When multiple team members share the same Alibaba Cloud account, any member can access all resources — increasing the risk of accidental changes and security incidents. Custom policies let you grant each RAM user, user group, or role only the permissions they need for Data Disaster Recovery, following the principle of least privilege.
Use custom policies when the built-in system policies are too broad. For example, grant a backup operator permission to create and monitor backup plans, but not to delete them.
How custom policies work
Resource Access Management (RAM) policies fall into two categories: system policies (managed by Alibaba Cloud) and custom policies (managed by you). Custom policies give you fine-grained permission control over Data Disaster Recovery actions.
- A policy takes effect only after you attach it to a RAM user, RAM user group, or RAM role. An unattached policy grants nothing.
- To delete a custom policy, first detach it from every principal it is attached to; deletion fails while the policy is still referenced.
- Custom policies support version control. Updating a policy's document creates a new version, and earlier versions remain available so you can roll back without re-entering the previous document.
For the list of available actions and resource types, see RAM authorization.
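The following is an added example, not part of the Data Disaster Recovery documentation, showing the lifecycle described above for the backup-operator case: a least-privilege policy document that allows creating and listing backup plans but explicitly denies releasing them, an offline sanity check of the document, and the create, attach, detach and delete steps driven with the `aliyun` CLI (RAM API actions `CreatePolicy`, `AttachPolicyToUser`, `ListEntitiesForPolicy`, `CreatePolicyVersion`, `DetachPolicyFromUser`, `DeletePolicy`). The `dbs:` action names, the policy name `DBSBackupOperator` and the `RAM_USER` variable are assumptions for illustration; confirm the exact action names against the RAM authorization list before using the document.

```shell
#!/bin/sh
# Added example: least-privilege custom policy lifecycle for a Data Disaster Recovery
# backup operator. Assumes the aliyun CLI is installed and configured with credentials
# that may manage RAM, that RAM_USER names an existing RAM user, and that the dbs:*
# action names below match the RAM authorization list (verify them before use).

POLICY_NAME="${POLICY_NAME:-DBSBackupOperator}"
RAM_USER="${RAM_USER:-}"

# Policy document: allow creating and listing backup plans, explicitly deny releasing
# them. In RAM an explicit Deny wins over any Allow from other attached policies.
policy_document() {
  cat <<'EOF'
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dbs:CreateBackupPlan",
        "dbs:DescribeBackupPlanList"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "dbs:ReleaseBackupPlan",
      "Resource": "*"
    }
  ]
}
EOF
}

# Offline sanity check before upload: the destructive action must be explicitly
# denied, and no statement may grant a wildcard action (Resource lines are skipped
# because "*" there is a separate, deliberate choice).
check_policy_document() {
  doc="$(policy_document)"
  printf '%s\n' "$doc" | grep -q '"Effect": "Deny"' || return 1
  printf '%s\n' "$doc" | grep -q '"dbs:ReleaseBackupPlan"' || return 1
  if printf '%s\n' "$doc" | grep -v '"Resource"' | grep -Eq '"(dbs:\*|\*)"'; then
    return 1
  fi
  return 0
}

create_and_attach() {
  aliyun ram CreatePolicy --PolicyName "$POLICY_NAME" \
    --PolicyDocument "$(policy_document)" \
    --Description "DBS backup operator: create and list backup plans only"
  # Nothing takes effect until the policy is attached to a principal.
  aliyun ram AttachPolicyToUser --PolicyType Custom \
    --PolicyName "$POLICY_NAME" --UserName "$RAM_USER"
}

# Updating is done by adding a version and making it the default; the previous
# version stays available for rollback. $1 is the new policy document.
publish_new_version() {
  aliyun ram CreatePolicyVersion --PolicyName "$POLICY_NAME" \
    --PolicyDocument "$1" --SetAsDefault true
}

detach_and_delete() {
  # Deletion fails while the policy is referenced, so list references and detach first.
  aliyun ram ListEntitiesForPolicy --PolicyType Custom --PolicyName "$POLICY_NAME"
  aliyun ram DetachPolicyFromUser --PolicyType Custom \
    --PolicyName "$POLICY_NAME" --UserName "$RAM_USER"
  aliyun ram DeletePolicy --PolicyName "$POLICY_NAME"
}

# The offline check always runs; the RAM calls run only when the CLI and a
# target user are available.
check_policy_document || { echo "policy document failed sanity checks" >&2; exit 1; }
if command -v aliyun >/dev/null 2>&1 && [ -n "$RAM_USER" ]; then
  create_and_attach
  detach_and_delete
fi
```

Run it as `RAM_USER=backup-operator sh policy-lifecycle.sh`. The `Resource` field is left as `"*"` here because the example does not assume a particular resource format for Data Disaster Recovery; if the RAM authorization list documents resource-level scoping for the `dbs:` actions, narrow it there rather than in the action list.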
Common scenarios
| Scenario | Reference |
|---|---|
| Grant a RAM role the permissions needed for data backup and restoration across Alibaba Cloud accounts | Create a RAM role for data backup and restoration across Alibaba Cloud accounts |
| Set up the service-linked role that Data Disaster Recovery uses to access other Alibaba Cloud services | AliyunServiceRoleForDBS |
Manage custom policies
| Task | Reference |
|---|---|
| Create a custom policy | Create a custom policy |
| Update a policy's content or description | Modify the document and description of a custom policy |
| Delete a custom policy | Delete a custom policy |
| View which principals a policy is attached to | Manage policy references |
| Roll back or activate a specific policy version | Manage custom policy versions |