Cloud Infinite grants sub-accounts permissions for persistent data processing operations by associating them with write permissions for specified COS resources. The following examples demonstrate how to grant persistent processing permissions for all resources in Cloud Infinite or authorize persistent operation permissions for specified resources.
Note:
Before configuring data persistence permissions for sub-accounts, you must first associate the CI full read-write permission QcloudCIFullAccess.
When configuring a custom policy, you can copy and paste the following reference policy into the policy content input box, then modify it according to your actual configuration. For details, refer to the CAM policy syntax documentation.
Grant Persistent Operations to Sub-Accounts for All Resources
Assume that the enterprise account CompanyExample (OwnerUin is 100000000001, APPID is 1250000000) has a sub-account Developer, which needs to perform persistent data processing on all resources under the enterprise account CompanyExample.
Cloud Infinite grants sub-accounts persistent operation permissions by setting write permissions for all resources under the account via COS.
Solution A:
The enterprise account CompanyExample grants the preset policy QcloudCOSDataWriteOnly to the sub-account Developer. For the authorization method, see Authorization Management.
Solution B:
1. Create the following policy using policy syntax.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cos:ListParts",
                "cos:PostObject",
                "cos:PutObject*",
                "cos:InitiateMultipartUpload",
                "cos:UploadPart",
                "cos:UploadPartCopy",
                "cos:CompleteMultipartUpload",
                "cos:AbortMultipartUpload"
            ],
            "resource": "*"
        }
    ]
}
2. Grant the policy to the sub-account. For the authorization method, see Authorization Management.
Grant Sub-Accounts Persistent Operations Authorization for Resources in Specific Directories
Assume that the enterprise account CompanyExample (OwnerUin is 100000000001, APPID is 1250000000) has a sub-account Developer, which needs to perform persistent data processing on resources under the doc directory in the Bucket (named examplebucket, located in the Shanghai Region) of the enterprise account.
Cloud Infinite grants sub-accounts persistent operation permissions by setting write permissions for resources under a specific directory via COS.
Solution A:
Configure Policy and ACL settings for resources via the COS console. For details, refer to the COS Add Bucket Policy documentation.
Solution B:
1. Create the following policy using policy syntax.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cos:ListParts",
                "cos:PostObject",
                "cos:PutObject*",
                "cos:InitiateMultipartUpload",
                "cos:UploadPart",
                "cos:UploadPartCopy",
                "cos:CompleteMultipartUpload",
                "cos:AbortMultipartUpload"
            ],
            "resource": "qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/doc/*"
        }
    ]
}
2. Grant the policy to the sub-account. For the authorization method, see Authorization Management.
Authorize Sub-Account for Persistent Operations on Specified Resources
Assume that the enterprise account CompanyExample (OwnerUin is 100000000001, APPID is 1250000000) has a sub-account Developer, which needs to perform persistent processing on the image picture.jpg under the doc directory in the Bucket (named examplebucket, located in the Shanghai Region) of the enterprise account.
Cloud Infinite grants sub-accounts persistent operation permissions by setting write permissions for specific resources via COS.
Solution A:
Configure Policy and ACL settings for resources via the COS console. For details, refer to the COS Add Bucket Policy documentation.
Solution B:
1. Create the following policy using policy syntax.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cos:ListParts",
                "cos:PostObject",
                "cos:PutObject*",
                "cos:InitiateMultipartUpload",
                "cos:UploadPart",
                "cos:UploadPartCopy",
                "cos:CompleteMultipartUpload",
                "cos:AbortMultipartUpload"
            ],
            "resource": "qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/doc/picture.jpg"
        }
    ]
}
2. Grant the policy to the sub-account. For the authorization method, see Authorization Management.
Grant Sub-Accounts Persistent Operation Permissions on Resources with Specified Prefixes
Assume that the enterprise account CompanyExample (OwnerUin is 100000000001, APPID is 1250000000) has a sub-account Developer, which needs to perform persistent processing on resources prefixed with test under the doc directory in the Bucket (named examplebucket, located in the Shanghai Region) of the enterprise account.
Cloud Infinite grants persistent operation authorization to sub-accounts by setting write permissions for resources with specified prefixes via COS.
Solution A:
Configure Policy and ACL settings for resources via the COS console. For details, refer to the COS Add Bucket Policy documentation.
Solution B:
1. Create the following policy using policy syntax.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cos:ListParts",
                "cos:PostObject",
                "cos:PutObject*",
                "cos:InitiateMultipartUpload",
                "cos:UploadPart",
                "cos:UploadPartCopy",
                "cos:CompleteMultipartUpload",
                "cos:AbortMultipartUpload"
            ],
            "resource": "qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/doc/test*"
        }
    ]
}
2. Grant the policy to the sub-account. For the authorization method, see Authorization Management.
Grant Sub-Accounts Persistent Operation Permissions on All Resources in a Specific Directory and Prohibit Operations on Specified Files Within That Directory
Assume that the enterprise account CompanyExample (OwnerUin is 100000000001, APPID is 1250000000) has a sub-account Developer, which needs to perform persistent processing on all resources under the doc directory in the Bucket (named examplebucket, located in the Shanghai Region) of the enterprise account, but must be prohibited from persistent processing of the picture.jpg file.
Cloud Infinite grants sub-accounts persistent operation permissions by setting write permissions for specified files via COS.
Solution A:
Configure Policy and ACL settings via the COS console. For details, see the COS Add Bucket Policy documentation.
Solution B:
1. Create the following policy using policy syntax.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cos:ListParts",
                "cos:PostObject",
                "cos:PutObject*",
                "cos:InitiateMultipartUpload",
                "cos:UploadPart",
                "cos:UploadPartCopy",
                "cos:CompleteMultipartUpload",
                "cos:AbortMultipartUpload"
            ],
            "resource": "qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/doc/*"
        },
        {
            "effect": "deny",
            "action": [
                "cos:ListParts",
                "cos:PostObject",
                "cos:PutObject*",
                "cos:InitiateMultipartUpload",
                "cos:UploadPart",
                "cos:UploadPartCopy",
                "cos:CompleteMultipartUpload",
                "cos:AbortMultipartUpload"
            ],
            "resource": "qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/doc/picture.jpg"
        }
    ]
}
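The following is an added example, not part of the original documentation and not Tencent Cloud code: a local model for checking, before a policy is attached, which write requests the prefix policy and the allow-plus-deny policy above would permit. It assumes that a matching deny statement overrides any allow and that "*" matches any run of characters including "/"; the function names and the three result labels are hypothetical.

```python
"""Local model of how the policies on this page resolve (not CAM's engine)."""
import re

# Identifiers below are the page's own example values.
BASE = "qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/"
WRITE_ACTIONS = [
    "cos:ListParts", "cos:PostObject", "cos:PutObject*",
    "cos:InitiateMultipartUpload", "cos:UploadPart", "cos:UploadPartCopy",
    "cos:CompleteMultipartUpload", "cos:AbortMultipartUpload",
]

def statement(effect, resource):
    return {"effect": effect, "action": WRITE_ACTIONS, "resource": resource}

# Last policy on the page: allow doc/*, deny doc/picture.jpg.
DIR_WITH_DENY = {"version": "2.0", "statement": [
    statement("allow", BASE + "doc/*"),
    statement("deny", BASE + "doc/picture.jpg"),
]}
# Prefix policy on the page: allow doc/test*.
PREFIX_ONLY = {"version": "2.0", "statement": [statement("allow", BASE + "doc/test*")]}

def wildcard_match(pattern, value):
    # Assumption: "*" matches any run of characters, "/" included.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def evaluate(policy, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for st in policy["statement"]:
        if not any(wildcard_match(a, action) for a in as_list(st["action"])):
            continue
        if not any(wildcard_match(r, resource) for r in as_list(st["resource"])):
            continue
        if st["effect"].lower() == "deny":
            return "explicit_deny"  # a matching deny wins over any allow
        decision = "allow"
    return decision

if __name__ == "__main__":
    for key in ("doc/report.pdf", "doc/picture.jpg", "doc/old/picture.jpg", "docs/a.jpg"):
        print(key, evaluate(DIR_WITH_DENY, "cos:PutObject", BASE + key))
    for key in ("doc/test1.png", "doc/testing/a.png", "doc/mytest.png"):
        print(key, evaluate(PREFIX_ONLY, "cos:UploadPart", BASE + key))
```

Under these assumptions the deny on doc/picture.jpg covers only that exact key, so a file of the same name in a subdirectory of doc stays writable, and doc/test* also covers keys under any directory whose name begins with test.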