- Release Notes
- Product Introduction
- Purchase Guide
- Download
- Get Started
- Quick Integration Solution (Including UI Library) (Recommended)
- Self-implementing Integration Solution
- Client APIs
- SDK APIs (New)
- SDK APIs (Legacy)
- Server APIs
- Generating UserSig
- RESTful APIs
- RESTful API Overview
- RESTful API List
- Account Management
- One-to-One Messages
- Profile Management
- Pushing to All Users
- Relationship Chain Management
- Recent Contacts
- Group Management
- Getting All Groups in an App
- Creating a Group
- Getting Group Profiles
- Getting Group Member Profiles
- Modifying the Profile of a Group
- Adding Group Members
- Deleting Group Members
- Modifying the Profile of a Group Member
- Disbanding a Group
- Getting the Groups a User Has Joined
- Querying the Roles of Users in a Group
- Bulk Muting and Unmuting
- Getting the List of Muted Group Members
- Sending Ordinary Messages in a Group
- Sending System Messages in a Group
- Recalling Group Messages
- Changing Group Owner
- Importing a Group Profile
- Importing Group Messages
- Importing Group Members
- Setting the Unread Message Count of a Member
- Deleting Messages Sent by a Specified User
- Pulling Historical Messages
- Getting the Number of Online Users in an Audio-Video Group
- Getting Custom Group Attributes
- Modifying Custom Group Attributes
- Clearing Custom Group Attributes
- Resetting Custom Group Attributes
- Global Mute Management
- Operations Management
- Third-Party Callbacks
- Third-Party Callback Overview
- Callback Command List
- Online Status Callbacks
- Relationship Chain Callbacks
- One-to-One Message Callbacks
- Group System Callbacks
- Callback Before Creating a Group
- Callback After Creating a Group
- Callback Before Accepting a Request to Join a Group
- Callback Before Accepting a Request to Add a User to a Group
- Callback After a User Joins a Group
- Callback After a User Leaves a Group
- Callback Before Sending a Group Message
- Callback After Sending a Group Message
- Callback After a Group Is Full
- Callback After Disbanding a Group
- Callback After Modifying Group Profile
- Callbacks After Recalling Group Messages
- Callback Mutual Authentication Configuration Guide
- Use Cases
- Console Guide
- FAQs
- Security Compliance Certification
- IM Policy
- Smooth Migration Solutions
- Error Codes
- Contact Us
- Release Notes
- Product Introduction
- Purchase Guide
- Download
- Get Started
- Quick Integration Solution (Including UI Library) (Recommended)
- Self-implementing Integration Solution
- Client APIs
- SDK APIs (New)
- SDK APIs (Legacy)
- Server APIs
- Generating UserSig
- RESTful APIs
- RESTful API Overview
- RESTful API List
- Account Management
- One-to-One Messages
- Profile Management
- Pushing to All Users
- Relationship Chain Management
- Recent Contacts
- Group Management
- Getting All Groups in an App
- Creating a Group
- Getting Group Profiles
- Getting Group Member Profiles
- Modifying the Profile of a Group
- Adding Group Members
- Deleting Group Members
- Modifying the Profile of a Group Member
- Disbanding a Group
- Getting the Groups a User Has Joined
- Querying the Roles of Users in a Group
- Bulk Muting and Unmuting
- Getting the List of Muted Group Members
- Sending Ordinary Messages in a Group
- Sending System Messages in a Group
- Recalling Group Messages
- Changing Group Owner
- Importing a Group Profile
- Importing Group Messages
- Importing Group Members
- Setting the Unread Message Count of a Member
- Deleting Messages Sent by a Specified User
- Pulling Historical Messages
- Getting the Number of Online Users in an Audio-Video Group
- Getting Custom Group Attributes
- Modifying Custom Group Attributes
- Clearing Custom Group Attributes
- Resetting Custom Group Attributes
- Global Mute Management
- Operations Management
- Third-Party Callbacks
- Third-Party Callback Overview
- Callback Command List
- Online Status Callbacks
- Relationship Chain Callbacks
- One-to-One Message Callbacks
- Group System Callbacks
- Callback Before Creating a Group
- Callback After Creating a Group
- Callback Before Accepting a Request to Join a Group
- Callback Before Accepting a Request to Add a User to a Group
- Callback After a User Joins a Group
- Callback After a User Leaves a Group
- Callback Before Sending a Group Message
- Callback After Sending a Group Message
- Callback After a Group Is Full
- Callback After Disbanding a Group
- Callback After Modifying Group Profile
- Callbacks After Recalling Group Messages
- Callback Mutual Authentication Configuration Guide
- Use Cases
- Console Guide
- FAQs
- Security Compliance Certification
- IM Policy
- Smooth Migration Solutions
- Error Codes
- Contact Us
Note:This document describes the Cloud Access Management (CAM) feature for IM. For more information about CAM for other Tencent Cloud services, see CAM-Enabled Products.
You can easily use preset policies in the CAM console for authorization. However, preset policies only provide coarse-grained permission control and cannot be refined to IM applications and Tencent Cloud APIs. If you need refined permission control, you must create custom policies.
Custom Policy Creation Methods
The table compares several custom policy creation methods with detailed instructions for using them.
| Entry | Method | Effect | Resource | Action | Flexibility | Difficulty |
|---|---|---|---|---|---|---|
| CAM console | Policy generator | Manual selection | Syntax description | Manual selection | Medium | Medium |
| CAM console | Policy syntax | Syntax description | Syntax description | Syntax description | High | High |
| CAM server API | CreatePolicy | Syntax description | Syntax description | Syntax description | High | High |
Note:
- IM does not support custom policy creation by product feature or project.
- Manual selection indicates that you must select an object from the option list in the console.
- Syntax description indicates that the authorization policy syntax is used to describe objects.
Authorization Policy Syntax
Resource syntax description
As mentioned previously, the resource granularity for IM permission management is applications. Policy syntax description of applications comply with the Resource Description Method. In the following example, the developer’s root account ID is 12345678, and the developer creates three applications whose SDKAppIDs are 1400000000, 1400000001, and 1400000002 respectively.
Policy syntax description for all IM applications
"resource": [ "qcs::im::uin/12345678:sdkappid/*" ]Policy syntax description for a single application
"resource": [ "qcs::im::uin/12345678:sdkappid/1400000001" ]Policy syntax description for multiple applications
"resource": [ "qcs::im::uin/12345678:sdkappid/1400000000", "qcs::im::uin/12345678:sdkappid/1400000001" ]
Action syntax description
As mentioned previously, the action granularity of TRTC permission management is Tencent Cloud APIs. In the following example, Tencent Cloud APIs such as DescribeAppStatList (for obtaining the application list) and DescribeSdkAppInfo (for obtaining application information) are used.
Policy syntax description for all Tencent Cloud APIs for IM
"action": [ "name/im:*" ]Policy syntax description for a single Tencent Cloud API
"action": [ "name/im:DescribeAppStatList" ]Policy syntax description for multiple Tencent Cloud APIs
"action": [ "name/im:DescribeAppStatList", "name/im:DescribeTrtcAppAndAccountInfo" ]
Custom Policy Usage Example
Using the policy generator
In the following example, we will create a custom policy that allows all operations on the IM application whose SDKAppID is 1400000001.
- Log in to the Policies page in the CAM console with the root account. Then, click Create Custom Policy.
- Select Create by Policy Generator to go to the policy creation page.
- In the Select Service and Action step:
- Select Allow for Effect.
- Select IM for Service.
- Select all items for Action.
- Enter
qcs::im::uin/12345678:sdkappid/1400000001for Resource based on the resource syntax description. - Condition is optional.
- Click Add Statement. A statement that allows all operations for the IM application 1400000001 appears.
- Continue to add another statement on the same page by configuring the following settings:
- Select Deny for Effect.
- Select IM for Service.
- Select
RemoveUserfor Action. (You can quickly findRemoveUserwith the search feature.) - Enter
qcs::im::uin/12345678:sdkappid/1400000001for Resource based on the resource syntax description. - Condition is optional.
- Click Add Statement. A statement that rejects the
RemoveUseroperation for IM application 1400000001 appears.
- Click Next and rename the policy as needed (You can also retain the current policy name).
- Click Done.
The method for granting the policy to other sub-accounts is the same as Granting IM Permissions to an Existing Sub-account.
Using the policy syntax
In the following example, we will create a custom policy that allows all operations for the IM applications whose SDKAppIDs are 1400000001 and 1400000002.
- Log in to the Policies page in the CAM console with the root account. Then, click Create Custom Policy.
- Select Create by Policy Syntax to go to the creation page.
- In the Select a template type area, select Blank Template.
Note:
A policy template is used to create a policy by copying an existing policy (a preset or custom policy) and then modifying the policy. You can select an appropriate policy template to reduce the difficulty and workload of policy definition.
- Click Next and rename the policy as needed (You can also retain the current policy name).
- Copy and paste the following content in the Policy Content box:
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "name/im:*" ], "resource": [ "qcs::im::uin/12345678:sdkappid/1400000001", "qcs::im::uin/12345678:sdkappid/1400000002" ] }, { "effect": "deny", "action": [ "name/im:RemoveUser" ], "resource": [ "qcs::im::uin/12345678:sdkappid/1400000001" ] } ] }
Note:The policy content must comply with the CAM policy syntax logic described in Element Reference. For more information on the syntax for resource and action elements, see Resource syntax description and Action syntax description.
6. Click Done.
The method for granting the policy to other sub-accounts is the same as Granting IM Permissions to an Existing Sub-account.
Using server APIs provided by CAM
For most developers, performing permission management operations in the console can meet their business needs. However, if you need to automate and systematize your permission management capabilities, you can use server APIs.
Policy-related server APIs are included in CAM. For more information, see CAM documentation. Among these APIs, the major ones include:
Yes
No
Was this page helpful?