This topic describes all system access policies supported by Gateway Load Balancer and their corresponding permission descriptions. Use this information as a reference when granting permissions to RAM identities.
What is a system policy?
An access policy is a collection of permissions described using a specific syntax. It precisely defines the set of resources, operations, and conditions that are authorized. Alibaba Cloud Resource Access Management (RAM) provides two types of access policies: system policies and custom policies. System policies are created and maintained by Alibaba Cloud. You can use them but cannot modify them. Custom policies are managed by you. You can create, update, and delete custom policies as needed. As Gateway Load Balancer evolves, new permissions are added to system policies to support new features and capabilities. Updates to system policies affect all RAM identities granted those policies, including RAM users, RAM user groups, and RAM roles. For more information about RAM access policies, see Access policy overview.
Product system policies help you get started quickly. With minimal configuration, you can access the product and its dependent services through the console. Although the permissions in system policies also apply to other access methods such as OpenAPI or the command-line interface (CLI), we recommend using custom policies in these scenarios to grant only the specific API permissions your personnel and applications need. This improves security.
System policies fall into three categories: product system policies, service role policies, and service-linked role policies. Some cloud products provide only one or two of these categories. Refer to the policy types listed in this topic to see which categories apply to Gateway Load Balancer.
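As an added example (not part of the original topic and not Alibaba Cloud tooling), the following Python check audits a custom RAM policy document for wildcard Allow actions before you attach it, in line with the recommendation above to grant only the specific API permissions needed for OpenAPI or CLI access. The sample policy is constructed, and the gwlb: action names in it are assumptions for illustration.

```python
import json

# Constructed sample policy. The "gwlb:" action names are assumptions for
# illustration; take the real names from the GWLB API reference.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["gwlb:ListLoadBalancers", "gwlb:GetLoadBalancerAttribute"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "gwlb:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "gwlb:Delete*", "Resource": "*"}
  ]
}
""")


def as_list(value):
    """Action and Statement may be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, action, reason) for each over-broad Allow."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement does not widen access
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "allows all but the listed actions"))
        for action in as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if action == "*":
                findings.append((idx, action, "allows every action of every service"))
            elif name == "*":
                findings.append((idx, action, f"allows every {service} action"))
            elif "*" in action:
                findings.append((idx, action, "wildcard matches several actions"))
    return findings


if __name__ == "__main__":
    for idx, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"Statement[{idx}] {action}: {reason}")
```

Run it over each custom policy document in review or CI and treat any finding as a prompt to replace the wildcard with the explicit actions the workload calls.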
Product system policies
AliyunGWLBFullAccess
You can grant the AliyunGWLBFullAccess policy to a RAM identity. This policy defines full management permissions for the Gateway Load Balancer (GWLB) service.
AliyunGWLBReadOnlyAccess
You can grant the AliyunGWLBReadOnlyAccess policy to a RAM identity. This policy defines read-only access permissions for the Gateway Load Balancer (GWLB) service.
Service-linked role policies
AliyunServiceRolePolicyForGwlb
Gateway Load Balancer uses the service-linked role AliyunServiceRoleForGwlb to access your resources in other cloud services. AliyunServiceRolePolicyForGwlb is the dedicated authorization policy for AliyunServiceRoleForGwlb. Gateway Load Balancer defines and uses this policy. Do not modify or delete it. Do not grant it to any RAM identity other than the service-linked role.
Authorization operation reference
By default, RAM identities have no permissions. An Alibaba Cloud account administrator must grant them permissions before they can access resources under the Alibaba Cloud account. To ensure data security, follow the Principle of Least Privilege (PoLP) and grant only the minimum permissions required to access cloud resources. For detailed authorization procedures, see: