
Data Management: Data Disaster Recovery (DBS) system policy reference

Last Updated: Mar 28, 2026

Data Disaster Recovery provides predefined system policies for Resource Access Management (RAM). Attach these policies to RAM users, RAM user groups, or RAM roles based on the level of access each identity needs.

Policies at a glance

| Policy | Type | Use when |
|---|---|---|
| AliyunDBSFullAccess | Service system policy | The identity manages all Data Disaster Recovery resources |
| AliyunDBSReadOnlyAccess | Service system policy | The identity only monitors or audits Data Disaster Recovery resources |
| AliyunDBSRolePolicy | Service role policy | Used internally by the AliyunDBSDefaultRole service role (do not attach manually) |
| AliyunServiceRolePolicyForDBS | Service-linked role policy | Used internally by the AliyunServiceRoleForDBS service-linked role (do not attach manually) |

What is a system policy?

A policy is a set of permissions defined using the RAM policy structure and syntax. It describes the authorized resources, operations, and conditions.

RAM provides two types of policies:

  • System policies — Created and managed by Alibaba Cloud. You can attach them to RAM identities, but cannot modify them. During service iteration, Data Disaster Recovery adds new permissions to system policies to support new features. These updates apply to all RAM identities that have the policy attached, including RAM users, RAM user groups, and RAM roles.

  • Custom policies — Created and managed by you. Use custom policies when system policies are too broad for your requirements.

System policies work in the Alibaba Cloud Management Console and with programmatic access methods such as API operations and CLI commands. For programmatic access, use fine-grained custom policies to restrict access to designated users and required resources only.

System policies fall into three categories. Some services provide only one or two of these types:

  • Service system policies — Attach to RAM identities to grant end-user access.

  • Service role policies — Dedicated to a specific service role. Do not attach to other RAM identities.

  • Service-linked role policies — Used by Data Disaster Recovery to access other cloud services. Do not attach to other RAM identities.

For more information about RAM policies, see Policy overview.

Service system policies

AliyunDBSFullAccess

Grants full management permissions on Data Disaster Recovery. Attach this policy to RAM identities that need to manage Data Disaster Recovery resources.

For the complete list of permissions, see AliyunDBSFullAccess.

AliyunDBSReadOnlyAccess

Grants read-only access to Data Disaster Recovery. Attach this policy to RAM identities that need to view Data Disaster Recovery resources without the ability to make changes.

For the complete list of permissions, see AliyunDBSReadOnlyAccess.

Service role policies

AliyunDBSRolePolicy

This policy is the dedicated authorization policy of the AliyunDBSDefaultRole service role. It is used internally by the service role and is not intended for manual attachment. Do not attach this policy to any RAM identity other than the AliyunDBSDefaultRole service role.

For the complete list of permissions, see AliyunDBSRolePolicy.

Service-linked role policies

AliyunServiceRolePolicyForDBS

Data Disaster Recovery assumes the AliyunServiceRoleForDBS service-linked role to access resources in other cloud services. AliyunServiceRolePolicyForDBS is the dedicated authorization policy of this service-linked role. It is defined and used by Data Disaster Recovery — you cannot modify or delete it. Do not attach this policy to any RAM identity other than the AliyunServiceRoleForDBS service-linked role.

For the complete list of permissions, see AliyunServiceRolePolicyForDBS.

What's next

RAM identities have no permissions by default. An account administrator must explicitly grant the required permissions. Follow the principle of least privilege and grant only the permissions that each identity needs.
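
The attachment rules on this page can be checked mechanically. The following is an added example, not code from Alibaba Cloud: it audits which identities hold each Data Disaster Recovery system policy, flags a dedicated policy attached to anything other than its own role, and lists AliyunDBSFullAccess holders for review. The input shape is an assumption modeled on RAM's ListEntitiesForPolicy response, and the sample identities are constructed.

```python
# Added example: audit who holds each DBS system policy.
# Assumption: each listing follows the shape of RAM's ListEntitiesForPolicy
# response ({"Users": {"User": [...]}, "Groups": {...}, "Roles": {...}}).

# Policies that this page says belong to exactly one role.
DEDICATED = {
    "AliyunDBSRolePolicy": "AliyunDBSDefaultRole",
    "AliyunServiceRolePolicyForDBS": "AliyunServiceRoleForDBS",
}
BROAD = {"AliyunDBSFullAccess"}  # legitimate, but worth periodic review


def entities(resp):
    """Yield (kind, name) for every identity in one policy's attachment listing."""
    for plural, single in (("Users", "User"), ("Groups", "Group"), ("Roles", "Role")):
        for item in (resp.get(plural) or {}).get(single) or []:
            yield single, item[single + "Name"]


def audit(attachments):
    """attachments: {policy_name: listing}. Returns sorted (severity, policy, kind, name)."""
    findings = []
    for policy, resp in attachments.items():
        owner = DEDICATED.get(policy)
        for kind, name in entities(resp):
            # A dedicated policy is only valid on its own role, matched by kind and name.
            if owner is not None and (kind, name) != ("Role", owner):
                findings.append(("VIOLATION", policy, kind, name))
            elif policy in BROAD:
                findings.append(("REVIEW", policy, kind, name))
    return sorted(findings)


# Constructed sample data; all user, group, and extra role names are hypothetical.
SAMPLE = {
    "AliyunDBSFullAccess": {"Users": {"User": [{"UserName": "backup-admin"}]},
                            "Groups": {"Group": [{"GroupName": "dba-team"}]}},
    "AliyunDBSReadOnlyAccess": {"Users": {"User": [{"UserName": "auditor"}]}},
    "AliyunDBSRolePolicy": {"Roles": {"Role": [{"RoleName": "AliyunDBSDefaultRole"}]},
                            "Users": {"User": [{"UserName": "ci-deployer"}]}},
    "AliyunServiceRolePolicyForDBS": {
        "Roles": {"Role": [{"RoleName": "AliyunServiceRoleForDBS"},
                           {"RoleName": "etl-runner"}]}},
}

if __name__ == "__main__":
    for severity, policy, kind, name in audit(SAMPLE):
        print(f"{severity:9} {policy:30} {kind:5} {name}")
```
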