Cloud Monitor (CM) allows a root account to grant a sub-account access permissions via Cloud Access Management (CAM). This document describes how to manage access permissions for a sub-account.
By default, a root account is the resource owner and has full access to all resources in the account. A sub-account has no access to any resources. The root account must grant a sub-account access permissions for it to access resources. You can use your root account to log in to the CAM console and grant a sub-account access permissions. For more information, see Authorization Management.
CM policies depend on the policies of other Tencent Cloud services. When you grant CM permissions to a sub-account, the corresponding cloud service permissions must also be granted for CM permissions to take effect.
Note:
- Permissions: allow or deny operations to access specific resources under certain conditions.
- Policies: syntax rules used to define and describe one or more permissions.
Note:
Below takes CVM permission configuration as an example. For more information on how to grant permissions for other Tencent Cloud services, see the following scenarios and CM-related Tencent Cloud service policies.
Enable the corresponding Tencent Cloud service permissions.
| Permission Type | Permission Name |
|---|---|
| CM permission | QcloudMonitorFullAccess and QcloudMonitorReadOnlyAccess |
| CVM permission | QcloudCVMReadOnlyAccess or QcloudCVMFullAccess |
| Feature | Operation Permissions | Access Permissions | ||
|---|---|---|---|---|
| QcloudMonitor FullAccess |
QcloudMonitor ReadOnlyAccess |
QcloudMonitor FullAccess |
QcloudMonitor ReadOnlyAccess |
|
| Monitoring overview | √ | √ | √ | √ |
| Dashboard | √ | √ | √ | √ |
| Instance grouping | √ | √ | √ | √ |
| Alarm history | √ | √ | √ | √ |
| Alarm policies | √ | × | √ | √ |
| Platform event subscription | √ | √ | √ | √ |
| Custom messages | √ | √ | √ | √ |
| Trigger condition templates | √ | √ | √ | √ |
| Product events | √ | √ | √ | √ |
| Platform events | √ | √ | √ | √ |
| Traffic monitoring | √ | √ | √ | √ |
| Tencent Cloud service monitoring | √ | √ | √ | √ |
Note:
Provided that CM permissions have been properly granted, Tencent Cloud service resources can be accessed after the read-only permission is granted. The following table lists permissions for some Tencent Cloud services. For more information on permissions for other Tencent Cloud services, see CAM-Enabled Products.
| Tencent Cloud Service | Policy | Permission Description | Reference |
|---|---|---|---|
| Cloud Virtual Machine (CVM) | QcloudCVMFullAccess | Full access permissions for CVMs, including monitoring permissions for CVM, CLB and VPC | Access Management |
| QcloudCVMReadOnlyAccess | Read-only permissions for CVM resources | ||
| TencentDB for MySQL | QcloudCDBFullAccess | Full access permissions for TencentDB for MySQL instances, including permissions for MySQL, related security groups, monitoring, user groups, COS, VPC and KMS | Access Management |
| QcloudCDBReadOnlyAccess | Read-only permissions for TencentDB for MySQL resources | ||
| TencentDB for MongoDB | QcloudMongoDBFullAccess | Full access permissions for TencentDB for MongoDB | Access Management |
| QcloudMongoDBReadOnlyAccess | Read-only permissions for TencentDB for MongoDB | ||
| TencentDB for Redis | QcloudRedisFullAccess | Full access permissions for TencentDB for Redis | Access Management |
| QcloudRedisReadOnlyAccess | Read-only permissions for TencentDB for Redis | ||
| Tencent Cloud TcaplusDB | QcloudTcaplusDBFullAccess | Full access permissions for TencentDB for TcaplusDB | Access Management |
| QcloudTcaplusDBReadOnlyAccess | Read-only permissions for TencentDB for TcaplusDB | ||
| Elasticsearch Service | QcloudElasticsearchServiceFullAccess | Full access permissions for Elasticsearch Service | Access Management |
| QcloudElasticsearchServiceReadOnlyAccess | Read-only permissions for Elasticsearch Service | ||
| VPC | QcloudVPCFullAccess | Full access permissions for VPC | Access Management |
| QcloudVPCReadOnlyAccess | Read-only permissions for VPC | ||
| Direct Connect (DC) | QcloudDCFullAccess | Full access permissions for DC | - |
| Cloud Message Queue (CMQ) | QcloudCmqQueueFullAccess | Full access permissions for CMQ, including permissions for queues and Cloud Monitor | - |
| Message Queue CKafka | QcloudCKafkaFullAccess | Full access permissions for Message Queue CKafka | Access Management |
| QcloudCkafkaReadOnlyAccess | Read-only permissions for Message Queue Ckafka | ||
| Cloud Object Storage (COS) | QcloudCOSFullAccess | Full access permissions for COS | Access Management |
| QcloudCOSReadOnlyAccess | Read-only permissions for COS | ||
| Cloud Load Balancer (CLB) | QcloudCLBFullAccess | Full access permissions for CLB | Access Management |
| QcloudCLBReadOnlyAccess | Read-only permissions for CLB | ||
| Cloud File Storage (CFS) | QcloudCFSFullAccesss | Full access permissions for CFS | Access Management |
| QcloudCFSReadOnlyAccess | Read-only permissions for CFS |
Was this page helpful?