Custom Policies

Last updated: 2020-10-29 14:56:21

    Note:

    This document describes the access management feature of SMS. For more information on access management for other Tencent Cloud services, please see CAM-Enabled Products.

    It is convenient to use a preset policy in SMS access control to implement authorization, but its granularity of permission control is coarse and cannot be refined to the SMS application and the TencentCloud API levels. If you need fine-grained permissions control, you need to create custom policies.

    Custom Policy Creation Methods

    There are multiple ways to create a custom policy. The table below shows a comparison of various methods. For detailed directions, please see further below.

    Creation Entry   Creation Method    Effect              Resource            Action              Flexibility
    CAM console      Policy generator   Manual selection    Syntax description  Manual selection    Medium
    CAM console      Policy syntax      Syntax description  Syntax description  Syntax description  High
    CAM server API   CreatePolicy       Syntax description  Syntax description  Syntax description  High

    Note:

    • SMS does not support creating custom policies by product feature or project.
    • Manual selection means that you can select an object from the candidate list displayed in the console.
    • Syntax description means that you can describe objects through the authorization policy syntax.

    Authorization Policy Syntax

    Resource syntax description

    As mentioned above, the resource granularity of permission management in SMS is the application. The application description in the policy syntax follows the CAM resource description method. In the example below, the developer's root account ID is 12345678, and the developer has created three applications whose application IDs are 1400000000, 1400000001, and 1400000002, respectively.

    • Policy syntax description for all SMS applications
      "resource": ["qcs::sms::uin/12345678:app/*"]
    • Policy syntax description for a single SMS application
      "resource": ["qcs::sms::uin/12345678:app/1400000001"]
    • Policy syntax description for multiple SMS applications
      "resource": ["qcs::sms::uin/12345678:app/1400000000", "qcs::sms::uin/12345678:app/1400000001"]

    Action syntax description

    As mentioned above, the action granularity of permission management in SMS is the TencentCloud API. For more information, please see Authorizable Resources and Actions. TencentCloud APIs such as DescribeAppList (getting application list) and DescribeAppInfo (getting application information) are used as examples below.

    • Policy syntax description for all SMS TencentCloud APIs
      "action": [
      "name/sms:*"
      ]
    • Policy syntax description for a single TencentCloud API
      "action": [
      "name/sms:DescribeAppList"
      ]
    • Policy syntax description for multiple TencentCloud APIs
      "action": [
      "name/sms:DescribeAppList",
      "name/sms:DescribeAppInfo"
      ]

    Custom Policy Use Cases

    Using the policy generator

    In the example below, we will create a custom policy, which allows all actions except the console API DeleteAppInfo to be performed on the SMS application 1400000001.

    1. Access the Policy page in the CAM console using a Tencent Cloud root account and click Create Custom Policy.
    2. Select Create by Policy Generator to access the policy creation page.
    3. Select the service and action.
      ● Select Allow for Effect.
      ● Select Short Message Service for Service.
      ● Check all items for Action.
      ● Enter qcs::sms::uin/12345678:app/1400000001 for Resource according to the resource syntax description.
      ● The Condition configuration item does not need to be configured.
      ● Click Add Statement and a statement saying that "Any action is allowed on the SMS application 1400000001" will appear at the bottom of the page.
    4. Continue adding another statement on the same page.
      ● Select Deny for Effect.
      ● Select Short Message Service for Service.
      ● Check DeleteAppInfo (which can be quickly found using the search box) for Action.
      ● Enter qcs::sms::uin/12345678:app/1400000001 for Resource according to the resource syntax description.
      ● The Condition configuration item does not need to be configured.
      ● Click Add Statement and a statement saying that "The DeleteAppInfo action is denied on the SMS application 1400000001" will appear at the bottom of the page.
    5. Click Next and rename the policy as needed (or leave it unchanged).
    6. Click Done to create the custom policy.
      Subsequently, this policy can be granted to other sub-accounts in the same way as granting full access to SMS to an existing sub-account.

    Using the policy syntax

    In the example below, we will create a custom policy, which allows all actions to be performed on SMS applications 1400000001 and 1400000002 but denies DeleteAppInfo for application 1400000001.

    1. Access the Policy page in the CAM console using a Tencent Cloud root account and click Create Custom Policy.
    2. Select Create by Policy Syntax to access the policy creation page.
    3. In the Select a template type box, select Blank Template.

      Note:

      A policy template is used to create a policy by copying an existing policy (preset or custom) and then adjusting the copy. In practice, choosing a suitable policy template reduces the effort of writing the policy content from scratch.

    4. Click Next and rename the policy as needed (or leave it unchanged).
    5. Enter the following policy content in the Policy Content box:
      {
          "version": "2.0",
          "statement": [
              {
                  "effect": "allow",
                  "action": [
                      "name/sms:*"
                  ],
                  "resource": [
                      "qcs::sms::uin/12345678:app/1400000001",
                      "qcs::sms::uin/12345678:app/1400000002"
                  ]
              },
              {
                  "effect": "deny",
                  "action": [
                      "name/sms:DeleteAppInfo"
                  ],
                  "resource": [
                      "qcs::sms::uin/12345678:app/1400000001"
                  ]
              }
          ]
      }

      Note:

      The policy content should follow the CAM policy syntax logic, where the syntax of "resource" and "action" is as shown above in the Resource syntax description and the Action syntax description.

    6. Click Create Policy to create the custom policy.
      Subsequently, this policy can be granted to other sub-accounts in the same way as granting full access to SMS to existing sub-accounts.
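To make the resource and action syntax above concrete, here is an added example (not code from Tencent Cloud or the CAM service) that evaluates requests against the allow/deny policy from the previous step. It assumes simplified CAM semantics: "*" is the only wildcard, service names compare case-insensitively, an explicit deny overrides any allow, and a request matched by no statement is implicitly denied.

```python
import fnmatch
import json

# Constructed policy document mirroring the example policy on this page.
POLICY_JSON = """
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["name/sms:*"],
      "resource": ["qcs::sms::uin/12345678:app/1400000001",
                   "qcs::sms::uin/12345678:app/1400000002"]
    },
    {
      "effect": "deny",
      "action": ["name/sms:DeleteAppInfo"],
      "resource": ["qcs::sms::uin/12345678:app/1400000001"]
    }
  ]
}
"""


def _matches(patterns, value):
    # Patterns look like "name/sms:*" or "qcs::sms::uin/<uin>:app/*".
    # Assumption: '*' is the only wildcard and comparison is case-insensitive.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'allow', 'deny' or 'implicit_deny' for one (action, resource).

    Assumed semantics: a matching deny statement always wins over allow;
    a request matched by no statement is implicitly denied.
    """
    decision = "implicit_deny"
    for stmt in policy["statement"]:
        if _matches(stmt["action"], action) and _matches(stmt["resource"], resource):
            if stmt["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision


POLICY = json.loads(POLICY_JSON)
APP1 = "qcs::sms::uin/12345678:app/1400000001"
APP2 = "qcs::sms::uin/12345678:app/1400000002"
APP3 = "qcs::sms::uin/12345678:app/1400000003"  # constructed: not in the policy
```

Calling evaluate(POLICY, "name/sms:DeleteAppInfo", APP1) yields "deny" while the same action on APP2 yields "allow", and any SMS action on APP3 is implicitly denied because no statement covers it.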
