Note: This document describes the access management feature of SMS. For more information on access management for other Tencent Cloud services, please see CAM-Enabled Products.
It is convenient to use a default policy in SMS access control to implement authorization, but its granularity of permission control is coarse and cannot be refined to the SMS application and the TencentCloud API levels. If you need fine-grained permissions control, you need to create custom policies.
There are multiple ways to create a custom policy. The table below shows a comparison of various methods. For detailed directions, please see further below.
Creation Entry | Creation Method | Effect | Resource | Action | Flexibility |
---|---|---|---|---|---|
CAM console | Policy generator | Manual selection | Syntax description | Manual selection | Medium |
CAM console | Policy syntax | Syntax description | Syntax description | Syntax description | High |
CAM server API | CreatePolicy | Syntax description | Syntax description | Syntax description | High |
Note:
- SMS does not support creating custom policies by product feature or project.
- Manual selection means that you can select an object from the candidate list displayed in the console.
- Syntax description means that you can describe objects through the authorization policy syntax.
As mentioned above, the resource granularity of permission management in SMS is the application. The application description in the policy syntax follows the CAM resource description method. In the examples below, the developer's root account ID is 12345678, and the developer has created three applications with the App IDs 1400000000, 1400000001, and 1400000002, respectively.
Policy syntax description for all SMS applications
"resource": ["qcs::sms::uin/12345678:app/*"]
Policy syntax description for a single SMS application
"resource": ["qcs::sms::uin/12345678:app/1400000001"]
Policy syntax description for multiple SMS applications
"resource": ["qcs::sms::uin/12345678:app/1400000000", "qcs::sms::uin/12345678:app/1400000001"]
As mentioned above, the action granularity of permission management in SMS is the TencentCloud API. For more information, please see Authorizable Resources and Actions. The TencentCloud APIs DescribeAppList (getting the application list) and DescribeAppInfo (getting application information) are used as examples below.
Policy syntax description for all SMS TencentCloud APIs
"action": [
"name/sms:*"
]
Policy syntax description for a single TencentCloud API
"action": [
"name/sms:DescribeAppList"
]
Policy syntax description for multiple TencentCloud APIs
"action": [
"name/sms:DescribeAppList",
"name/sms:DescribeAppInfo"
]
The two examples below cover both creation methods. In the first, we use the policy generator to create a custom policy that allows all actions except the console API DeleteAppInfo to be performed on the SMS application 1400000001. In the policy generator, enter qcs::sms::uin/12345678:app/1400000001 for Resource according to the resource syntax description, and select DeleteAppInfo (which can be quickly found with the search box) for Action with the effect set to deny. Once the rule is added, the summary "The DeleteAppInfo action is denied on the SMS application 1400000001" will appear at the bottom of the page.
In the second example, we use the policy syntax to create a custom policy that allows all actions to be performed on SMS applications 1400000001 and 1400000002 but denies DeleteAppInfo for application 1400000001.
Note: A policy template is used to create a policy by copying an existing policy (preset or custom) and then making adjustments to the copy. During actual use, you can choose an appropriate policy template based on the actual conditions to reduce the difficulty and workload of writing the policy content.
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "name/sms:*"
      ],
      "resource": [
        "qcs::sms::uin/12345678:app/1400000001",
        "qcs::sms::uin/12345678:app/1400000002"
      ]
    },
    {
      "effect": "deny",
      "action": [
        "name/sms:DeleteAppInfo"
      ],
      "resource": [
        "qcs::sms::uin/12345678:app/1400000001"
      ]
    }
  ]
}
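To see how the allow and deny statements above combine, here is an added example (not Tencent Cloud's code or the CAM evaluation engine) that models the policy offline in Python. It assumes a simplified evaluation model: patterns use "*" wildcards, comparison is strict and case-sensitive, an explicit deny wins over any allow, and a request no statement matches is implicitly denied. It also carries a copy of the policy with the case and whitespace slips the page's original listing contained ("name/SMS:*", "name/SMS: DeleteAppInfo ", "qcs::SMS::uin/...") to show why a small lint over action and resource strings is worth running before a policy is saved; whether CAM itself normalizes such slips is not stated on this page, so writing exact, lowercase identifiers is the safe practice.

```python
"""Offline model of a CAM-style SMS custom policy (added example)."""
import json
from fnmatch import fnmatchcase

UIN = "12345678"  # root account ID used in the page's examples

# The page's policy, with identifiers written exactly as the resource and
# action syntax sections show them (lowercase service, no stray spaces).
POLICY_JSON = """
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["name/sms:*"],
      "resource": [
        "qcs::sms::uin/12345678:app/1400000001",
        "qcs::sms::uin/12345678:app/1400000002"
      ]
    },
    {
      "effect": "deny",
      "action": ["name/sms:DeleteAppInfo"],
      "resource": ["qcs::sms::uin/12345678:app/1400000001"]
    }
  ]
}
"""

# The same policy with the case/whitespace slips from the page's original
# listing, kept here as a constructed negative sample for lint_policy().
PAGE_POLICY_RAW = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["name/SMS:*"],
         "resource": ["qcs::sms::uin/12345678:app/1400000001",
                      "qcs::sms::uin/12345678:app/1400000002"]},
        {"effect": "deny", "action": ["name/SMS: DeleteAppInfo "],
         "resource": ["qcs::SMS::uin/12345678:app/1400000001"]},
    ],
}


def load_policy():
    return json.loads(POLICY_JSON)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy, action, resource):
    """Return 'deny', 'allow' or 'implicit_deny' for one request.

    Simplified model (an assumption, not the CAM specification): '*'
    wildcards, case-sensitive matching, explicit deny overrides allow,
    and no matching statement means the request is implicitly denied.
    """
    decision = "implicit_deny"
    for stmt in policy["statement"]:
        action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt["action"]))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt["resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["effect"] == "deny":
            return "deny"          # a deny ends evaluation immediately
        decision = "allow"         # keep looking in case a later deny matches
    return decision


def lint_policy(policy):
    """List action/resource identifiers that strict matching would not match."""
    problems = []
    for i, stmt in enumerate(policy["statement"]):
        for a in _as_list(stmt["action"]):
            if a != a.strip():
                problems.append(f"statement {i}: action {a!r} has surrounding whitespace")
            if not a.startswith("name/sms:"):
                problems.append(f"statement {i}: action {a!r} should start with 'name/sms:'")
        for r in _as_list(stmt["resource"]):
            if not r.startswith(f"qcs::sms::uin/{UIN}:app/"):
                problems.append(f"statement {i}: resource {r!r} should be "
                                f"'qcs::sms::uin/{UIN}:app/<App ID>'")
    return problems


if __name__ == "__main__":
    policy = load_policy()
    for action, app in [("DeleteAppInfo", "1400000001"), ("DeleteAppInfo", "1400000002"),
                        ("DescribeAppInfo", "1400000001"), ("DescribeAppInfo", "1400000000")]:
        res = f"qcs::sms::uin/{UIN}:app/{app}"
        print(f"{action:16} on app {app}: {evaluate(policy, 'name/sms:' + action, res)}")
    print("lint of page listing:", *lint_policy(PAGE_POLICY_RAW), sep="\n  ")
```

Running the script shows DeleteAppInfo denied on 1400000001 but allowed on 1400000002, DescribeAppInfo allowed on 1400000001, and any action on 1400000000 implicitly denied because no statement names that application. The lint of the original listing reports four problems, and under strict matching that listing would not even grant the intended allow, since "name/SMS:*" does not match "name/sms:DeleteAppInfo".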
Note: The policy content should follow the CAM policy syntax logic, where the syntax of "resource" and "action" is as shown above in the Resource syntax description and the Action syntax description.
6. Click Complete to create the custom policy.
Subsequently, this policy can be granted to other sub-accounts in the same way as granting full access to SMS to existing sub-accounts.