- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Best Practices
- Business Use Cases
- TencentDB for MySQL Cases
- CLB Cases
- CMQ Cases
- COS Cases
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM Cases
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC Cases
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD Cases
- Other Cases
- API Documentation
- Introduction
- API Category
- Making API Requests
- Policy APIs
- Role APIs
- DeleteRolePermissionsBoundary
- CreateServiceLinkedRole
- AttachRolePolicy
- DescribeSafeAuthFlag
- DeleteServiceLinkedRole
- CreateRole
- DeleteRole
- DescribeRoleList
- DetachRolePolicy
- GetServiceLinkedRoleDeletionStatus
- GetRole
- PutRolePermissionsBoundary
- ListAttachedRolePolicies
- UpdateAssumeRolePolicy
- UpdateRoleConsoleLogin
- UpdateRoleDescription
- Identity Provider APIs
- User APIs
- AddUser
- AddUserToGroup
- ConsumeCustomMFAToken
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- CreateGroup
- DeleteGroup
- DeleteUser
- GetCustomMFATokenInfo
- GetGroup
- ListAccessKeys
- GetUser
- ListGroups
- ListCollaborators
- ListGroupsForUser
- ListUsers
- PutUserPermissionsBoundary
- ListUsersForGroup
- RemoveUserFromGroup
- SetMfaFlag
- UpdateGroup
- UpdateUser
- STS APIs
- Data Types(STS)
- Data Types(CAM)
- Error Codes
- FAQs
- Glossary
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Best Practices
- Business Use Cases
- TencentDB for MySQL Cases
- CLB Cases
- CMQ Cases
- COS Cases
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM Cases
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC Cases
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD Cases
- Other Cases
- API Documentation
- Introduction
- API Category
- Making API Requests
- Policy APIs
- Role APIs
- DeleteRolePermissionsBoundary
- CreateServiceLinkedRole
- AttachRolePolicy
- DescribeSafeAuthFlag
- DeleteServiceLinkedRole
- CreateRole
- DeleteRole
- DescribeRoleList
- DetachRolePolicy
- GetServiceLinkedRoleDeletionStatus
- GetRole
- PutRolePermissionsBoundary
- ListAttachedRolePolicies
- UpdateAssumeRolePolicy
- UpdateRoleConsoleLogin
- UpdateRoleDescription
- Identity Provider APIs
- User APIs
- AddUser
- AddUserToGroup
- ConsumeCustomMFAToken
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- CreateGroup
- DeleteGroup
- DeleteUser
- GetCustomMFATokenInfo
- GetGroup
- ListAccessKeys
- GetUser
- ListGroups
- ListCollaborators
- ListGroupsForUser
- ListUsers
- PutUserPermissionsBoundary
- ListUsersForGroup
- RemoveUserFromGroup
- SetMfaFlag
- UpdateGroup
- UpdateUser
- STS APIs
- Data Types(STS)
- Data Types(CAM)
- Error Codes
- FAQs
- Glossary
Concept
Permissions boundary is an advanced feature used by Tencent Cloud to set a permissions boundary for a sub-account/role. After you set a permissions boundary for a sub-account/role, it can only perform operations allowed by both the associated policy and the permissions boundary. A permissions boundary only limits the maximum scope of permissions owned by a sub-account/role, but cannot be used to set permissions for the sub-account/role. For detailed evaluation logic, please see the following figure:
Use Cases
You can use a preset or custom policy to set permissions for a sub-account/role. This policy is the maximum scope of permissions that the sub-account/role can have. This document describes how to use a permissions boundary to set the maximum scope of permissions for a sub-account.
Suppose a company's Tencent Cloud resource admin needs to set permissions for OPS employees to meet the following requirements:
● The company has two OPS employees, each of whom has a sub-account: test1 and test2 respectively.
● The employee with the sub-account test1 only needs to manage all COS permissions under the root account.
● The employee with the sub-account test2 only needs to manage the operation permission for the server with the instance ID of ins-1 under the root account.
● The company stipulates that all operations on CVM and COS under the root account by sub-accounts must be performed in the IP range of the company (10.217.182.3/24 or 111.21.33.72/24).
Directions
Setting permissions for sub-account test1
- Log in to the admin account and enter the user list page.
- On the user list page, find the sub-account
test1and click the user's nickname to enter the user details page. - In the policy section, click Associate Policy and check the
QcloudCOSFullAccesspolicy to set all COS permissions for the sub-accounttest1. - In the permissions boundary section, click Set Boundary to enter the permissions boundary setting page.
- On the permissions boundary setting page, click Create Custom Policy to enter the custom policy creation page.
- On the custom policy creation page, set the policy name as policygen-1.
- In the Visual Policy Generator, check to add the following information:
● Effect: select Allow.
● Service: select COS.
● Action: select All actions and click OK.
● Resource: the default value is all resources ().
● Condition: check the source IP and enter *10.217.182.3/24, 111.21.33.72/24** as the IP value. - Click Create to enter the permissions boundary setting page.
- On the permissions boundary setting page, check the created custom policy in the policy list.
- Click Set Boundary.
Setting permissions for sub-account test2
- Log in to the admin account and create a custom policy syntax named
policygen-2by referring to the following policy syntax. For more information, please see "Create by Policy Syntax".
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"resource": [
"qcs::cvm:gz::instance/ins-1"
],
"action": [
"name/cvm:*"
]
}
]
}
- On the user list page, find the sub-account
test2and click the user's nickname to enter the user details page. - In the policy section, click Associate Policy and check the
policygen-2policy to set the operation permission of the CVM instance namedins-1for the sub-accounttest2. - In the permissions boundary section, click Set Boundary to enter the permissions boundary setting page.
- On the permissions boundary setting page, click Create Custom Policy to enter the custom policy creation page.
- On the custom policy creation page, set the policy name as policygen-3.
- In the Visual Policy Generator, check to add the following information:
● Effect: select Allow.
● Service: select CVM.
● Action: select All actions and click OK.
● Resource: the default value is all resources ().
● Condition: check the source IP and enter *10.217.182.3/24, 111.21.33.72/24** as the IP value. - Click Create to enter the permissions boundary setting page.
- On the permissions boundary setting page, check the
policygen-3policy in the policy list. - Click Set Boundary.
Was this page helpful?