This topic describes the system policies that Dedicated Host (DDH) supports and the permissions that each policy grants, for reference when you grant permissions to RAM users.
What is a system policy?
A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. RAM provides two types of policies: system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use these policies but cannot modify them. Custom policies are yours to manage: you can create, update, and delete them based on your business requirements. Each time Simple Application Server has a release, new permissions are added to the system policies supported by Simple Application Server to allow RAM users to access new features and capabilities. Updates to system policies affect all RAM identities to which the policies are attached, such as RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.
System policies are designed for new users to quickly get started with Alibaba Cloud products in the Alibaba Cloud Management Console. New users who are granted system policies of Simple Application Server can access the product and its dependent products with only a few clicks. System policies also enable the use of more advanced methods such as API operations and CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to control at a finer granularity which API operations each identity is permitted to call, thereby improving security.
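The following added example (not part of the original topic and not Alibaba Cloud code) checks a RAM policy document for the broad grants that a custom policy is meant to avoid. Both sample policies are constructed for illustration and are not the contents of any system policy; the region, account ID, host ID, and the `ddh/` resource ARN form are assumptions.

```python
import json

# Constructed samples: a broad grant and a scoped custom policy.
BROAD = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]
}""")

SCOPED = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:DescribeDedicatedHosts", "ecs:ModifyDedicatedHostAttribute"],
    "Resource": "acs:ecs:cn-hangzhou:1234567890123456:ddh/dh-example0001"
  }]
}""")  # ARN form, region, account ID and host ID are placeholders (assumed)

def as_list(value):
    """RAM policy elements may be a single string/object or a list."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, issue, value) for each over-broad Allow grant."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((i, "allow-with-notaction", stmt["NotAction"]))
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, "wildcard-action", action))
        for resource in as_list(stmt.get("Resource", [])):
            # Flag "*" or a wildcard in the resource-name segment (e.g. ddh/*).
            if "*" in resource.rsplit(":", 1)[-1]:
                findings.append((i, "wildcard-resource", resource))
    return findings

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(doc) or "no broad grants found")
```
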
System policies can be classified into service system policies, service role policies, and service-linked role policies. Some Alibaba Cloud products support only one or two of the three types. For this product, the policy types described in this topic are the ones that apply.
Service system policies
AliyunECSFullAccess
If you attach the AliyunECSFullAccess policy to a RAM user, the RAM user has permissions to manage dedicated hosts. For more information, see AliyunECSFullAccess.
AliyunECSReadOnlyAccess
If you attach the AliyunECSReadOnlyAccess policy to a RAM user, the RAM user has only the read permission for dedicated hosts. For more information, see AliyunECSReadOnlyAccess.
References
By default, a RAM identity has no permissions. The RAM identity can access resources within the Alibaba Cloud account only after the administrator of the Alibaba Cloud account grants the RAM identity the required permissions. To ensure resource security, we recommend that you follow the principle of least privilege to grant a RAM identity sufficient permissions to access Alibaba Cloud resources. For more information about how to grant the required permissions, see the following topics: