- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- API Documentation
- SDK Documentation
- General References
- FAQs
- Service Level Agreement (New Version)
- Glossary
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- API Documentation
- SDK Documentation
- General References
- FAQs
- Service Level Agreement (New Version)
- Glossary
Basic CAM Concepts
The root account authorizes sub-accounts by binding policies. The policy setting can be specific to the level of API, Resource, User/User Group, Allow/Deny, and Condition.
Accounts
- Root account: A root accounts owns all the resources in Tencent Cloud and can access any of these resources.
- Sub-account: This includes sub-users and collaborators.
- Sub-user: Sub-users created and fully owned by the root account.
- Collaborator: When a root account is added as the collaborator of the current root account, it becomes one of the sub-accounts of the current root account. The account can be switched from collaborator back to root account.
- Identity credential: Includes login credentials and access certificates. Login credential refers to a user’s login name and password. Access certificate refers to Cloud API keys (SecretID and SecretKey).
Resources and Permissions
- Resource: An object that Tencent Cloud services operate on, such as a CVM instance, a COS bucket, or a VPC instance.
- Permission: An authorization to allow or forbid users to perform certain operations. By default, a root account has full access to all resources under the account, while a sub-account does not have access to any resources under its root account.
- Policy: Syntax rule to define and describe one or more permissions. A root account performs authorization by associating policies with users/user groups.
Click here to view more CAM documents >>
Related Documents
| Document Description | Link |
|---|---|
| Relationship between policy and user | Policy Management |
| Basic policy structure | Policy Syntax |
| More CAM-compatible products | List of Tencent Cloud CAM-compatible Products |
CAM Policy Examples
Full Read/Write Permission Policy for CKafka
Granting a sub-user full permission to manage CKafka services (creating, managing, etc.).
{
"version": "2.0",
"statement": [
{
"action": [
"name/ckafka:*",
"name/monitor:GetMonitorData"
],
"resource": "*",
"effect": "allow"
}
]
}You can also configure the system’s full read/write policy to support this permission.
- Log in to the CAM Console.
- On the left sidebar, click Policy.
- In the policy list, click Create Custom Policy.
- Select Create by Policy Syntax in the pop-up window.
- In the Template Type field, search for "CKafka", select QcloudCKafkaFullAccess (for full read/write permission in CKafka), and click Next.
- Click Create a Policy.
Read-only Policy for a CKafka Instance
Create a policy with the Policy Generator and grant permission for lists and product monitoring.
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "name/ckafka:ListInstance", "name/monitor:GetMonitorData" ], "resource": [ "*" ] } ] }Grant read-only permission for a single instance.
Note:
List* API does not support authentication at the resource level.
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "name/monitor:GetMonitorData", "name/ckafka:Get*" ], "resource": [ "qcs::ckafka:gz::ckafkaId/uin/$createUin/$instanceId" ] } ] }
You can also configure the system’s read-only policy to support this permission.
- Log in to the CAM Console.
- On the left sidebar, click Policy.
- In the policy list, click Create Custom Policy.
- Select Create by Policy Syntax in the pop-up window.
- In the Template Type field, search for "CKafka", select QcloudCkafkaReadOnlyAccess (for read-only permission in CKafka), and click Next.
- Click Create a Policy.
Yes
No
Was this page helpful?