Documentation|Tencent Cloud

Recent Pages

Project-Level Permissions

Last updated: 2020-08-03 11:22:38

Creating Policies

If you need to grant different project-level permissions such as those for data query, purge and prefetch, and domain name management to different sub-accounts, you can create a policy as follows:

Log in to the CAM Console and click Policies on the left sidebar.
Click Create Custom Policy and select Create by Product Feature or Project Permission:
Enter the policy name as required and select CDN as the service type below:
Enable the operation set to be authorized as needed and associate them with desired projects (the default project cannot be authorized). Then, associate them with sub-users:

Resource-Level and Project-Level

Currently, categories of operation sets and their corresponding OPEN API2.0 and OPEN API3.0 APIs are as shown below. Sub-users with operation set permissions can call a 2.0 or 3.0 API in the following list for any domain name in an authorized project:

Permission Set	API2.0	API3.0	Authorization Required
Query usage data and statistics	DescribeCdnHostInfo DescribeCdnHostDetailedInfo GetCdnStatusCode GetCdnStatTop GetCdnProvIspDetailStat	DescribeCdnData DescribeOriginData ListTopData DescribeIpVisit	Yes
Query domain name information	GetHostInfoById GetHostInfoByHost	DescribeDomains DescribeDomainsConfig	Yes
Query a CDN log download link	GenerateLogList GetCdnLogList	DescribeCdnDomainLogs	Yes
Add a domain name	AddCdnHost	AddCdnDomain	Yes
Launch/Deactivate a domain name	OnlineHost OfflineHost	StartCdnDomain StopCdnDomain	Yes
Delete a domain name	DeleteCdnHost	DeleteCdnDomain	Yes
Modify domain name configuration	UpdateCdnConfig	UpdateDomainConfig	Yes
Purge and prefetch	RefreshCdnDir RefreshCdnUrl GetCdnRefreshLog CdnPusherV2 GetPushLogs CdnOverseaPushser	PurgeUrlsCache PurgePathCache DescribePurgeTasks PushUrlsCache DescribePushTasks	Yes
Query service	QueryCdnIp (no authorization required)	DescribeCdnIp	Yes

Console Permissions

View usage data and statistics: if View usage data and statistics is enabled in the policy and associated with a project, the sub-user can view the following modules in the console:
- Overview page: data display module
- Statistical analysis: real-time monitoring
- Statistical analysis: data analysis
- Data monitoring over the entire network
Query domain name information: if the policy enables Query domain name information and is associated with a project, the sub-user can view the domain name list and detailed configuration information of the authorized project on the Domain Name Management page in the console.
Query a CDN log download link: if the policy enables Query a CDN log download link and is associated with a project, the sub-user can query a log download link on the Log Service page in the console.
Add a domain name: if the policy enables Add a domain name and is associated with a project, the sub-user can add a domain name to the specified project.
Launch/deactivate a domain name: if the policy enables Launch/deactivate a domain name and is associated with a project, the sub-user can launch/deactivate an acceleration domain name in the specified project.
Delete a domain name: if the policy enables Delete a domain name and is associated with a project, the sub-user can delete an acceleration domain name in the specified project. As only deactivated domain names can be deleted, if the sub-user wants to delete a launched domain name, they need to have the permission to launch/deactivate a domain name.
Modify domain name configuration: if the policy enables Modify domain name configuration and is associated with a project, the sub-user can modify the configuration of an accelerated domain name in the specified project.
Purge and prefetch: if Purge and prefetch is enabled in the policy and associated with a project, the sub-user can submit corresponding purge or prefetch (allowlist) tasks and query their execution status on the Cache Purge page.