
Data Security Center: Service-linked roles for DSC

Last Updated: Sep 03, 2024

To obtain permissions to access other Alibaba Cloud services, Data Security Center (DSC) must assume a service-linked role. This topic describes the service-linked roles for DSC, including the role definitions and scenarios.

A service-linked role is a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service. DSC assumes a service-linked role to obtain the permissions to access other cloud services or cloud resources.

In most cases, the system automatically creates a service-linked role when you perform an operation. If the system fails to create a service-linked role or DSC does not support automatic creation, you must manually create a service-linked role.

RAM provides a system policy for each service-linked role. You cannot modify the policy. To view the information about the system policy of a specific service-linked role, go to the details page of the role. For more information, see System Policy Reference.

Scenarios

Before you use DSC to check the data security of Alibaba Cloud resources, you must create a service-linked role named AliyunServiceRoleForSDDP. This way, DSC can use the service-linked role to access other cloud resources.

Required permissions for a RAM user to assume a service-linked role

If you use a RAM user to create or delete a service-linked role, you must contact the administrator to grant the AliyunYundunSDDPFullAccess administrator permission to the RAM user, or to add the following actions to the Action element of a custom policy that is attached to the RAM user:

  • Permission required to create a service-linked role: ram:CreateServiceLinkedRole

  • Permission required to delete a service-linked role: ram:DeleteServiceLinkedRole

For more information, see Permissions required to create and delete a service-linked role.
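The custom-policy route described above can be verified before the RAM user tries the Authorize step. The following Python script is an added example; it is not part of the Alibaba Cloud documentation or of any Alibaba Cloud SDK. It parses a RAM policy document in the Version "1" syntax (the sample policy is constructed here), checks whether the two actions listed above are granted, and applies the usual evaluation rules of an explicit Deny overriding an Allow and of wildcard actions such as ram:*. Statements carrying a Condition element are handled conservatively (a conditional Allow is not counted, a conditional Deny is), which is a simplifying assumption of this checker rather than RAM's full evaluation logic.

```python
"""Check whether a RAM custom policy grants a RAM user the two actions needed
to create and delete the DSC service-linked role AliyunServiceRoleForSDDP.
Example code added to this page; not from Alibaba Cloud documentation or SDKs."""
import fnmatch
import json

# The two actions named in the documentation.
REQUIRED_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

# Constructed sample: a minimal custom policy in RAM policy syntax (Version "1").
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"],
            "Resource": "*",
        }
    ],
})


def _as_list(value):
    """RAM allows Action/Resource to be a single string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Case-insensitive wildcard match, so 'ram:*' or '*' covers an action."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy_doc, action):
    """Return True if the policy grants `action`.

    Rules applied: at least one Allow statement must match the action and no
    Deny statement may match it (Deny wins). A statement with a Condition is
    treated conservatively: a conditional Allow does not count as a grant, a
    conditional Deny still counts as a denial (assumption of this checker).
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        effect = stmt.get("Effect")
        if effect == "Deny":
            return False
        if effect == "Allow" and "Condition" not in stmt:
            allowed = True
    return allowed


def missing_service_linked_role_permissions(policy_doc):
    """Return the required actions the policy does NOT grant (empty list = OK)."""
    return [a for a in REQUIRED_ACTIONS if not action_allowed(policy_doc, a)]


if __name__ == "__main__":
    missing = missing_service_linked_role_permissions(SAMPLE_POLICY)
    if missing:
        print("Policy is missing:", ", ".join(missing))
    else:
        print("Policy grants both service-linked role actions.")
```

Run it against the exported JSON of the custom policy attached to the RAM user; an empty result means both actions are granted without a conditional or denying statement getting in the way.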

Create a service-linked role

The first time you log on to the DSC console after you activate DSC, click Authorize. Alibaba Cloud automatically creates the AliyunServiceRoleForSDDP service-linked role. For more information, see Authorize DSC to access Alibaba Cloud resources.

View a service-linked role

After the service-linked role is created, you can view the following details of the role by searching for AliyunServiceRoleForSDDP on the Roles page in the RAM console:

  • Basic information

    In the Basic Information section, you can view the basic information about the AliyunServiceRoleForSDDP role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Policy

    On the Permissions tab, you can click the name of a policy to view the policy content and the cloud resources that the AliyunServiceRoleForSDDP role can access.

  • Trust policy

    On the Trust Policy tab, you can view the content of the trust policy that is attached to the AliyunServiceRoleForSDDP role. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. You can view the value of the Service field in the trust policy to obtain the trusted entity.

For more information about how to view information about a service-linked role, see View the information about a RAM role.

Delete a service-linked role

Important

After a service-linked role is deleted, the features that depend on the role cannot be used. Proceed with caution.

If you no longer use DSC, you can manually delete the service-linked role in the RAM console.

For more information, see Delete a RAM role.