Project-Level Permissions

Last updated: 2020-04-27 14:28:28

PDF

Creating Policies

If you need to grant different project-level permissions such as those for data query, purge and prefetch, and domain name management to different sub-accounts, you can create a policy as follows:

  1. Log in to the CAM Console and click Policies on the left sidebar.
  2. Click Create Custom Policy and select Create by Product Feature or Project Permission:
  3. Enter the policy name as required and select CDN as the service type below:
  4. Enable the operation set to be authorized as needed and associate them with desired projects (the default project cannot be authorized). Then, associate them with sub-users:

Resource-Level and Project-Level

Currently, categories of operation sets and their corresponding OPEN API2.0 and OPEN API3.0 APIs are as shown below. Sub-users with operation set permissions can call a 2.0 or 3.0 API in the following list for any domain name in an authorized project:

Permission Set API2.0 API3.0 Authorization Required
Query usage data and statistics DescribeCdnHostInfo DescribeCdnHostDetailedInfo GetCdnStatusCode
GetCdnStatTop
GetCdnProvIspDetailStat
DescribeCdnData DescribeOriginData
ListTopData
DescribeIpVisit
Yes
Query domain name information GetHostInfoById
GetHostInfoByHost
DescribeDomains
DescribeDomainsConfig
Yes
Query a CDN log download link GenerateLogList
GetCdnLogList
DescribeCdnDomainLogs Yes
Add a domain name AddCdnHost AddCdnDomain Yes
Launch/Deactivate a domain name OnlineHost OfflineHost StartCdnDomain
StopCdnDomain
Yes
Delete a domain name DeleteCdnHost DeleteCdnDomain Yes
Modify domain name configuration UpdateCdnConfig UpdateDomainConfig Yes
Purge and prefetch RefreshCdnDir
RefreshCdnUrl
GetCdnRefreshLog
CdnPusherV2
GetPushLogs
CdnOverseaPushser
PurgeUrlsCache
PurgePathCache
DescribePurgeTasks
PushUrlsCache
DescribePushTasks
Yes
Query service QueryCdnIp (no authorization required) DescribeCdnIp Yes

Console Permissions

  • View usage data and statistics: if View usage data and statistics is enabled in the policy and associated with a project, the sub-user can view the following modules in the console:
    • Overview page: data display module
    • Statistical analysis: real-time monitoring
    • Statistical analysis: data analysis
    • Data monitoring over the entire network
  • Query domain name information: if the policy enables Query domain name information and is associated with a project, the sub-user can view the domain name list and detailed configuration information of the authorized project on the Domain Name Management page in the console.
  • Query a CDN log download link: if the policy enables Query a CDN log download link and is associated with a project, the sub-user can query a log download link on the Log Service page in the console.
  • Add a domain name: if the policy enables Add a domain name and is associated with a project, the sub-user can add a domain name to the specified project.
  • Launch/deactivate a domain name: if the policy enables Launch/deactivate a domain name and is associated with a project, the sub-user can launch/deactivate an acceleration domain name in the specified project.
  • Delete a domain name: if the policy enables Delete a domain name and is associated with a project, the sub-user can delete an acceleration domain name in the specified project. As only deactivated domain names can be deleted, if the sub-user wants to delete a launched domain name, they need to have the permission to launch/deactivate a domain name.
  • Modify domain name configuration: if the policy enables Modify domain name configuration and is associated with a project, the sub-user can modify the configuration of an accelerated domain name in the specified project.
  • Purge and prefetch: if Purge and prefetch is enabled in the policy and associated with a project, the sub-user can submit corresponding purge or prefetch (whitelist) tasks and query their execution status on the Cache Purge page.