Authorizable Resource Types

Last updated: 2020-04-01 16:46:08

PDF

Resource-level permission can be used to specify which resources a user can manipulate. TencentDB supports certain resource-level permissions. This means that for TencentDB operations that support resource-level permission, you can control the time when a user is allowed to perform operations or to use specified resources. The following table describes the types of resources that can be authorized in CAM.

Resource Type Resource Description Method in Authorization Policy
TencentDB instance-related qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId

The table below lists the TencentDB API operations which currently support resource-level permission control as well as the resources and condition keys supported by each operation. When specifying a resource path, you can use the "*" wildcard in the path.

List of APIs supporting authorization at resource level

API Operation Resource Path
AddTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
AssociateSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CloseWanService qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CreateAccounts qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CreateBackup qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
CreateDBImportJob qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DeleteAccounts qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DeleteBackup qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DeleteTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeAccountPrivileges qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeAccounts qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupConfig qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupDatabases qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupDownloadDbTableCode qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBackupTables qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeBinlogs qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDatabases qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBImportRecords qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceCharset qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceConfig qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceGTID qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBInstanceRebootTime qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBSwitchRecords qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDBSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeInstanceParamRecords qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeInstanceParams qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeRoGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeRollbackRangeTime qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeSlowLogs qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeSupportedPrivileges qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeTables qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeDatabasesForInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeMonitorData qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DescribeTableColumns qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DropDatabaseTables qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
InitDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
IsolateDBInstance qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAccountDescription qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAccountPassword qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAccountPrivileges qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyAutoRenewFlag qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyBackupConfig qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyBackupInfo qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceName qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceProject qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceVipVport qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyInstanceParam qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyDBInstanceModes qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyTimeWindow qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ModifyProtectMode qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
OfflineDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
OpenDBInstanceGTID qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
OpenWanService qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
ReleaseIsolatedDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
RestartDBInstances qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
StartBatchRollback qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
SubmitBatchOperation qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
SwitchDrInstanceToMaster qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
SwitchForUpgrade qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
DisassociateSecurityGroups qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
UpgradeDBInstance qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId
UpgradeDBInstanceEngineVersion qcs::cdb:$region:$account:instanceId/*
qcs::cdb:$region:$account:instanceId/$instanceId

List of APIs not supporting authorization at resource level

For a TencentDB API operation that does not support authorization at the resource level, you can still authorize a user to perform it, but you must specify * as the resource element in the policy statement.

API Operation API Description
CreateDBInstanceHour Creates a pay-as-you-go TencentDB instance
CreateParamTemplate Creates a parameter template
DeleteParamTemplate Deletes a monitoring template item
DescribeProjectSecurityGroups Queries security group information of a project
DescribeDefaultParams Queries the list of default configurable parameters
DescribeParamTemplateInfo Queries the parameter template details
DescribeParamTemplates Queries the list of parameter templates
DescribeAsyncRequestInfo Queries the execution result of an async task
DescribeTasks Queries the list of tasks for a TencentDB instance
DescribeUploadedFiles Queries the list of imported SQL files
ModifyParamTemplate Modifies a parameter template
RenewDBInstance Renews a TencentDB instance
StopDBImportJob Stops a data import task