Lists all system policies available for Cloud Phone and the permissions each policy grants, for use when authorizing RAM identities.
A policy defines a set of permissions, expressed in the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. You can create, update, and delete custom policies based on your business requirements. During service iteration, ECP adds new permissions to system policies to support new features and capabilities. An update to a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Overview of RAM policies.
System policies are designed to help new users quickly get started with Alibaba Cloud products in the management console, although they also permit more advanced methods such as API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control over which identities are permitted to call which API operations, thereby improving security.
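When you draft custom policies to replace the FullAccess system policies, it helps to check that no statement is still service-wide. The following check is an added example, not part of the original documentation; the sample policy is constructed, and `broad_grants` is a hypothetical helper name.

```python
import json

# Constructed sample: a custom policy drafted to narrow the ECS/VPC access
# that the ADB setup needs. The statements are illustrative only.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "vpc:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ecs:Delete*", "Resource": "*"},
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def broad_grants(policy_json):
    """Return (statement_index, action, resource_scope) for every Allow
    statement that grants all actions of a service, or of all services."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # tolerate a single statement object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        any_resource = "*" in _as_list(stmt.get("Resource"))
        scope = "all resources" if any_resource else "scoped resources"
        for action in _as_list(stmt.get("Action")):
            _service, _, operation = action.partition(":")
            if action == "*" or operation == "*":
                findings.append((idx, action, scope))
    return findings


if __name__ == "__main__":
    for idx, action, scope in broad_grants(SAMPLE_POLICY):
        print(f"Statement {idx}: '{action}' on {scope} is as broad as a FullAccess policy")
```

Prefix wildcards such as `ecs:Describe*` are deliberately not flagged; only service-wide or global grants are reported.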
System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.
System policies
AliyunECDFullAccess
Attach the AliyunECDFullAccess policy to RAM users to grant full permissions to manage cloud phones.
AliyunVPCFullAccess
Cloud phones depend on virtual private clouds (VPCs). Attach the AliyunVPCFullAccess policy to RAM users to grant full permissions to manage VPCs.
AliyunCADTFullAccess
When you create an instance group, Cloud Phone automatically creates VPCs through Cloud Architect Design Tools (CADT). If you create an instance group as a RAM user in the Cloud Phone console, make sure the AliyunCADTFullAccess policy is attached to the RAM user. Otherwise, the creation fails. This policy grants full permissions to manage CADT resources.
AliyunEIPFullAccess
Cloud phones depend on Elastic IP Address (EIP) for Internet access. To enable Internet access for cloud phones as a RAM user, make sure the AliyunEIPFullAccess policy is attached to the RAM user. Otherwise, the operation fails. This policy grants full permissions to manage EIP resources.
AliyunNATGatewayFullAccess
Cloud phones also depend on NAT Gateway for Internet access. To enable Internet access for cloud phones as a RAM user, make sure the AliyunNATGatewayFullAccess policy is also attached to the RAM user. Otherwise, the operation fails. This policy grants full permissions to manage NAT gateways.
AliyunECSFullAccess
To access a cloud phone over the Internet by using Android Debug Bridge (ADB) from an on-premises device, you must create a DNAT entry and update your security group settings. For more information, see Connect to a Cloud Phone instance using ADB.
You must go to Elastic Compute Service (ECS) to update the elastic network interface (ENI) and security group settings. If you perform these operations as a RAM user, make sure the AliyunECSFullAccess policy is attached to the RAM user. Otherwise, the operation fails. This policy grants full permissions to manage ECS resources.
AliyunTagAdministratorAccess
Cloud Phone requires tagging service permissions. Attach the AliyunTagAdministratorAccess policy to the relevant RAM identity (a RAM user, user group, or role). This policy grants permissions to manage the tagging service and tags for all Alibaba Cloud products. Without this policy, the RAM user cannot create resources.