IPv6 Gateway provides built-in system policies that you can attach to Resource Access Management (RAM) identities to control access to the service.
What is a system policy?
A policy defines a set of permissions using a specific structure and syntax. Policies specify the authorized resource sets, authorized operation sets, and authorization conditions that apply to a RAM identity.
RAM supports two types of policies:
System policies: Created and maintained by Alibaba Cloud. You can attach system policies to RAM identities but cannot modify them. As IPv6 Gateway releases new features, Alibaba Cloud automatically adds the required permissions to existing system policies. These updates apply to all RAM users, RAM user groups, and RAM roles that have the policy attached.
Custom policies: Created and managed by you. You can create, update, and delete custom policies to match your specific access requirements.
System policies fall into three categories: service system policies, service role policies, and service-linked role policies. Some Alibaba Cloud services support only one or two of the three types of policies. The policy types described in this topic apply to IPv6 Gateway.
System policies let new users get started quickly in the Alibaba Cloud Management Console — a few clicks are enough to access IPv6 Gateway and its dependent services. System policies also work with API operations and CLI commands. For finer-grained access control, use custom policies instead, which let you specify exactly which API operations each RAM identity can call.
Service system policies
IPv6 Gateway provides the following service system policies.
AliyunIpv6FullAccess
You can grant the AliyunIpv6FullAccess policy to a RAM identity. This policy grants full access permissions to IPv6 Gateway.
Grants full access to IPv6 gateways. Attach this policy to RAM identities that need to create, configure, and manage IPv6 gateway resources.
For the complete list of permissions this policy grants, see AliyunIpv6FullAccess.
AliyunIpv6ReadOnlyAccess
You can grant the AliyunIpv6ReadOnlyAccess policy to a RAM identity. This policy grants read-only permissions to IPv6 Gateway.
Grants read-only access to IPv6 gateways. Attach this policy to RAM identities that need to view IPv6 gateway resources without making changes.
For the complete list of permissions this policy grants, see AliyunIpv6ReadOnlyAccess.
What's next
RAM identities have no permissions by default. An account administrator must grant permissions before a RAM identity can access resources in an Alibaba Cloud account. Follow the principle of least privilege and grant only the permissions each identity needs.