CAM policy:
{
    "version":"2.0",
    "statement":
    [
        {
            "effect":"effect",
            "action":["action"],
            "resource":["resource"],
            "condition": {"key":{"value"}}
        }
    ]
}
In a TencentDB for SQL Server policy statement, you can specify any API operation from any service that supports TencentDB for SQL Server. APIs prefixed with sqlserver: should be used for TencentDB for SQL Server, such as sqlserver:DescribeDBInstances or sqlserver:CreateAccount.
To specify multiple operations in a single statement, separate them with commas, as shown below:
"action":["sqlserver:action1","sqlserver:action2"]
You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe", as shown below:
"action":["sqlserver:Describe*"]
If you want to specify all operations in TencentDB for SQL Server, use a wildcard as shown below:
"action":["sqlserver:*"]
Each CAM policy statement has its own resources.
Resources are generally in the following format:
qcs:project_id:service_type:region:account:resource
For example, you can specify a resource for a specific instance (mssql-m8oh024t) in a statement as shown below:
"resource":[ "qcs::sqlserver:ap-guangzhou:uin/653339763:instance/mssql-m8oh024t"]
You can also use the wildcard "*" to specify all instances that belong to a specific account, as shown below:
"resource":[ "qcs::sqlserver:ap-guangzhou:uin/653339763:instance/*"]
If you want to specify all resources or a specific API operation does not support resource-level permission control, you can use the wildcard "*" in the "resource" element as shown below:
"resource": ["*"]
To specify multiple resources in a single statement, separate them with commas. Below is an example where two resources are specified:
"resource":["resource1","resource2"]
The table below describes the resources that can be used by TencentDB for SQL Server and the corresponding resource description methods, where words prefixed with $ are placeholders, project refers to a project ID, region refers to a region, and account refers to an account ID.
Resource | Resource Description Method in Authorization Policy |
---|---|
Instance | qcs::sqlserver:$region:$account:instance/$instanceId |
VPC | qcs::vpc:$region:$account:vpc/$vpcId |
Security group | qcs::cvm:$region:$account:sg/$sgId |
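
An added example, not part of the original documentation: a Python check that parses the six-segment resource description above and flags statements whose "action" or "resource" wildcards reach beyond a single named resource. The sample policy is constructed, and the "allow" effect value, the list form of "action" and "resource", and the function names are assumptions of this example.

```python
import json

# Constructed sample policy for illustration; the region, uin and instance ID
# reuse the page's example values. "allow" as the effect value is an assumption.
SAMPLE_POLICY = json.loads("""
{"version": "2.0",
 "statement": [
  {"effect": "allow", "action": ["sqlserver:Describe*"],
   "resource": ["qcs::sqlserver:ap-guangzhou:uin/653339763:instance/mssql-m8oh024t"]},
  {"effect": "allow", "action": ["sqlserver:*"], "resource": ["*"]},
  {"effect": "allow", "action": ["sqlserver:CreateAccount"],
   "resource": ["qcs::sqlserver:ap-guangzhou:uin/653339763:instance/*"]}
 ]}
""")

FIELDS = ("prefix", "project_id", "service_type", "region", "account", "resource")


def parse_resource(resource):
    """Split qcs:project_id:service_type:region:account:resource into a dict.

    Returns None for the bare "*" wildcard or any string not in that format.
    """
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        return None
    return dict(zip(FIELDS, parts))


def audit(policy):
    """Return (statement index, element, value, reason) for each broad grant."""
    findings = []
    for idx, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue  # only allow statements widen access
        for action in stmt.get("action", []):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "action", action, "all operations"))
        for res in stmt.get("resource", []):
            fields = parse_resource(res)
            if res == "*":
                findings.append((idx, "resource", res, "all resources"))
            elif fields is None:
                findings.append((idx, "resource", res, "malformed description"))
            elif fields["resource"].endswith("/*"):
                kind = fields["resource"][:-2]
                findings.append((idx, "resource", res, "all " + kind + " resources"))
    return findings
```

Calling audit(SAMPLE_POLICY) leaves the first statement unflagged, because it names one instance and only "Describe" operations, and reports the other two for review.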