All Products
Search
Document Center

Edge Security Acceleration:Custom policies for DCDN

Last Updated:Oct 16, 2024

If system policies do not meet your requirements, you can configure custom policies to implement the principle of least privilege. You can use custom policies to achieve fine-grained control over permissions and improve resource access security. This topic describes how to configure custom policies for (Dynamic Content Delivery Network (DCDN)) and provides examples.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can manage custom policies based on your business requirements.

  • After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.

  • You can delete a RAM policy that is not attached to a principal. If the RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.

  • Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.

References

Common scenarios and examples of custom policies

  • Example 1: Full permissions (excluding service activation)

    Full permissions on Dynamic Content Delivery Network (DCDN), such as the permissions to configure cache policies and origin fetch settings and change the metering method. The permissions to activate Dynamic Content Delivery Network (DCDN) are excluded.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "dcdn:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "dcdn:OpenDcdnService"
                ],
                "Resource": "*",
                "Effect": "Deny"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "logdelivery.dcdn.aliyuncs.com"
                        ]
                    }
                }
            }
        ]
    }
  • Example 2: Full permissions (excluding configuration change)

    Full permissions on Dynamic Content Delivery Network (DCDN), such as the permissions to configure cache policies and origin fetch settings and activate Dynamic Content Delivery Network (DCDN). The permissions to change the metering method are excluded.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "dcdn:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "dcdn:ModifyDcdnService"
                ],
                "Resource": "*",
                "Effect": "Deny"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "logdelivery.dcdn.aliyuncs.com"
                        ]
                    }
                }
            }
        ]
    }
  • Example 3: Service activation permissions only

    Only the permissions to activate Dynamic Content Delivery Network (DCDN).

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dcdn:OpenDcdnService"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
  • Example 4: Configuration change permissions only

    Only the permissions to change the metering method.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dcdn:ModifyDcdnService"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
  • Example 5: Service activation and configuration change permissions only

    Only the permissions to activate Dynamic Content Delivery Network (DCDN) and change the metering method.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dcdn:OpenDcdnService",
                     "dcdn:ModifyDcdnService"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
  • Example 6: Permissions excluding service activation and configuration change

    Full permissions on Dynamic Content Delivery Network (DCDN), such as the permissions to configure cache policies and origin fetch settings. The permissions to activate Dynamic Content Delivery Network (DCDN) and change the metering method are excluded.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "dcdn:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "dcdn:ModifyDcdnService",
                    "dcdn:OpenDcdnService"
                ],
                "Resource": "*",
                "Effect": "Deny"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "logdelivery.dcdn.aliyuncs.com"
                        ]
                    }
                }
            }
        ]
    }
  • Example 7: Purge and prefetch permissions

    This policy grants the RAM user permissions to purge or prefetch resources by calling API operations.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "dcdn:PreloadDcdnObjectCaches",
            "dcdn:RefreshDcdnObjectCaches",
            "dcdn:DescribeDcdnRefreshTaskById",
            "dcdn:DescribeDcdnRefreshQuota",
            "dcdn:DescribeDcdnRefreshTasks"
          ],
          "Resource": "acs:dcdn:*:*:*",
          "Effect": "Allow"
        }
      ]
    }

Authorization information

To use a custom policy, you must understand the permission control requirements of your business and the authorization information about Dynamic Content Delivery Network (DCDN). For more information, see RAM authorization.