Cloud Monitor (CM) allows a root account to grant a sub-account access permissions via Cloud Access Management (CAM). This document describes how to manage access permissions for a sub-account.
By default, a root account is the resource owner and has full access to all resources in the account. A sub-account has no access to any resources. The root account must grant a sub-account access permissions for it to access resources. You can use your root account to log in to the CAM console and grant a sub-account access permissions. For more information, see Authorization Management.
CM policies depend on the policies of other Tencent Cloud services. When you grant CM permissions to a sub-account, the corresponding cloud service permissions must also be granted for CM permissions to take effect.
Note:
- Permissions: allow or deny operations to access specific resources under certain conditions.
- Policies: syntax rules used to define and describe one or more permissions.
Note:
The following uses CVM permission configuration as an example. For more information on how to grant permissions for other Tencent Cloud services, see the following scenarios and CM-related Tencent Cloud service policies.
Enable the corresponding Tencent Cloud service permissions.
Permission Type | Permission Name |
---|---|
CM permission | QcloudMonitorFullAccess and QcloudMonitorReadOnlyAccess |
CVM permission | QcloudCVMReadOnlyAccess or QcloudCVMFullAccess |
Feature | Operation Permissions: QcloudMonitorFullAccess | Operation Permissions: QcloudMonitorReadOnlyAccess | Access Permissions: QcloudMonitorFullAccess | Access Permissions: QcloudMonitorReadOnlyAccess |
---|---|---|---|---|
Monitoring overview | √ | √ | √ | √ |
Dashboard | √ | √ | √ | √ |
Instance grouping | √ | √ | √ | √ |
Alarm history | √ | √ | √ | √ |
Alarm policies | √ | × | √ | √ |
Platform event subscription | √ | √ | √ | √ |
Custom messages | √ | √ | √ | √ |
Trigger condition templates | √ | √ | √ | √ |
Product events | √ | √ | √ | √ |
Platform events | √ | √ | √ | √ |
Traffic monitoring | √ | √ | √ | √ |
Tencent Cloud service monitoring | √ | √ | √ | √ |
Note:
Provided that CM permissions have been properly granted, Tencent Cloud service resources can be accessed after the read-only permission is granted. The following table lists permissions for some Tencent Cloud services. For more information on permissions for other Tencent Cloud services, see CAM-Enabled Products.
Tencent Cloud Service | Policy | Permission Description | Reference |
---|---|---|---|
Cloud Virtual Machine (CVM) | QcloudCVMFullAccess | Full access permissions for CVMs, including monitoring permissions for CVM, CLB and VPC | Access Management |
Cloud Virtual Machine (CVM) | QcloudCVMReadOnlyAccess | Read-only permissions for CVM resources | Access Management |
TencentDB for MySQL | QcloudCDBFullAccess | Full access permissions for TencentDB for MySQL instances, including permissions for MySQL, related security groups, monitoring, user groups, COS, VPC and KMS | Access Management |
TencentDB for MySQL | QcloudCDBReadOnlyAccess | Read-only permissions for TencentDB for MySQL resources | Access Management |
TencentDB for MongoDB | QcloudMongoDBFullAccess | Full access permissions for TencentDB for MongoDB | Access Management |
TencentDB for MongoDB | QcloudMongoDBReadOnlyAccess | Read-only permissions for TencentDB for MongoDB | Access Management |
TencentDB for Redis | QcloudRedisFullAccess | Full access permissions for TencentDB for Redis | Access Management |
TencentDB for Redis | QcloudRedisReadOnlyAccess | Read-only permissions for TencentDB for Redis | Access Management |
Tencent Cloud TcaplusDB | QcloudTcaplusDBFullAccess | Full access permissions for TencentDB for TcaplusDB | Access Management |
Tencent Cloud TcaplusDB | QcloudTcaplusDBReadOnlyAccess | Read-only permissions for TencentDB for TcaplusDB | Access Management |
Elasticsearch Service | QcloudElasticsearchServiceFullAccess | Full access permissions for Elasticsearch Service | Access Management |
Elasticsearch Service | QcloudElasticsearchServiceReadOnlyAccess | Read-only permissions for Elasticsearch Service | Access Management |
VPC | QcloudVPCFullAccess | Full access permissions for VPC | Access Management |
VPC | QcloudVPCReadOnlyAccess | Read-only permissions for VPC | Access Management |
Direct Connect (DC) | QcloudDCFullAccess | Full access permissions for DC | - |
Cloud Message Queue (CMQ) | QcloudCmqQueueFullAccess | Full access permissions for CMQ, including permissions for queues and Cloud Monitor | - |
Message Queue CKafka | QcloudCKafkaFullAccess | Full access permissions for Message Queue CKafka | Access Management |
Message Queue CKafka | QcloudCkafkaReadOnlyAccess | Read-only permissions for Message Queue CKafka | Access Management |
Cloud Object Storage (COS) | QcloudCOSFullAccess | Full access permissions for COS | Access Management |
Cloud Object Storage (COS) | QcloudCOSReadOnlyAccess | Read-only permissions for COS | Access Management |
Cloud Load Balancer (CLB) | QcloudCLBFullAccess | Full access permissions for CLB | Access Management |
Cloud Load Balancer (CLB) | QcloudCLBReadOnlyAccess | Read-only permissions for CLB | Access Management |
Cloud File Storage (CFS) | QcloudCFSFullAccess | Full access permissions for CFS | Access Management |
Cloud File Storage (CFS) | QcloudCFSReadOnlyAccess | Read-only permissions for CFS | Access Management |
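The dependency described above (a CM policy only takes effect when the matching cloud service policy is also granted) can be checked offline against an export of each sub-account's attached policies. The following is an added example, not Tencent Cloud code: the policy names come from the tables on this page, while the `audit` and `audit_all` functions, the sub-account names and the inventory are constructed for illustration, and each service is matched only against its own two preset policies.

```python
# Added example: offline audit of sub-account policy attachments.
# Policy names are taken from this page; everything else is hypothetical.
CM_POLICIES = {"QcloudMonitorFullAccess": "full",
               "QcloudMonitorReadOnlyAccess": "read-only"}

# Service -> its own preset policies (subset of the table on this page).
SERVICE_POLICIES = {
    "CVM": {"QcloudCVMFullAccess", "QcloudCVMReadOnlyAccess"},
    "TencentDB for MySQL": {"QcloudCDBFullAccess", "QcloudCDBReadOnlyAccess"},
    "VPC": {"QcloudVPCFullAccess", "QcloudVPCReadOnlyAccess"},
    "CLB": {"QcloudCLBFullAccess", "QcloudCLBReadOnlyAccess"},
}


def audit(attached, needed_services):
    """Check one sub-account.

    attached: set of preset policy names attached to the sub-account.
    needed_services: services it is expected to monitor (assumed input).
    """
    levels = {CM_POLICIES[p] for p in attached if p in CM_POLICIES}
    cm_level = "full" if "full" in levels else ("read-only" if levels else None)
    covered = [s for s in needed_services if attached & SERVICE_POLICIES[s]]
    missing = [s for s in needed_services if not attached & SERVICE_POLICIES[s]]
    return {
        "cm_level": cm_level,
        # CM access is effective only where the service policy is also granted.
        "effective": covered if cm_level else [],
        "missing_service_policy": missing if cm_level else [],
        "service_policy_without_cm": [] if cm_level else covered,
        # Feature table: alarm policies cannot be operated with ReadOnlyAccess.
        "can_operate_alarm_policies": cm_level == "full",
    }


# Constructed inventory: name -> (attached policies, services to monitor).
INVENTORY = {
    "ops-readonly": ({"QcloudMonitorReadOnlyAccess", "QcloudCVMReadOnlyAccess"},
                     ["CVM", "CLB"]),
    "dba": ({"QcloudCDBFullAccess"}, ["TencentDB for MySQL"]),
    "sre": ({"QcloudMonitorFullAccess", "QcloudCVMFullAccess",
             "QcloudCLBReadOnlyAccess"}, ["CVM", "CLB"]),
}


def audit_all(inventory=INVENTORY):
    return {name: audit(p, s) for name, (p, s) in inventory.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```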