Policy

Last updated: 2019-05-10 09:59:33


A policy is a syntax rule that defines and describes one or more permissions. CAM supports two types of policies: preset policies and custom policies.

1. Preset policy

A preset policy is a collection of common permissions created and managed by Tencent Cloud, such as SuperAdmin and resource management permissions. Preset policies do not provide granular control and cannot be edited.

In the interface of preset policy, we can search by service type or keyword. Here, we choose "All" in the service type and enter "ad" as the keyword for the search.

2. Custom policy

A custom policy is created by users and allows you to assign permissions with finer granularity. For example, you can associate a policy with a DBA to authorize him/her to manage only CDB instances, and not CVM instances.

Custom policies are created by using three methods: policy generator, business permission, and syntax.

With the policy generator, the policy syntax is generated automatically after you select the service and operation from the policy guide and define resources. Because they are convenient and flexible to use, these policies are preferred. Policies created using business permission are configured by users, with permission granularity controlled during business connection; they suit users whose permission assignment needs are less complex. Policies created using syntax are configured by users, who control the permission granularity flexibly; they suit users with high requirements for fine-grained permission assignment.

3. Create a custom policy

3.1 Create a policy using policy generator

Step 1: Go to the policy management console, click "Create Custom Policy", and select "Policy by policy generator".

Step 2: Select the desired service and operation from the list, click "Add Statement", and then click Next. If an operation of a service needs to be associated with an object, "Resource Description" is required. As shown below, the operation is required to be associated with an object. You can click "Note" on the left for the detailed definition and an example of "Resource Description".

If the operation of a certain service does not need to be associated with an object, "Resource Description" is not required. As shown below, the operation is not required to be associated with an object. You will find that the field of "Resource Description" is unavailable.

We can add multiple statements to one policy. Here, we select AboutVaultLock of Archive Storage and SmsQcloudcom of SMS.

Step 3: Click Create Policy. The policy name is generated automatically: it is prefixed with "policygen", and the numbers are determined by the creation time. The automatically generated policy content corresponds to the service and operation selected in the previous step, and we can make a few adjustments to it. For any questions, click "Policy Syntax Description" and "List of Supported Businesses" at the bottom left.

3.2 Create a policy using business permission

Step 1: Go to the policy management console, click "Create Custom Policy", and select "Create by Service Permission".

Step 2: Add a business to the policy and name it, and then click "Next".

Step 3: "Enable" permissions of some of the features, and click "Next".

Step 4: If an action scope should be specified for a feature, add the relevant resources and click "Save".

Step 5: The created policy can be found in "Policy List".

3.3 Create a policy using policy syntax

Step 1: Go to the policy management console, click "Create Custom Policy", and select "Create by Policy Syntax".

Step 2: You can choose a template type in this step. After selecting the type, you can perform a keyword search, select one of the templates found, and then click "Next". Here, we choose "All" in the service type, enter "a" as the search keyword, and then select the template AdministratorAccess.

Step 3: The policy content of the corresponding template is displayed here. We can make some modifications to the content and then click "Create Policy". The policy name is generated automatically: it is prefixed with "policygen", and the numbers are determined by the creation time. For any questions, click "Policy Syntax Description" and "List of Supported Businesses" at the bottom left.
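
When a template such as AdministratorAccess is adapted into a narrower custom policy (the DBA case in section 2), the edited content can be checked before "Create Policy" is clicked. The following is an added example, not code from Tencent Cloud or from this page: it assumes the policy content is JSON with a `statement` list of `effect`/`action`/`resource` entries and service-prefixed actions such as `cdb:*`; the sample policies are constructed, and `lint_policy`, `service_of` and `allowed_services` are hypothetical names.

```python
import json

# Constructed sample policies (assumed CAM policy syntax, not copied from the console).
ADMIN_TEMPLATE = '''{"version": "2.0", "statement": [
  {"effect": "allow", "action": "*", "resource": "*"}]}'''
DBA_POLICY = '''{"version": "2.0", "statement": [
  {"effect": "allow", "action": ["cdb:*"], "resource": "*"}]}'''


def _as_list(value):
    """Normalize a field that may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def service_of(action):
    """Return the service prefix of an action, or '*' when it covers all services."""
    name = action.split("/", 1)[-1]           # tolerate a "name/cdb:*" style prefix
    return name.split(":", 1)[0] if ":" in name else "*"


def lint_policy(policy_text, allowed_services):
    """Return (statement index, action, reason) for allow grants beyond the intended services."""
    policy = json.loads(policy_text)
    statements = policy.get("statement", [])
    if isinstance(statements, dict):          # tolerate a single statement object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue                          # only allow statements can widen access
        for action in _as_list(stmt.get("action")):
            svc = service_of(action)
            if svc == "*":
                findings.append((idx, action, "grants every service"))
            elif svc not in allowed_services:
                findings.append((idx, action, f"service '{svc}' not intended"))
    return findings


if __name__ == "__main__":
    for name, text in (("admin template", ADMIN_TEMPLATE), ("DBA", DBA_POLICY)):
        print(name, lint_policy(text, allowed_services={"cdb"}))
```

An empty result means every allow statement stays within the intended services; it does not check the `resource` scope, which still needs review.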