If you need to grant different project-level permissions such as those for data query, purge and prefetch, and domain name management to different sub-accounts, you can create a policy as follows:
- Log in to the CAM Console and click Policies on the left sidebar.
- Click Create Custom Policy and select Create by Product Feature or Project Permission:
- Enter the policy name as required and select CDN as the service type below:
- Enable the operation set to be authorized as needed and associate them with desired projects (the default project cannot be authorized). Then, associate them with sub-users:
Resource-Level and Project-Level
Currently, categories of operation sets and their corresponding OPEN API2.0 and OPEN API3.0 APIs are as shown below. Sub-users with operation set permissions can call a 2.0 or 3.0 API in the following list for any domain name in an authorized project:
|Query usage data and statistics
||DescribeCdnHostInfo DescribeCdnHostDetailedInfo GetCdnStatusCode
|Query domain name information
|Query a CDN log download link
|Add a domain name
|Launch/Deactivate a domain name
|Delete a domain name
|Modify domain name configuration
|Purge and prefetch
||QueryCdnIp (no authorization required)
- View usage data and statistics: if View usage data and statistics is enabled in the policy and associated with a project, the sub-user can view the following modules in the console:
- Overview page: data display module
- Statistical analysis: real-time monitoring
- Statistical analysis: data analysis
- Data monitoring over the entire network
- Query domain name information: if the policy enables Query domain name information and is associated with a project, the sub-user can view the domain name list and detailed configuration information of the authorized project on the Domain Name Management page in the console.
- Query a CDN log download link: if the policy enables Query a CDN log download link and is associated with a project, the sub-user can query a log download link on the Log Service page in the console.
- Add a domain name: if the policy enables Add a domain name and is associated with a project, the sub-user can add a domain name to the specified project.
- Launch/deactivate a domain name: if the policy enables Launch/deactivate a domain name and is associated with a project, the sub-user can launch/deactivate an acceleration domain name in the specified project.
- Delete a domain name: if the policy enables Delete a domain name and is associated with a project, the sub-user can delete an acceleration domain name in the specified project. As only deactivated domain names can be deleted, if the sub-user wants to delete a launched domain name, they need to have the permission to launch/deactivate a domain name.
- Modify domain name configuration: if the policy enables Modify domain name configuration and is associated with a project, the sub-user can modify the configuration of an accelerated domain name in the specified project.
- Purge and prefetch: if Purge and prefetch is enabled in the policy and associated with a project, the sub-user can submit corresponding purge or prefetch (allowlist) tasks and query their execution status on the Cache Purge page.