CloudOps Orchestration Service: System policies for OOS

Last updated: Dec 08, 2025

What is a system policy?

A policy defines a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. Alibaba Cloud Resource Access Management (RAM) provides system policies and custom policies. All system policies are created and updated by Alibaba Cloud. You can use system policies, but you cannot modify them. You can create, update, and delete custom policies, and manage them based on your business requirements.

During service iteration, OOS adds new permissions to system policies to support new features and capabilities. The update of a system policy affects all RAM identities to which the policy is attached, including RAM users, RAM user groups, and RAM roles. For more information about RAM policies, see Policy overview.

Note

System policies are designed for new users to quickly get started with Alibaba Cloud products on the management console, though they also enable the use of more advanced methods like API operations or CLI commands. If you are familiar with the advanced methods, we recommend that you use custom policies to implement finer-grained control on who is permitted to call what API operations, thereby improving security.

System policies can be classified into service system policies, service role policies, and service-linked role policies. Some cloud services provide only one or two of the three types of policies. For more information, see the policy types that are described in the following section.

Service system policies

AliyunCloudOpsMCPAccess

The AliyunCloudOpsMCPAccess policy: Authorization policy for AliyunCloudOpsMCPAccess. It can be attached to RAM identities.

AliyunOOSFullAccess

The AliyunOOSFullAccess policy: Provides full access to OOS via Management Console. It can be attached to RAM identities.

AliyunOOSReadOnlyAccess

The AliyunOOSReadOnlyAccess policy: Provides read-only access to OOS via Management Console. It can be attached to RAM identities.

Service role policies

AliyunOOSApplicationDeployRolePolicy

The AliyunOOSApplicationDeployRolePolicy policy is the dedicated authorization policy of the AliyunOOSApplicationDeployRole service role. By default, OOS uses this role to complete application publishing. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

AliyunOOSLifecycleHook4CSRolePolicy

The AliyunOOSLifecycleHook4CSRolePolicy policy is the dedicated authorization policy of the AliyunOOSLifecycleHook4CSRole service role. Do not attach this policy to a RAM identity other than the service role. If a service provides precise authorization capabilities, refer to the documentation provided by the service.

Service-linked role policies

AliyunServiceRolePolicyForOOSAppliactionManager

OOS assumes the AliyunServiceRoleForOOSAppliactionManager service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSAppliactionManager policy is the dedicated authorization policy of the AliyunServiceRoleForOOSAppliactionManager service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForOOSBandwidthScheduler

OOS assumes the AliyunServiceRoleForOOSBandwidthScheduler service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSBandwidthScheduler policy is the dedicated authorization policy of the AliyunServiceRoleForOOSBandwidthScheduler service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForOOSExecutionDelivery

OOS assumes the AliyunServiceRoleForOOSExecutionDelivery service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSExecutionDelivery policy is the dedicated authorization policy of the AliyunServiceRoleForOOSExecutionDelivery service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForOOSExecutionScheduler

OOS assumes the AliyunServiceRoleForOOSExecutionScheduler service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSExecutionScheduler policy is the dedicated authorization policy of the AliyunServiceRoleForOOSExecutionScheduler service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForOOSInstanceScheduler

OOS assumes the AliyunServiceRoleForOOSInstanceScheduler service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSInstanceScheduler policy is the dedicated authorization policy of the AliyunServiceRoleForOOSInstanceScheduler service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForOOSOpsCenter

OOS assumes the AliyunServiceRoleForOOSOpsCenter service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSOpsCenter policy is the dedicated authorization policy of the AliyunServiceRoleForOOSOpsCenter service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForOOSPatchManager

OOS assumes the AliyunServiceRoleForOOSPatchManager service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSPatchManager policy is the dedicated authorization policy of the AliyunServiceRoleForOOSPatchManager service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.

AliyunServiceRolePolicyForOOSSystemEventOperator

OOS assumes the AliyunServiceRoleForOOSSystemEventOperator service-linked role to access the resources in other cloud services. The AliyunServiceRolePolicyForOOSSystemEventOperator policy is the dedicated authorization policy of the AliyunServiceRoleForOOSSystemEventOperator service-linked role. This policy is defined and used by OOS. You cannot modify or delete the policy. Do not attach this policy to a RAM identity other than the service-linked role.
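
The attachment rule stated for the service role and service-linked role policies above can be checked mechanically. The following audit is an added example, not Alibaba Cloud code: the inventory record shape (`policy`, `type`, `name`) and the identities `ci-bot`, `ops-admin`, `developers` and `auditor` are constructed assumptions, not RAM API output.

```python
# Dedicated service-role policies named on this page -> the one role each belongs to.
SERVICE_ROLE_POLICIES = {
    "AliyunOOSApplicationDeployRolePolicy": "AliyunOOSApplicationDeployRole",
    "AliyunOOSLifecycleHook4CSRolePolicy": "AliyunOOSLifecycleHook4CSRole",
}
SLR_POLICY_PREFIX = "AliyunServiceRolePolicyForOOS"


def expected_role(policy):
    """Return the only role a dedicated policy may be attached to, else None."""
    if policy in SERVICE_ROLE_POLICIES:
        return SERVICE_ROLE_POLICIES[policy]
    if policy.startswith(SLR_POLICY_PREFIX):
        # Page pairing: AliyunServiceRolePolicyForOOSX <-> AliyunServiceRoleForOOSX
        return policy.replace("RolePolicyFor", "RoleFor", 1)
    return None  # ordinary policy that may be attached to RAM identities


def audit(attachments):
    """Return (severity, identity, policy) findings for an attachment inventory."""
    findings = []
    for att in attachments:
        identity = f'{att["type"]}:{att["name"]}'
        role = expected_role(att["policy"])
        if role is not None and identity != f"role:{role}":
            # Dedicated policy attached to something other than its own role.
            findings.append(("MISATTACHED", identity, att["policy"]))
        elif att["policy"] == "AliyunOOSFullAccess":
            # Broad system policy: candidate for a narrower custom policy.
            findings.append(("REVIEW", identity, att["policy"]))
    return findings


# Constructed inventory; the record shape is an assumption for this example.
SAMPLE = [
    {"policy": "AliyunOOSApplicationDeployRolePolicy", "type": "role",
     "name": "AliyunOOSApplicationDeployRole"},
    {"policy": "AliyunOOSApplicationDeployRolePolicy", "type": "user", "name": "ci-bot"},
    {"policy": "AliyunOOSLifecycleHook4CSRolePolicy", "type": "role", "name": "ops-admin"},
    {"policy": "AliyunServiceRolePolicyForOOSPatchManager", "type": "role",
     "name": "AliyunServiceRoleForOOSPatchManager"},
    {"policy": "AliyunOOSFullAccess", "type": "group", "name": "developers"},
    {"policy": "AliyunOOSReadOnlyAccess", "type": "user", "name": "auditor"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```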


References

By default, RAM identities do not have any permissions. RAM identities can access cloud resources within an Alibaba Cloud account only after an account administrator grants the required permissions to the RAM identities. To ensure resource security, we recommend that you grant only the required permissions to the RAM identities based on the principle of least privilege. For more information, see the following topics: