
CAM Overview
Last updated: 2025-04-30 16:33:26

Feature Introduction

Cloud Access Management (CAM) helps you securely and conveniently manage access to Tencent Cloud services and resources. With CAM, you can create sub-users, user groups, and roles, and control their access scope through policies. CAM supports SSO for users and roles, allowing you to set up interoperability between your enterprise identity provider and Tencent Cloud for specific management scenarios.
The Tencent Cloud root account you initially created has full access to all services and resources under the account. It is recommended to protect the credentials of the root account, use sub-users or roles for daily access, enable multi-factor authentication, and rotate keys periodically.

Overview

If you use multiple cloud platform services, such as Cloud Virtual Machine, Virtual Private Cloud and CloudDB, that are managed by different people who all share your cloud account's keys, you might face the following issues:
The risk of your key being compromised is high, since multiple users are sharing it.
You cannot restrict what other users can do, which may lead to misoperations and potential security risks.

Basic Concepts

Root Account

When you register for a Tencent Cloud account, the generated account is the root account and has management permissions for all cloud resources under it. The root account is the fundamental entity for metering and billing Tencent Cloud resource usage.

Sub-Account

A sub-account is created by a root account and fully belongs to the root account that created it. It has its own identity ID and credentials.

Identity Credential

Identity credentials include login credentials and access credentials. Login credentials are a user's login name and password. Access credentials are Cloud API keys (SecretId and SecretKey).

Resource

A resource is an object operated in cloud services, such as a TencentDB for CTSDB 3.0 instance.

Permissions and Policies

Permission: Refers to allowing or denying some users to perform specific operations and access certain resources under certain conditions.
Policy: Refers to the syntax specification that defines and describes one or more permissions. For a detailed description of the syntax, see Permissions and Policies.
Note:
By default, a root account has access permissions to all its resources, while a sub-account does not have access permissions to any resources under the root account. You need to create policies to allow sub-accounts to use the resources or permissions they require.
For detailed operations for the default permission policies and custom policies of CTSDB, see Permissions and Policies.
For detailed operations on authorizing permission policies to sub-accounts or cross-cloud accounts, see Authorizing Policies to Sub-accounts or Cross-Cloud Accounts.

Authorization Granularity

The authorization granularity of cloud products is divided into three levels, from coarsest to finest: service level, operation level, and resource level.
Service level: This defines whether access permissions are authorized to the overall service. It can be divided into allowing full operation permissions for the service or denying all operation permissions for the service. Cloud products with service-level authorization granularity do not support authorizing specific APIs.
Operation level: This defines whether access permissions are authorized to specific APIs of the service. For example: Authorizing a certain account to perform read-only operations on the Cloud Database Service.
Resource level: This defines whether access permissions are authorized to a specific resource. This is the finest level of authorization granularity. For example: Authorizing a certain account to perform only read and write operations on a Cloud Database Service instance. Products that can support resource-level API authorization are identified as having resource-level authorization granularity.
Note:
For a detailed list of business APIs supported by CAM authorization in CTSDB 3.0, see Authorizable Resources and Operation APIs.
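As an added example (not Tencent Cloud's own code or CAM's real evaluator), the following Python models how the three authorization granularities above map onto policy statements and how a sub-account's request is decided against them. The policy document shape (version, statement, effect, action, resource) follows the public CAM syntax; the ctsdb action names, instance resource strings and UIN are constructed placeholders, and the deny-over-allow precedence is an assumption of this model.

```python
from fnmatch import fnmatchcase

# Added example, not Tencent Cloud code. Policy shape (version/statement/
# effect/action/resource) follows CAM syntax; "ctsdb" actions, instance
# resource strings and the UIN are constructed placeholders.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action, resource):
    """Decide one request against the policies bound to a sub-account.

    Assumed semantics: no matching statement means deny (a sub-account
    starts with nothing), a matching allow grants access, and a matching
    deny overrides every allow.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("statement", []):
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["resource"])):
                continue
            if stmt["effect"] == "deny":
                return False
            allowed = True
    return allowed

UIN = "uin/100000000001"  # placeholder root-account UIN
INSTANCE_A = f"qcs::ctsdb:ap-guangzhou:{UIN}:instance/ctsdb-aaaa0001"
INSTANCE_B = f"qcs::ctsdb:ap-guangzhou:{UIN}:instance/ctsdb-bbbb0002"

# Service level: all operations of the service on every resource.
SERVICE_FULL = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["ctsdb:*"], "resource": ["*"]}]}

# Operation level: only read-style APIs, on any resource.
OPERATION_READONLY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["ctsdb:Describe*"], "resource": ["*"]}]}

# Resource level: read and write, but only on one named instance.
RESOURCE_ONE_INSTANCE = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["ctsdb:Describe*", "ctsdb:Modify*"],
     "resource": [INSTANCE_A]}]}

# Explicit deny, meant to be bound alongside a broader allow.
DENY_DELETE = {"version": "2.0", "statement": [
    {"effect": "deny", "action": ["ctsdb:Delete*"], "resource": ["*"]}]}
```

Binding SERVICE_FULL together with DENY_DELETE shows the practical use of an explicit deny: the sub-account keeps full service access except for Delete APIs, whereas RESOURCE_ONE_INSTANCE confines even write access to a single instance.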

More Information

For more information about CAM, see Cloud Access Management in Product Documentation.