When system policies don't cover your access control requirements for Data Security Center (DSC), create custom policies to grant only the permissions your team needs. Custom policies let you define fine-grained permissions for specific DSC resources and actions, following the principle of least privilege.
System policies vs. custom policies
Resource Access Management (RAM) provides two types of policies:
| Type | Managed by | Modifiable | When to use |
|---|---|---|---|
| System policy | Alibaba Cloud | No | Common access scenarios with broad permission sets |
| Custom policy | You | Yes | Fine-grained control over specific DSC resources and actions |
Use custom policies when system policies are too broad or don't match your business requirements.
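One way to check a custom policy document against least privilege before attaching it. This is an added example, not part of the original documentation or Alibaba Cloud's own code. The `yundun-sddp` action prefix, the action names, and the `lint_policy` helper are assumptions for illustration; take the real values from the RAM authorization reference.

```python
import json

# Constructed sample policies. The "yundun-sddp" prefix and the action names
# are assumptions; use the values listed in the DSC RAM authorization reference.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "yundun-sddp:*", "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["yundun-sddp:DescribeInstances", "yundun-sddp:DescribeRules"],
        "Resource": "*",
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_json, service="yundun-sddp"):
    """Return (statement index, action, reason) for over-broad Allow grants."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove permissions
        for action in _as_list(stmt.get("Action")):
            prefix = action.partition(":")[0]
            if "*" in action:
                findings.append((idx, action, "wildcard action"))
            elif prefix.lower() != service:
                findings.append((idx, action, "action outside " + service))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

A policy that returns no findings grants only explicitly named actions for the one service, which is the property a custom policy is meant to have over a broad system policy.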
Manage custom policies
Attach a policy
After creating a custom policy, attach it to a RAM user, RAM user group, or RAM role. The principal receives the permissions defined in the policy only after you attach the policy.
Update a policy
Custom policies support version control. Manage the versions of a custom policy with the version management mechanism that RAM provides. For details, see Manage custom policy versions.
Delete a policy
The steps depend on whether the policy is currently attached:
- Not attached to any principal: Delete the policy directly.
- Attached to a principal: Detach the policy from the principal first, then delete it.
For step-by-step instructions, see Delete a custom policy.
Authorization information
To use custom policies, you must understand your business's access control requirements and the authorization information for DSC. See RAM authorization.