tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Short Message Service
    Documentation
    Download PDF

    Custom Policies

    Last updated: 2024-01-18 16:24:26
    Download PDF
      Note:
      This document describes the access management feature of SMS. For more information on access management for other Tencent Cloud services, please see CAM-Enabled Products.
      It is convenient to use a default policy in SMS access control to implement authorization, but its granularity of permission control is coarse and cannot be refined to the SMS application and the TencentCloud API levels. If you need fine-grained permissions control, you need to create custom policies.

      Custom Policy Creation Methods

      There are multiple ways to create a custom policy. The table below shows a comparison of various methods. For detailed directions, please see further below.
      Creation Entry
      Creation Method
      Effect
      Resource
      Action
      Flexibility
      Policy generator
      Manual selection
      Syntax description
      Manual selection
      Medium
      Policy syntax
      Syntax description
      Syntax description
      Syntax description
      High
      CAM server API
      Syntax description
      Syntax description
      Syntax description
      High
      Note:
      SMS does not support creating custom policies by product feature or project.
      Manual selection means that you can select an object from the candidate list displayed in the console.
      Syntax description means that you can describe objects through the authorization policy syntax.

      Authorization Policy Syntax

      Resource syntax description

      As mentioned above, the resource granularity of permission management in SMS is the application. The application description in the policy syntax follows the CAM resource description method. In the example below, the developer's root account ID is 12345678, and the developer has created three applications with an App of 1400000000, 1400000001, and 1400000002, respectively.
      Policy syntax description for all SMS applications
      "resource": ["qcs::sms::uin/12345678:app/*"]
      Policy syntax description for a single SMS application
      "resource": [ "qcs::sms::uin/12345678:app/1400000001"]
      Policy syntax description for multiple SMS applications
      "resource": [ "qcs::sms::uin/12345678:app/1400000000","qcs::sms::uin/12345678:app/1400000001"]

      Action syntax description

      As mentioned above, the action granularity of permission management in SMS is the TencentCloud API. For more information, please see Authorizable Resources and Actions. TencentCloud APIs such as DescribeAppList (getting application list) and DescribeAppInfo (getting application information) are used as examples below.
      Policy syntax description for all SMS TencentCloud APIs
      "action": [
      "name/sms:*"
      ]
      Policy syntax description for a single TencentCloud API
      "action": [
      "name/sms:DescribeAppList"
      ]
      Policy syntax description for multiple TencentCloud APIs
      "action": [
      "name/sms:DescribeAppList",
      "name/sms:DescribeAppInfo"
      ]

      Custom Policy Use Cases

      Using the policy generator

      In the example below, we will create a custom policy, which allows all actions except the console API DeleteAppInfo to be performed on the SMS application 1400000001.
      1. Access the Policy page in the CAM console using a Tencent Cloud root account and click Create Custom Policy.
      2. Select Create by Policy Generator to access the policy creation page.
      3. Select the service and action.
      Select Allow for Effect.
      Select Short Message Service (sms) for Service.
      Check all items for Action.
      Enter qcs::sms::uin/12345678:app/1400000001 for Resource according to the resource syntax description.
      The Condition configuration item does not need to be configured.
      Click Add Statement and a statement saying that "Any action is allowed on the SMS application 1400000001" will appear at the bottom of the page.
      4. Continue adding another statement on the same page.
      Select Deny for Effect.
      Select Short Message Service (sms) for Service.
      Check DeleteAppInfo (which can be quickly found using the search engine) for Action.
      Enter qcs::sms::uin/12345678:app/1400000001 for Resource according to the resource syntax description.
      The Condition configuration item does not need to be configured.
      Click Add Statement and a statement saying that "The DeleteAppInfo action is denied on the SMS application 1400000001" will appear at the bottom of the page.
      5. Click Next and rename the policy as needed (or leave it unchanged).
      6. Click Done to create the custom policy. Subsequently, this policy can be granted to other sub-accounts in the same way as granting full access to SMS to an existing sub-account.

      Using the policy syntax

      In the example below, we will create a custom policy, which allows all actions to be performed on SMS applications 1400000001 and 1400000002 but denies DeleteAppInfo for application 1400000001.
      1. Access the Policy page in the CAM console using a Tencent Cloud root account and click Create Custom Policy.
      2. Select Create by Policy Syntax to access the policy creation page.
      3. In the Select a template type box, select Blank Template.
      Note:
      A policy template is used to create a policy by copying an existing policy (preset or custom) and then making adjustments to the copy. During actual use, you can choose an appropriate policy template based on the actual conditions to reduce the difficulty and workload of writing the policy content.
      4. Click Next and rename the policy as needed (or leave it unchanged).
      5. Enter the following policy content in the Policy Content box:
      {
       "version": "2.0",
       "statement": [
        {
             "effect": "allow",
             "action": [
                 "name/SMS:*"
             ],
             "resource": [
                 "qcs::sms::uin/12345678:app/1400000001",
                 "qcs::sms::uin/12345678:app/1400000002"
             ]
         },
         {
             "effect": "deny",
             "action": [
                 "name/SMS: DeleteAppInfo "
             ],
             "resource": [
                 "qcs::SMS::uin/12345678:app/1400000001"
             ]
         }
        ]
      }
      Note:
      The policy content should follow the CAM policy syntax logic, where the syntax of "resource" and "action" is as shown above in the Resource syntax description and the Action syntax description.
      6. Click Complete to create the custom policy.
      Subsequently, this policy can be granted to other sub-accounts in the same way as granting full access to SMS to existing sub-accounts.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy