This topic describes the system policies supported by Data Disaster Recovery and the related permissions. You can attach system policies and grant permissions to Resource Access Management (RAM) identities based on your business requirements.
What is a system policy?
A policy is a set of permissions that are defined based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud RAM provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. During service iteration, Data Disaster Recovery adds new permissions to system policies to support new features and capabilities. The updates of system policies affect all RAM identities to which the policies are attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.
System policies are designed for new users to quickly get started with Alibaba Cloud services in the Alibaba Cloud Management Console. System policies also apply to programmatic access methods, such as API operations and CLI commands. However, in programmatic access scenarios, we recommend that you use finer-grained custom policies to allow only the designated users to access only the specified resources based on actual requirements.
System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies.
Service system policies
AliyunDBSFullAccess
You can attach this policy to RAM identities to grant management permissions on Data Disaster Recovery.
AliyunDBSReadOnlyAccess
You can attach this policy to RAM identities to grant read-only access to Data Disaster Recovery.
Service role policies
AliyunDBSRolePolicy
The AliyunDBSRolePolicy policy is the dedicated authorization policy of the AliyunDBSDefaultRole service role. Do not attach this policy to a RAM identity other than the AliyunDBSDefaultRole service role. If a service provides finer-grained authorization capabilities, refer to the documentation of that service.
Service-linked role policies
AliyunServiceRolePolicyForDBS
Data Disaster Recovery assumes the AliyunServiceRoleForDBS service-linked role to access resources in other cloud services. The AliyunServiceRolePolicyForDBS policy is the dedicated authorization policy of the AliyunServiceRoleForDBS service-linked role. This policy is defined and used by Data Disaster Recovery. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the AliyunServiceRoleForDBS service-linked role.
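Two practical checks follow from the points above: because Alibaba Cloud updates system policies in place, every identity that has a system policy attached silently gains any action added in a new version, so it is worth diffing the policy document you reviewed against the one that is attached today; and the two dedicated role policies must never end up on a RAM user, user group, or any role other than the one they belong to. The following is an added example written for this page, not code from Alibaba Cloud or from the Data Disaster Recovery documentation. It works on RAM policy documents in their published JSON format (Version "1" and a Statement list with Effect, Action and Resource); the sample policy documents and the dbs:* action names inside them are constructed placeholders, not the real action list of the AliyunDBSReadOnlyAccess policy, and the attachment list is constructed as well.

```python
import json

# Constructed sample policy documents in the RAM policy JSON format.
# The action names are placeholders for this example, not the real
# action list of any Alibaba Cloud system policy.
READONLY_V1 = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dbs:DescribeExample", "dbs:ListExample"],
         "Resource": "*"},
    ],
})

# A later revision of the same policy: one dbs action and one ram
# action were added, so every attached identity now has them too.
READONLY_V2 = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dbs:DescribeExample", "dbs:ListExample",
                    "dbs:GetExampleDetail"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:ListRoles", "Resource": "*"},
    ],
})

# Dedicated policies from this page and the only role each may be
# attached to, as (identity type, identity name).
DEDICATED_POLICIES = {
    "AliyunDBSRolePolicy": ("role", "AliyunDBSDefaultRole"),
    "AliyunServiceRolePolicyForDBS": ("role", "AliyunServiceRoleForDBS"),
}


def allowed_actions(policy_json):
    """Return the set of actions granted by Allow statements.

    RAM accepts Action as either a single string or a list, so both
    shapes are normalised here. Deny statements are ignored on purpose:
    this check only asks what an identity can newly do.
    """
    doc = json.loads(policy_json)
    actions = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        if isinstance(acts, str):
            acts = [acts]
        actions.update(acts)
    return actions


def added_actions(old_json, new_json):
    """Actions present in the new revision but absent from the old one."""
    return sorted(allowed_actions(new_json) - allowed_actions(old_json))


def wildcard_actions(policy_json):
    """Actions written with a trailing wildcard (e.g. 'dbs:*').

    These are the grants to replace first when narrowing a system
    policy into a custom one for programmatic access.
    """
    return sorted(a for a in allowed_actions(policy_json) if a.endswith("*"))


def misattached(attachments):
    """Flag dedicated role policies attached to the wrong identity.

    attachments is a list of (policy name, identity type, identity name)
    tuples as you would collect them from a RAM inventory. Returns the
    tuples that violate the page's rule.
    """
    findings = []
    for policy, kind, name in attachments:
        expected = DEDICATED_POLICIES.get(policy)
        if expected is not None and (kind, name) != expected:
            findings.append((policy, kind, name))
    return findings


if __name__ == "__main__":
    # Constructed inventory: one correct attachment, one violation,
    # and one ordinary system policy that is fine on a RAM user.
    inventory = [
        ("AliyunDBSRolePolicy", "role", "AliyunDBSDefaultRole"),
        ("AliyunDBSRolePolicy", "user", "alice"),
        ("AliyunDBSReadOnlyAccess", "user", "alice"),
    ]
    print("added since review:", added_actions(READONLY_V1, READONLY_V2))
    print("wildcard grants:", wildcard_actions(READONLY_V2))
    print("misattached:", misattached(inventory))
```

Run the revision diff against the policy document you approved at onboarding time and the one RAM returns today; anything in the added list is a permission your identities acquired without a change on your side. The wildcard check is the starting point for the custom policy recommended for programmatic access: list the concrete actions the workload calls, put them in a custom policy with the Resource field narrowed to the specific resources, and detach the system policy.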
References
By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only required permissions to the RAM identities based on the principle of least privilege. For more information, see the following topics: