Note:
- To query sub-accounts created under the main account, log in to the CAM Console and view them under User List.
- To create a new sub-account, please refer to the Create New Sub-User document.
The following lists several authorization cases, which you can configure according to your actual needs.
The configuration is as follows:
Configuration Item | Description |
---|---|
Effect | Allow |
User type | Sub-account |
Account ID | UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011 |
Resource | Specified resource |
Resource path | Specified directory prefix, such as folder/sub-folder/* |
Operation name | All operations |
The configuration is as follows:
Configuration Item | Description |
---|---|
Effect | Allow |
User type | Sub-account |
Account ID | UIN of the sub-account, which must be a sub-account under the current root account, such as 100000000011 |
Resource | Specified resource |
Resource path | Specified directory prefix, such as folder/sub-folder/* |
Operation name | Read operations (including listing the object list) |
The configuration is as follows:
Configuration Item | Description |
---|---|
Effect | Allow |
User type | Sub-account |
Account ID | UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011 |
Resource | Specified resource |
Resource path | Specified object key, such as folder/sub-folder/example.jpg |
Operation name | All operations |
For this case, we need to add two policies: an Allow policy and a Deny policy.
Allow policy:
Configuration Item | Description |
---|---|
Effect | Allow |
User type | Sub-account |
Account ID | UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011 |
Resource | Specified resource |
Resource path | Specified directory prefix, such as folder/sub-folder/* |
Operation name | All operations |
Deny policy:
Configuration Item | Description |
---|---|
Effect | Deny |
User type | Sub-account |
Account ID | UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011 |
Resource | Specified resource |
Resource path | Object keys to be denied, such as folder/sub-folder/privateobject |
Operation name | All operations |
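
The Allow and Deny pair above can be checked against sample object keys before it is applied. The following is an added example, not part of the original document and not COS code: a simplified evaluation model that assumes an explicit Deny overrides any Allow, that a request matching no statement is denied, and that `*` in a resource path matches any run of characters. The statement layout, function names and sample keys are constructed for illustration.

```python
import re

# Constructed statements mirroring the Allow and Deny tables above.
# The dict layout is this example's own, not the COS policy JSON format.
SUB_ACCOUNT = "100000000011"
POLICY = [
    {"effect": "Allow", "uin": SUB_ACCOUNT, "path": "folder/sub-folder/*"},
    {"effect": "Deny", "uin": SUB_ACCOUNT, "path": "folder/sub-folder/privateobject"},
]


def path_matches(pattern: str, key: str) -> bool:
    """Match an object key against a resource path; '*' matches any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, key, flags=re.DOTALL) is not None


def evaluate(policy, uin: str, key: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    matched = [s["effect"] for s in policy
               if s["uin"] == uin and path_matches(s["path"], key)]
    if "Deny" in matched:       # assumption: an explicit Deny always wins
        return "Deny"
    if "Allow" in matched:
        return "Allow"
    return "ImplicitDeny"       # assumption: no matching statement, no access


def audit(policy, uin: str, keys):
    """Map each key to its decision, to review a policy before applying it."""
    return {key: evaluate(policy, uin, key) for key in keys}


if __name__ == "__main__":
    sample_keys = [                              # constructed object keys
        "folder/sub-folder/example.jpg",         # covered by the Allow prefix
        "folder/sub-folder/privateobject",       # covered by the Deny key
        "folder/sub-folder/privateobject.bak",   # Deny is an exact key, not a prefix
        "folder/other/example.jpg",              # outside the Allow prefix
    ]
    for key, decision in audit(POLICY, SUB_ACCOUNT, sample_keys).items():
        print(f"{decision:13} {key}")
```

Under this model the Deny statement covers only the exact key `folder/sub-folder/privateobject`; a sibling such as `folder/sub-folder/privateobject.bak` still falls under the Allow prefix, so list every key that must stay private.
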
Configuration Item | Description |
---|---|
Effect | Allow |
User type | Sub-account |
Account ID | UIN of the sub-account; the sub-account in question must be a sub-account under the current root account, such as 100000000011 |
Resource | Specified resource |
Resource path | Specified prefix, such as folder/sub-folder/prefix |
Operation name | All operations |
To grant permissions at the account level, refer to the following documents: