- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on Changing External Network Links
- Interface Authentication Upgrade Announcement
- Maintenance Time Change from Local Time to Beijing Time
- Account Type and Permission Changes
- Product Architecture Name Change
- Disk Storage Space Composition Change
- Ending Support for Classic Network [2022.12.31]
- Backup Billing Start [2022.07.10]
- Ending Sale for Basic Edition 1-Core Specification [2022.03.07]
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Constraints and Limits
- Usage Specifications and Suggestions
- Maintaining Instance
- Renaming Instance
- Setting Instance Remarks
- Setting Instance Tag
- Setting Instance Project
- Modify Instance-level Character Set Collation
- Modify System Time Zone
- Setting Instance Maintenance Information
- Multi-AZ Disaster Recovery
- Restarting Instance
- Terminating Instance
- Migrating Across AZs
- Manual Primary-Secondary Switching
- Recycle Bin
- Adjusting Instance Configuration
- Read-Only Instance
- Network and Security
- Account Management
- Database Management
- Data Security
- Parameter Configuration
- Monitoring and Alarms
- Backup and Restoration
- Log Management
- Publish-Subscribe
- SSIS
- Data Migration (New)
- Data Migration (Legacy)
- Best Practice
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance Management APIs
- CreateCloudDBInstances
- CreateCloudReadOnlyDBInstances
- ModifyInstanceEncryptAttributes
- UpgradeDBInstance
- RollbackInstance
- RestoreInstance
- RestartDBInstance
- ResetAccountPassword
- ModifyDBRemark
- ModifyDBName
- ModifyDBInstanceProject
- ModifyDBInstanceName
- ModifyAccountPrivilege
- InquiryPriceUpgradeDBInstance
- InquiryPriceCreateDBInstances
- DescribeZones
- DescribeRollbackTime
- DescribeRegions
- DescribeProductConfig
- DescribeFlowStatus
- DescribeDBs
- DescribeDBInstances
- DescribeAccounts
- DeleteDB
- DeleteAccount
- CreateDBInstances
- CreateDB
- CreateAccount
- TerminateDBInstance
- RecycleDBInstance
- CloneDB
- DescribeDBCharsets
- ModifyDatabaseMdf
- ModifyDatabaseCT
- ModifyDatabaseCDC
- DescribeDBsNormal
- ModifyInstanceParam
- DescribeInstanceParams
- DescribeInstanceParamRecords
- OpenInterCommunication
- DescribeDBInstanceInter
- DescribeBusinessIntelligenceFile
- DeleteBusinessIntelligenceFile
- CreateBusinessIntelligenceFile
- CreateBusinessDBInstances
- CloseInterCommunication
- Network Management APIs
- Backup APIs
- RunMigration
- ModifyMigration
- DescribeMigrations
- DescribeMigrationDetail
- DescribeBackups
- DeleteMigration
- CreateMigration
- CreateBackup
- ModifyBackupStrategy
- StartIncrementalMigration
- StartBackupMigration
- ModifyIncrementalMigration
- ModifyBackupMigration
- DescribeUploadBackupInfo
- DescribeIncrementalMigration
- DescribeBackupUploadSize
- DescribeBackupMigration
- DescribeBackupCommand
- DeleteIncrementalMigration
- DeleteBackupMigration
- CreateIncrementalMigration
- CreateBackupMigration
- DescribeBackupFiles
- Extended Event APIs
- Database APIs
- Other APIs
- Data Types
- Error Codes
- FAQs
- Overview
- Model Selection
- Pricing and Selection
- Connection and Network
- Account and Permission
- Backup and Rollback
- Data Migration
- Publish/Subscribe
- Read-Only Instance
- Version and Architecture Upgrade
- Disk Space and Specification Adjustment
- Monitoring and Alarms
- Log
- Parameter Modification
- Features
- Performance/Space/Memory
- Service Agreement
- Performance Evaluation
- Glossary
- Contact Us
- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on Changing External Network Links
- Interface Authentication Upgrade Announcement
- Maintenance Time Change from Local Time to Beijing Time
- Account Type and Permission Changes
- Product Architecture Name Change
- Disk Storage Space Composition Change
- Ending Support for Classic Network [2022.12.31]
- Backup Billing Start [2022.07.10]
- Ending Sale for Basic Edition 1-Core Specification [2022.03.07]
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Constraints and Limits
- Usage Specifications and Suggestions
- Maintaining Instance
- Renaming Instance
- Setting Instance Remarks
- Setting Instance Tag
- Setting Instance Project
- Modify Instance-level Character Set Collation
- Modify System Time Zone
- Setting Instance Maintenance Information
- Multi-AZ Disaster Recovery
- Restarting Instance
- Terminating Instance
- Migrating Across AZs
- Manual Primary-Secondary Switching
- Recycle Bin
- Adjusting Instance Configuration
- Read-Only Instance
- Network and Security
- Account Management
- Database Management
- Data Security
- Parameter Configuration
- Monitoring and Alarms
- Backup and Restoration
- Log Management
- Publish-Subscribe
- SSIS
- Data Migration (New)
- Data Migration (Legacy)
- Best Practice
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance Management APIs
- CreateCloudDBInstances
- CreateCloudReadOnlyDBInstances
- ModifyInstanceEncryptAttributes
- UpgradeDBInstance
- RollbackInstance
- RestoreInstance
- RestartDBInstance
- ResetAccountPassword
- ModifyDBRemark
- ModifyDBName
- ModifyDBInstanceProject
- ModifyDBInstanceName
- ModifyAccountPrivilege
- InquiryPriceUpgradeDBInstance
- InquiryPriceCreateDBInstances
- DescribeZones
- DescribeRollbackTime
- DescribeRegions
- DescribeProductConfig
- DescribeFlowStatus
- DescribeDBs
- DescribeDBInstances
- DescribeAccounts
- DeleteDB
- DeleteAccount
- CreateDBInstances
- CreateDB
- CreateAccount
- TerminateDBInstance
- RecycleDBInstance
- CloneDB
- DescribeDBCharsets
- ModifyDatabaseMdf
- ModifyDatabaseCT
- ModifyDatabaseCDC
- DescribeDBsNormal
- ModifyInstanceParam
- DescribeInstanceParams
- DescribeInstanceParamRecords
- OpenInterCommunication
- DescribeDBInstanceInter
- DescribeBusinessIntelligenceFile
- DeleteBusinessIntelligenceFile
- CreateBusinessIntelligenceFile
- CreateBusinessDBInstances
- CloseInterCommunication
- Network Management APIs
- Backup APIs
- RunMigration
- ModifyMigration
- DescribeMigrations
- DescribeMigrationDetail
- DescribeBackups
- DeleteMigration
- CreateMigration
- CreateBackup
- ModifyBackupStrategy
- StartIncrementalMigration
- StartBackupMigration
- ModifyIncrementalMigration
- ModifyBackupMigration
- DescribeUploadBackupInfo
- DescribeIncrementalMigration
- DescribeBackupUploadSize
- DescribeBackupMigration
- DescribeBackupCommand
- DeleteIncrementalMigration
- DeleteBackupMigration
- CreateIncrementalMigration
- CreateBackupMigration
- DescribeBackupFiles
- Extended Event APIs
- Database APIs
- Other APIs
- Data Types
- Error Codes
- FAQs
- Overview
- Model Selection
- Pricing and Selection
- Connection and Network
- Account and Permission
- Backup and Rollback
- Data Migration
- Publish/Subscribe
- Read-Only Instance
- Version and Architecture Upgrade
- Disk Space and Specification Adjustment
- Monitoring and Alarms
- Log
- Parameter Modification
- Features
- Performance/Space/Memory
- Service Agreement
- Performance Evaluation
- Glossary
- Contact Us
Issues
If you use Tencent Cloud services, including CVM, VPC, and TencentDB, which are managed by different people who share your Tencent Cloud account key, the following issues may arise:
There is a high risk of key leakage because the key is shared among multiple individuals.
The absence of limitations on other users' access rights may easily lead to incorrect operations, causing security risks.
Solutions
You can avoid the issues above by providing different users with sub-accounts, permitting them to manage different services. By default, a sub-account does not possess the authorization to utilize Tencent Cloud services or the related resources. Consequently, we should formulate a policy to allow sub-accounts to use the resources and permissions they need.
Cloud Access Management (CAM) aids in the secure and convenient management of access to Tencent Cloud services and resources. With CAM, you can create sub-accounts, user groups, and roles, controlling their access scope through a policy. CAM supports SSO capabilities for users and roles, allowing targeted settings for interaction between corporate users and Tencent Cloud based on specific management circumstances. Your initially created Tencent Cloud root account possesses complete access to all Tencent Cloud services and resources. It is recommended to safeguard your root account credentials, utilize sub-accounts or roles for daily access, enable multi-factor authentication, and change keys regularly.
While CAM is used, a policy can be associated with a user or a group of users to allow or reject the use of specific resources by users to accomplish designated tasks. For more information on CAM policies, please refer to Policy Syntax.
If you do not need to manage the CAM of the related resources of the Tencent Cloud Database for the sub-accounts, you may bypass this part. It will not impede your comprehension or usage of the remaining parts in this document.
Quick Start
A CAM policy must authorize or deny the use of one or more cloud database operations. Simultaneously, it must specify the resources that can be used for these operations, which could be all the resources (some operations can also be partial resources). The policy can also encompass the conditions stipulated for the operated resources.
Note:
Users are recommended to use CAM policies to manageTencentDB resources and authorize TencentDB operations. While the experience for existing users with project-based permissions remains unchanged, it is not suggested to continue resource management and operation authorization with project-based permissions.
The TencentDB does not support the setting of related validity conditions for the time being.
Task | Link |
Understanding the fundamental structure of policies | |
Defining operations in a policy | |
Defining resources in a policy | |
Resource-level permissions supported by TencentDB |
Yes
No
Was this page helpful?