CAM-based Access Control

Last updated: 2021-11-09 09:37:47

    CSS supports permission control via CAM, which lets you decide who may access the CSS domain names, configurations, and data of your account. You can create, manage, or terminate users and user groups and grant them console and API access permissions, which gives you identity management and policy control in one place.

    With CAM, you bind a user or user group to a policy that allows or denies access to specified resources for specified operations. Anything a policy does not explicitly allow is denied by default, so a sub-user starts with no CSS permissions until a policy is attached.

    Concepts

    • Root account: a registered Tencent Cloud account.
    • Sub-user: created and fully owned by a root account.
    • Collaborator: an existing Tencent Cloud root account that has been added as a collaborator of another root account. It then becomes one of that root account's sub-accounts while keeping its own root-account identity.
    • User group: created for users with the same functions and can be bound with a policy for centralized authorization management.

    For more information on the definitions and permissions, see CAM User Types.

    Directions

    Step 1. Create a sub-user or user group

    One or more sub-users with specific roles and policies can be created under one root account. A sub-user has its own unique ID and login credential for the Tencent Cloud console, and can also be granted API access; in both cases it can only perform the operations its policies allow. Log in to the CAM console to create a sub-user.

    For more information, see Creating Sub-user and Creating User Group.

    Step 2. Add a policy to the sub-user or user group

    You can add policies and authorize users or user groups on the user or user group management and policy management pages. For more information, see Authorization Management.

    Go to the user or user group page, select the user/user group to which to add a policy, and use either of the following methods:

    • Click Users > User List on the left sidebar, select the user/user group to which to add a policy, click Authorize on the right, select the corresponding CSS policy, and click Confirm.

    • Click Users > User List or User Groups on the left sidebar, click the name of the user/user group to which to add a policy to enter the details page, click Associate Policy, select the corresponding CSS policy, and click OK.

    Addable policies

    • Preset policy: click Policies on the left sidebar to go to the Policies page, where you can view all existing policies.

    • Custom policy: go to the Policies page, click Create Custom Policy, and select Create by Policy Generator. For more information, see Custom Policy.

      Note:

      Currently, some APIs of CSS support resource-level authorization.

      Operation example: to authorize the DescribeLiveDomains API to a sub-user for a specified domain name only, configure it as follows:

      1. Create a domain-level policy that allows access to the API: go to the Create by Policy Generator page and set the following configuration items:

        Configuration Item | Required | Description
        Effect             | Yes      | Select Allow.
        Service            | Yes      | Select Cloud Streaming Services.
        Action             | Yes      | Select DescribeLiveDomains.
        Resource           | Yes      | Select all resources or the specific resources you want to authorize.
                           |          | • For Tencent Cloud services whose authorization granularity is operation level or service level, six-segment resource descriptions are not supported; select all resources.
                           |          | • For Tencent Cloud services whose authorization granularity is resource level, you can select specific resources. For the resource description format, see the corresponding CAM guide in CAM-Enabled Products; for the authorization granularity of each service, see Authorization Granularity in CAM-Enabled Products.
        Condition          | No       | Set the condition under which the authorization takes effect. For example, enter the source IP range to authorize, so that the specified operations are allowed only when requests come from that range. You can add other conditions to restrict the policy further. For more information, see Condition.

        Note:

        If you want to authorize multiple services, click Add Permissions to configure authorization policies for each of them.

      2. Click Next to generate the policy, then associate it with users/user groups using either of the two methods above.

    Step 3. Use a sub-account

    You can now use the sub-account identity created by the root account (the sub-account's console login for the console, or its API key for API calls) to call the authorized APIs, such as DescribeLiveDomains, and get the corresponding CSS information, such as the domains under the account. Requests for APIs, domains, or source IP ranges the policy does not cover are rejected, so keep the policy scoped to the domains and operations the sub-account actually needs rather than selecting all resources.
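The following is an added example, not code from Tencent Cloud's documentation or SDK. It writes out the policy document that the policy generator settings above (Allow, Cloud Streaming Services, DescribeLiveDomains, specific domains, source IP condition) correspond to, and then checks requests against it with a small evaluator that models CAM's decision rule: an explicit deny overrides any allow, and anything not explicitly allowed is denied. The account UIN, the domain names and the IP range are constructed placeholders; the action prefix live:, the six-segment resource form qcs::live::uin/<uin>:domain/<name> and the ip_equal condition on qcs:ip are assumed from CAM's policy syntax and should be checked against the CSS CAM guide before use.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed placeholder account UIN (not a real account).
EXAMPLE_UIN = "100000000001"


def build_domain_policy(uin: str, domains: List[str], source_cidr: str) -> Dict:
    """Build the CAM policy document matching the policy generator example:
    Effect=Allow, Service=Cloud Streaming Services (assumed prefix 'live'),
    Action=DescribeLiveDomains, specific domain resources, and a source IP
    condition. The resource format is an assumption (see lead-in)."""
    return {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": ["live:DescribeLiveDomains"],
                "resource": [f"qcs::live::uin/{uin}:domain/{d}" for d in domains],
                "condition": {"ip_equal": {"qcs:ip": source_cidr}},
            }
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    """'*' matches everything; 'live:*' matches every action of that service."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _resource_matches(pattern: str, resource: str) -> bool:
    """Six-segment match: each segment must be equal, '*', or a trailing
    wildcard such as 'domain/*'. A bare '*' matches any resource."""
    if pattern == "*":
        return True
    p_parts, r_parts = pattern.split(":", 5), resource.split(":", 5)
    if len(p_parts) != 6 or len(r_parts) != 6:
        return False
    return all(
        p == r or p == "*" or (p.endswith("*") and r.startswith(p[:-1]))
        for p, r in zip(p_parts, r_parts)
    )


def _condition_holds(condition: Dict, source_ip: str) -> bool:
    """Evaluate ip_equal / ip_not_equal on qcs:ip. A statement without a
    condition always holds. Other CAM operators are not modelled here."""
    ip = ipaddress.ip_address(source_ip)
    for op, kv in condition.items():
        want = kv.get("qcs:ip")
        ranges = want if isinstance(want, list) else [want]
        in_range = any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)
        if op == "ip_equal" and not in_range:
            return False
        if op == "ip_not_equal" and in_range:
            return False
    return True


def is_allowed(policy: Dict, action: str, resource: str, source_ip: str) -> bool:
    """CAM decision rule: explicit deny wins, otherwise at least one matching
    allow statement is needed; with no match the request is denied."""
    allowed = False
    for stmt in policy["statement"]:
        actions = stmt["action"] if isinstance(stmt["action"], list) else [stmt["action"]]
        resources = stmt["resource"] if isinstance(stmt["resource"], list) else [stmt["resource"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not any(_resource_matches(r, resource) for r in resources):
            continue
        if not _condition_holds(stmt.get("condition", {}), source_ip):
            continue
        if stmt["effect"] == "deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_domain_policy(EXAMPLE_UIN, ["live.example.com"], "203.0.113.0/24")
    print(json.dumps(policy, indent=2))
    granted = f"qcs::live::uin/{EXAMPLE_UIN}:domain/live.example.com"
    other = f"qcs::live::uin/{EXAMPLE_UIN}:domain/other.example.com"
    print(is_allowed(policy, "live:DescribeLiveDomains", granted, "203.0.113.10"))  # True
    print(is_allowed(policy, "live:DescribeLiveDomains", granted, "198.51.100.7"))  # False: outside the IP range
    print(is_allowed(policy, "live:DescribeLiveDomains", other, "203.0.113.10"))    # False: domain not granted
    print(is_allowed(policy, "live:DeleteLiveDomain", granted, "203.0.113.10"))     # False: action not granted
```

The evaluator is deliberately simplified (only the IP condition operators and prefix wildcards are modelled), but it is enough to see why the three denied cases fail: each of action, resource and condition must match before the allow takes effect, and a later deny statement on live:* would override the allow regardless of order.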