- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Live Video Broadcasting (LVB)
- Live Event Broadcasting (LEB)
- Console Guide
- Feature Guide
- SDK
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Delayed Playback Management APIs
- Live Stream Management APIs
- Recording Management APIs
- Watermark Management APIs
- Authentication Management APIs
- Screencapture and Porn Detection APIs
- LVB Callback APIs
- LVB Transcoding APIs
- Certificate Management APIs
- Domain Name Management APIs
- Live Stream Mix APIs
- Billing Data Query APIs
- Monitoring Data Query APIs
- DescribeStreamPlayInfoList
- DescribeLiveTranscodeDetailInfo
- DescribeStreamDayPlayInfoList
- DescribeProvinceIspPlayInfoList
- DescribeProIspPlaySumInfoList
- DescribeLiveStreamPushInfoList
- DescribeVisitTopSumInfoList
- DescribeTopClientIpSumInfoList
- DescribeStreamPushInfoList
- DescribePlayErrorCodeSumInfoList
- DescribePlayErrorCodeDetailInfoList
- DescribeLiveDomainPlayInfoList
- DescribeHttpStatusInfoList
- DescribeGroupProIspPlayInfoList
- DescribeAllStreamPlayInfoList
- DescribeVisitTopSumInfoList
- Data Types
- Error Codes
- Ops Guide
- About Pushing
- Playing Method
- Live Streaming Quiz
- FAQs
- SLA
- Glossary
- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Live Video Broadcasting (LVB)
- Live Event Broadcasting (LEB)
- Console Guide
- Feature Guide
- SDK
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Delayed Playback Management APIs
- Live Stream Management APIs
- Recording Management APIs
- Watermark Management APIs
- Authentication Management APIs
- Screencapture and Porn Detection APIs
- LVB Callback APIs
- LVB Transcoding APIs
- Certificate Management APIs
- Domain Name Management APIs
- Live Stream Mix APIs
- Billing Data Query APIs
- Monitoring Data Query APIs
- DescribeStreamPlayInfoList
- DescribeLiveTranscodeDetailInfo
- DescribeStreamDayPlayInfoList
- DescribeProvinceIspPlayInfoList
- DescribeProIspPlaySumInfoList
- DescribeLiveStreamPushInfoList
- DescribeVisitTopSumInfoList
- DescribeTopClientIpSumInfoList
- DescribeStreamPushInfoList
- DescribePlayErrorCodeSumInfoList
- DescribePlayErrorCodeDetailInfoList
- DescribeLiveDomainPlayInfoList
- DescribeHttpStatusInfoList
- DescribeGroupProIspPlayInfoList
- DescribeAllStreamPlayInfoList
- DescribeVisitTopSumInfoList
- Data Types
- Error Codes
- Ops Guide
- About Pushing
- Playing Method
- Live Streaming Quiz
- FAQs
- SLA
- Glossary
CSS supports permission control via CAM, where you can manage the CSS domain names, configurations, and data of your account. You can create, manage, or terminate users or user groups and grant API access permissions to them for the purpose of identity management and policy control.
You can use CAM to bind a user or user group to a policy which allows or denies them access to specified resources to complete specified tasks.
Concepts
- Root account: a registered Tencent Cloud account.
- Sub-user: created and fully owned by a root account.
- Collaborator: after an account is added as a collaborator of a root account, it becomes one of the sub-accounts of the root account and has the identity of the root account.
- User group: created for users with the same functions and can be bound with a policy for centralized authorization management.
For more information on the definitions and permissions, see CAM User Types.
Directions
Step 1. Create a sub-user or user group
One or more sub-users with specific roles and policies can be created under one root account. A sub-user has a unique ID and identity credential that can be used to log in to the Tencent Cloud console for configuration. It also has API access permissions. You can log in to the CAM console to create a sub-user, as shown below:
For more information, see Creating Sub-user and Creating User Group.
Step 2. Add a policy to the sub-user or user group
You can add policies and authorize users or user groups on the user or user group management and policy management pages. For more information, see Authorization Management.
Enter the user/user group page and select the user/user group to which to add a policy.
Click Users > User List on the left sidebar, select the user/user group to which to add a policy, click Authorize on the right, select the corresponding CSS policy, and click Confirm.
Click Users > User List or User Groups on the left sidebar, click the name of the user/user group to which to add a policy to enter the details page, click Associate Policy, select the corresponding CSS policy, and click OK.
Addable policies
Preset policy: click Policies on the left sidebar to go to the Policies page, where you can view all existing policies.
- CSS preset policies include QcloudLIVEFullAccess (read and write policy) and QcloudLIVEReadOnlyAccess (read-only policy).
- To use tags, authorization of QcloudTAGFullAccess (full read and write access by tag) is required.
- To use real-time logs, authorization of QcloudCamFullAccess (full read/write access to CAM) is required.
Custom policy: go to the Policies page, click Create Custom Policy, and select Create by Policy Generator. For more information, see Custom Policy.
Note:Currently, some APIs of CSS support resource-level authorization.
Operation example: if you need to authorize the DescribeLiveDomains API to a sub-user for a specified domain name, follow the steps below to configure:
- Create a domain-level policy that allows access to the API, go to the Create by Policy Generator page, and set the configuration items:
Configuration Item Required Description Effect Yes Select Allow Service Yes Select Cloud Streaming Services Action Yes Select DescribeLiveDomains Resource Yes Select all resources or specific resources that you want to authorize. - Tencent Cloud services where the authorization granularity is operation level or service level don't support six-segment resource descriptions; for them, simply select all resources.
- For Tencent Cloud services where the authorization granularity is resource level, you can select specific resources. For the resource description method, see the corresponding CAM guide in CAM-Enabled Products. For the specific authorization granularity of Tencent Cloud services, see Authorization Granularity in CAM-Enabled Products.
Condition No Set the effective condition of the above authorization and enter the source IP to be authorized, so as to allow access to specified operations only when requests come from the specified IP range. You can also add other conditions to further restrict the policy. For more information, see Condition. 
- Create a domain-level policy that allows access to the API, go to the Create by Policy Generator page, and set the configuration items:
Note:If you want to authorize multiple services, you can click Add Permissions to configure authorization policies for these services.
- Click Next to generate the policy. Then, associate it with users/user groups using either of the two methods above.
Step 3. Use a sub-account
You can use a sub-account identity (sub-account ID and password created by the root account) to call the authorized APIs (such as DescribeLiveDomains) to get the CSS information (such as all domains under the account).
Yes
No
Was this page helpful?