Basic Concepts

Last updated: 2020-02-25 16:30:04

PDF

Before you start using roles, you need to understand some basic terms, including roles, service roles, custom roles, role entity, Permission strategy, and so on. For more introduction of terms, please refer to Glossary .

Role

Have a group of virtual identities of Permission. Access and Permission, who is used to award services, operations and resources to Tencent Cloud by role entity. These Permission are attached to roles, not to specific users or user groups.
CAM supports two types of roles:

  • Service (preset) role: the predefined role is performed by Tencent Cloud service. The service role needs to be authorized by the user, and the service can perform Access operation on the user resources by playing the service role.
  • Custom role: the role defined by the user, the user can freely and flexibly decide role entity and the role Permission.

Roles can be used by:

  • The main account of Tencent Cloud that can be used as a role.
  • Tencent Cloud sub-users and collaborators who can act as roles.

In addition, the role can also be used by Tencent Cloud products and services that support the role. To query whether Tencent Tencent Cloud services service supports the use of service roles, please refer to Products that support CAM .

Service Role

The service role is a unique type of CAM preset role directly provided by various products and services of Tencent Cloud. Associate Permission of the service role is predefined by the relevant products and services. Once the relevant products and services are assigned by you to the service role, that is, the product service can fully invoke other Tencent Cloud products and services within the scope of the service role Permission on your behalf. The service role makes it easier for you to use the service, because you do not have to add Permission manually in the role-granting process, you only need to choose whether or not to grant the service role to the relevant Permission.

In the process of assigning a service role to a related product service, the relevant Permission and role entity of the service role have been defined, and only the service can be substituted for the role unless otherwise defined. The predefinition of service role includes role name, role entity and Permission strategy.

Custom Role

Custom roles are defined by users themselves for CAM roles. The role name, role entity and Permission of the custom role are all determined by the user. Custom roles give you more freedom and flexibility to use Permission for Assign on Access of your cloud resources.

Objects that you grant a role to are only given permissions when using the role. This helps prevent security problems caused by using persistent keys.

Role Entity

Role entity is the object who is allowed to carry the character Permission. You can edit the role by role entity, add or delete corresponding objects to allow or deny them to play the role to Access your Tencent Cloud resources. At present, the types of role entity supported by Tencent Cloud are: Tencent Cloud account and Tencent Cloud service that supports the role. To query whether Tencent Tencent Cloud services service supports the use of service roles, please refer to Products that support CAM .

Permission's strategy

Permission document in JSON format. You can define the operations and resources available to the role in the Permission policy. This document rule relies on CAM policy language rules.

Trust strategy

Permission document in JSON format. You can define the objects that can play a role and the conditions that need to be met when playing a role in the trust policy. This document rule relies on CAM policy language rules.