- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Cloud Monitoring Overview
- Monitoring View
- Dashboard
- Event Center
- Alarm Service
- CVM Agents
- Cloud Access Management (CAM)
- CM Connection to Grafana
- Best Practice
- Troubleshooting
- API Documentation
- History
- API Category
- Making API Requests
- Monitoring Data Query APIs
- Alarm APIs
- DescribeAlarmHistories
- CreateAlarmPolicy
- DeleteAlarmPolicy
- DescribeAlarmPolicies
- DescribeAlarmPolicy
- ModifyAlarmPolicyStatus
- SetDefaultAlarmPolicy
- BindingPolicyObject
- UnBindingPolicyObject
- UnBindingAllPolicyObject
- ModifyAlarmPolicyCondition
- ModifyAlarmPolicyNotice
- ModifyAlarmPolicyTasks
- DescribeMonitorTypes
- DescribeAllNamespaces
- DescribeAlarmMetrics
- DescribeAlarmEvents
- PutMonitorData
- DescribePolicyGroupInfo
- DescribeBindingPolicyObjectList
- DescribePolicyConditionList
- SendCustomAlarmMsg
- ModifyAlarmPolicyInfo
- DescribeConditionsTemplateList
- Legacy Alarm APIs
- Notification Template APIs
- Event Center APIs
- Data Types
- Error Codes
- FAQs
- Tencent Cloud Service Metrics
- CVM
- CBS
- TencentDB
- TencentDB for SQL Server Monitoring Metrics
- TencentDB for MySQL Monitoring Metrics
- TencentDB for Redis Monitoring Metrics
- TencentDB for MongoDB Monitoring Metrics
- TencentDB for PostgreSQL Monitoring Metrics
- TencentDB for CYNOSDB_MYSQL Monitoring Metrics
- TencentDB for TcaplusDB Monitoring Metrics
- TencentDB for MariaDB Monitoring Metrics
- TDSQL for MySQL Monitoring Metrics (Legacy)
- TDSQL for MySQL Monitoring Metrics
- TencentDB for TcaplusDB Monitoring Metrics
- SCF
- CKafka
- VPC
- NAT Gateway Monitoring Metrics
- VPN Gateway Monitoring Metrics
- VPN Tunnel Monitoring Metrics
- Direct Connect Gateway Monitoring Metrics
- CCN Monitoring Metrics
- Peering Connection Monitoring Metrics
- Bandwidth Packet Monitoring Metrics
- EIP Monitoring Metrics
- Anycast EIP Monitoring Metrics
- Network Detection Monitoring Metrics
- CLB
- COS
- CFS
- CPM
- ECM
- EMR
- CDN
- Direct Connect
- TKE
- GAAP
- CMQ
- API Gateway
- Elasticsearch
- WAF
- CLS
- Documentation Guide
- Notice
- Glossary
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Cloud Monitoring Overview
- Monitoring View
- Dashboard
- Event Center
- Alarm Service
- CVM Agents
- Cloud Access Management (CAM)
- CM Connection to Grafana
- Best Practice
- Troubleshooting
- API Documentation
- History
- API Category
- Making API Requests
- Monitoring Data Query APIs
- Alarm APIs
- DescribeAlarmHistories
- CreateAlarmPolicy
- DeleteAlarmPolicy
- DescribeAlarmPolicies
- DescribeAlarmPolicy
- ModifyAlarmPolicyStatus
- SetDefaultAlarmPolicy
- BindingPolicyObject
- UnBindingPolicyObject
- UnBindingAllPolicyObject
- ModifyAlarmPolicyCondition
- ModifyAlarmPolicyNotice
- ModifyAlarmPolicyTasks
- DescribeMonitorTypes
- DescribeAllNamespaces
- DescribeAlarmMetrics
- DescribeAlarmEvents
- PutMonitorData
- DescribePolicyGroupInfo
- DescribeBindingPolicyObjectList
- DescribePolicyConditionList
- SendCustomAlarmMsg
- ModifyAlarmPolicyInfo
- DescribeConditionsTemplateList
- Legacy Alarm APIs
- Notification Template APIs
- Event Center APIs
- Data Types
- Error Codes
- FAQs
- Tencent Cloud Service Metrics
- CVM
- CBS
- TencentDB
- TencentDB for SQL Server Monitoring Metrics
- TencentDB for MySQL Monitoring Metrics
- TencentDB for Redis Monitoring Metrics
- TencentDB for MongoDB Monitoring Metrics
- TencentDB for PostgreSQL Monitoring Metrics
- TencentDB for CYNOSDB_MYSQL Monitoring Metrics
- TencentDB for TcaplusDB Monitoring Metrics
- TencentDB for MariaDB Monitoring Metrics
- TDSQL for MySQL Monitoring Metrics (Legacy)
- TDSQL for MySQL Monitoring Metrics
- TencentDB for TcaplusDB Monitoring Metrics
- SCF
- CKafka
- VPC
- NAT Gateway Monitoring Metrics
- VPN Gateway Monitoring Metrics
- VPN Tunnel Monitoring Metrics
- Direct Connect Gateway Monitoring Metrics
- CCN Monitoring Metrics
- Peering Connection Monitoring Metrics
- Bandwidth Packet Monitoring Metrics
- EIP Monitoring Metrics
- Anycast EIP Monitoring Metrics
- Network Detection Monitoring Metrics
- CLB
- COS
- CFS
- CPM
- ECM
- EMR
- CDN
- Direct Connect
- TKE
- GAAP
- CMQ
- API Gateway
- Elasticsearch
- WAF
- CLS
- Documentation Guide
- Notice
- Glossary
Cloud Monitor (CM) allows a root account to grant a sub-account access permissions via Cloud Access Management (CAM). This document describes how to manage access permissions for a sub-account.
Feature Overview
By default, a root account is the resource owner and has full access to all resources in the account. A sub-account has no access to any resources. The root account must grant a sub-account access permissions for it to access resources. You can use your root account to log in to the CAM console and grant a sub-account access permissions. For more information, see Authorization Management.
CM policies depend on the policies of other Tencent Cloud services. When you grant CM permissions to a sub-account, the corresponding cloud service permissions must also be granted for CM permissions to take effect.
Note:
- Permissions: allow or deny operations to access specific resources under certain conditions.
- Policies: syntax rules used to define and describe one or more permissions.
Common Permission Configuration
Note:
Below takes CVM permission configuration as an example. For more information on how to grant permissions for other Tencent Cloud services, see the following scenarios and CM-related Tencent Cloud service policies.
Enable the corresponding Tencent Cloud service permissions.
Common permissions
Permission list
| Permission Type | Permission Name |
|---|---|
| CM permission | QcloudMonitorFullAccess and QcloudMonitorReadOnlyAccess |
| CVM permission | QcloudCVMReadOnlyAccess or QcloudCVMFullAccess |
Features and permissions
| Feature | Operation Permissions | Access Permissions | ||
|---|---|---|---|---|
| QcloudMonitor FullAccess |
QcloudMonitor ReadOnlyAccess |
QcloudMonitor FullAccess |
QcloudMonitor ReadOnlyAccess |
|
| Monitoring overview | √ | √ | √ | √ |
| Dashboard | √ | √ | √ | √ |
| Instance grouping | √ | √ | √ | √ |
| Alarm history | √ | √ | √ | √ |
| Alarm policies | √ | × | √ | √ |
| Platform event subscription | √ | √ | √ | √ |
| Custom messages | √ | √ | √ | √ |
| Trigger condition templates | √ | √ | √ | √ |
| Product events | √ | √ | √ | √ |
| Platform events | √ | √ | √ | √ |
| Traffic monitoring | √ | √ | √ | √ |
| Tencent Cloud service monitoring | √ | √ | √ | √ |
CM-related Tencent Cloud service policies
Note:
Provided that CM permissions have been properly granted, Tencent Cloud service resources can be accessed after the read-only permission is granted. The following table lists permissions for some Tencent Cloud services. For more information on permissions for other Tencent Cloud services, see CAM-Enabled Products.
| Tencent Cloud Service | Policy | Permission Description | Reference |
|---|---|---|---|
| Cloud Virtual Machine (CVM) | QcloudCVMFullAccess | Full access permissions for CVMs, including monitoring permissions for CVM, CLB and VPC | Access Management |
| QcloudCVMReadOnlyAccess | Read-only permissions for CVM resources | ||
| TencentDB for MySQL | QcloudCDBFullAccess | Full access permissions for TencentDB for MySQL instances, including permissions for MySQL, related security groups, monitoring, user groups, COS, VPC and KMS | Access Management |
| QcloudCDBReadOnlyAccess | Read-only permissions for TencentDB for MySQL resources | ||
| TencentDB for MongoDB | QcloudMongoDBFullAccess | Full access permissions for TencentDB for MongoDB | Access Management |
| QcloudMongoDBReadOnlyAccess | Read-only permissions for TencentDB for MongoDB | ||
| TencentDB for Redis | QcloudRedisFullAccess | Full access permissions for TencentDB for Redis | Access Management |
| QcloudRedisReadOnlyAccess | Read-only permissions for TencentDB for Redis | ||
| Tencent Cloud TcaplusDB | QcloudTcaplusDBFullAccess | Full access permissions for TencentDB for TcaplusDB | Access Management |
| QcloudTcaplusDBReadOnlyAccess | Read-only permissions for TencentDB for TcaplusDB | ||
| Elasticsearch Service | QcloudElasticsearchServiceFullAccess | Full access permissions for Elasticsearch Service | Access Management |
| QcloudElasticsearchServiceReadOnlyAccess | Read-only permissions for Elasticsearch Service | ||
| VPC | QcloudVPCFullAccess | Full access permissions for VPC | Access Management |
| QcloudVPCReadOnlyAccess | Read-only permissions for VPC | ||
| Direct Connect (DC) | QcloudDCFullAccess | Full access permissions for DC | - |
| Cloud Message Queue (CMQ) | QcloudCmqQueueFullAccess | Full access permissions for CMQ, including permissions for queues and Cloud Monitor | - |
| Message Queue CKafka | QcloudCKafkaFullAccess | Full access permissions for Message Queue CKafka | Access Management |
| QcloudCkafkaReadOnlyAccess | Read-only permissions for Message Queue Ckafka | ||
| Cloud Object Storage (COS) | QcloudCOSFullAccess | Full access permissions for COS | Access Management |
| QcloudCOSReadOnlyAccess | Read-only permissions for COS | ||
| Cloud Load Balancer (CLB) | QcloudCLBFullAccess | Full access permissions for CLB | Access Management |
| QcloudCLBReadOnlyAccess | Read-only permissions for CLB | ||
| Cloud File Storage (CFS) | QcloudCFSFullAccesss | Full access permissions for CFS | Access Management |
| QcloudCFSReadOnlyAccess | Read-only permissions for CFS |
Yes
No
Was this page helpful?