Supported Resource-level Permissions

Last updated: 2019-11-19 17:35:19

PDF

Resource-level permission can be used to specify which resources a user can manipulate. TencentDB supports certain resource-level permission. This means that for some TencentDB operations, you can control the time when a user is allowed to perform operations (based on mandatory conditions) or to use specified resources. The following table describes the types of resources that can be authorized in TencentDB.

Types of resources that can be authorized in CAM:

Resource Type Resource Description Method in Authorization Policy
TencentDB instance-related qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId

The table below lists the TencentDB API operations which currently support resource-level permission control as well as the resources and condition keys supported by each operation. When specifying a resource path, you can use the "*" wildcard in the path.

Any TencentDB API operation not listed here does not support resource-level permission. If a TencentDB API operation does not support resource-level permission, you can still authorize a user to perform this operation, but you must specify * for the resource element of the policy statement.

API Operation Resource Path
AddTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
AssociateSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CloseWanService qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CreateAccounts qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CreateBackup qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CreateDBImportJob qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DeleteAccounts qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DeleteBackup qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DeleteTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeAccountPrivileges qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeAccounts qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupConfig qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupDatabases qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupDownloadDbTableCode qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupTables qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBinlogs qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDatabases qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBImportRecords qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceCharset qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceConfig qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceGTID qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceRebootTime qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBSwitchRecords qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeInstanceParamRecords qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeInstanceParams qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeRoGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeRollbackRangeTime qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeSlowLogs qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeSupportedPrivileges qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeTables qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDatabasesForInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeMonitorData qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeTableColumns qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DropDatabaseTables qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
InitDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
IsolateDBInstance qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAccountDescription qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAccountPassword qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAccountPrivileges qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAutoRenewFlag qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyBackupConfig qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyBackupInfo qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceName qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceProject qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceVipVport qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyInstanceParam qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceModes qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyProtectMode qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
OfflineDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
OpenDBInstanceGTID qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
OpenWanService qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ReleaseIsolatedDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
RestartDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
StartBatchRollback qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
SubmitBatchOperation qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
SwitchDrInstanceToMaster qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
SwitchForUpgrade qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DisassociateSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
UpgradeDBInstance qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
UpgradeDBInstanceEngineVersion qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId