Cloud Access Management (CAM)

Last updated: 2020-07-28 15:10:59

    Cloud Monitor (CM) allows a root account to grant a sub-account access permissions via Cloud Access Management (CAM). This document describes how to manage access permissions for a sub-account.

    Feature Overview

    By default, a root account is the resource owner and has full access to all resources in the account. A sub-account has no access to any resources. The root account must grant a sub-account access permissions for it to access resources. You can use your root account to log in to the CAM console and grant a sub-account access permissions. For more information, see Authorization Management.

    CM policies depend on the policies of other Tencent Cloud services. When you grant CM permissions to a sub-account, the corresponding cloud service permissions must also be granted for CM permissions to take effect.

    Note:

    • Permissions: allow or deny operations to access specific resources under certain conditions.
    • Policies: syntax rules used to define and describe one or more permissions.

    Common Permission Configuration

    Note:

    Below takes CVM permission configuration as an example. For more information on how to grant permissions for other Tencent Cloud services, see the following scenarios and CM-related Tencent Cloud service policies.
    Enable the corresponding Tencent Cloud service permissions.

    Common permissions

    Permission list

    Permission Type Permission Name
    CM permission QcloudMonitorFullAccess and QcloudMonitorReadOnlyAccess
    CVM permission QcloudCVMReadOnlyAccess or QcloudCVMFullAccess

    Features and permissions

    Feature Operation Permissions Access Permissions
    QcloudMonitor
    FullAccess
    QcloudMonitor
    ReadOnlyAccess
    QcloudMonitor
    FullAccess
    QcloudMonitor
    ReadOnlyAccess
    Monitoring overview
    Dashboard
    Instance grouping
    Alarm history
    Alarm policies ×
    Platform event subscription
    Custom messages
    Trigger condition templates
    Product events
    Platform events
    Traffic monitoring
    Tencent Cloud service monitoring

    Note:

    Provided that CM permissions have been properly granted, Tencent Cloud service resources can be accessed after the read-only permission is granted. The following table lists permissions for some Tencent Cloud services. For more information on permissions for other Tencent Cloud services, see CAM-Enabled Products.

    Tencent Cloud Service Policy Permission Description Reference
    Cloud Virtual Machine (CVM) QcloudCVMFullAccess Full access permissions for CVMs, including monitoring permissions for CVM, CLB and VPC Access Management
    QcloudCVMReadOnlyAccess Read-only permissions for CVM resources
    TencentDB for MySQL QcloudCDBFullAccess Full access permissions for TencentDB for MySQL instances, including permissions for MySQL, related security groups, monitoring, user groups, COS, VPC and KMS Access Management
    QcloudCDBReadOnlyAccess Read-only permissions for TencentDB for MySQL resources
    TencentDB for MongoDB QcloudMongoDBFullAccess Full access permissions for TencentDB for MongoDB Access Management
    QcloudMongoDBReadOnlyAccess Read-only permissions for TencentDB for MongoDB
    TencentDB for Redis QcloudRedisFullAccess Full access permissions for TencentDB for Redis Access Management
    QcloudRedisReadOnlyAccess Read-only permissions for TencentDB for Redis
    Tencent Cloud TcaplusDB QcloudTcaplusDBFullAccess Full access permissions for TencentDB for TcaplusDB Access Management
    QcloudTcaplusDBReadOnlyAccess Read-only permissions for TencentDB for TcaplusDB
    Elasticsearch Service QcloudElasticsearchServiceFullAccess Full access permissions for Elasticsearch Service Access Management
    QcloudElasticsearchServiceReadOnlyAccess Read-only permissions for Elasticsearch Service
    VPC QcloudVPCFullAccess Full access permissions for VPC Access Management
    QcloudVPCReadOnlyAccess Read-only permissions for VPC
    Direct Connect (DC) QcloudDCFullAccess Full access permissions for DC -
    Cloud Message Queue (CMQ) QcloudCmqQueueFullAccess Full access permissions for CMQ, including permissions for queues and Cloud Monitor -
    Message Queue CKafka QcloudCKafkaFullAccess Full access permissions for Message Queue CKafka Access Management
    QcloudCkafkaReadOnlyAccess Read-only permissions for Message Queue Ckafka
    Cloud Object Storage (COS) QcloudCOSFullAccess Full access permissions for COS Access Management
    QcloudCOSReadOnlyAccess Read-only permissions for COS
    Cloud Load Balancer (CLB) QcloudCLBFullAccess Full access permissions for CLB Access Management
    QcloudCLBReadOnlyAccess Read-only permissions for CLB
    Cloud File Storage (CFS) QcloudCFSFullAccesss Full access permissions for CFS Access Management
    QcloudCFSReadOnlyAccess Read-only permissions for CFS

    Was this page helpful?

    Was this page helpful?

    • Not at all
    • Not very helpful
    • Somewhat helpful
    • Very helpful
    • Extremely helpful
    Send Feedback
    Help