- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Security Setting Policy
- Best Practice
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category(CAM)
- API Category(STS)
- Making API Requests(CAM)
- Making API Requests(STS)
- Identity Provider APIs
- Policy APIs
- STS APIs
- Data Types(CAM)
- Data Types(STS)
- Error Codes(CAM)
- Error Codes(STS)
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- FAQs
- Glossary
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Security Setting Policy
- Best Practice
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category(CAM)
- API Category(STS)
- Making API Requests(CAM)
- Making API Requests(STS)
- Identity Provider APIs
- Policy APIs
- STS APIs
- Data Types(CAM)
- Data Types(STS)
- Error Codes(CAM)
- Error Codes(STS)
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- FAQs
- Glossary
Concept
Permissions boundary is an advanced feature used by Tencent Cloud to set a permissions boundary for a sub-account/role. After you set a permissions boundary for a sub-account/role, it can only perform operations allowed by both the associated policy and the permissions boundary. A permissions boundary only limits the maximum scope of permissions owned by a sub-account/role, but cannot be used to set permissions for the sub-account/role. For detailed evaluation logic, please see the following figure:
Use Cases
You can use a preset or custom policy to set permissions for a sub-account/role. This policy is the maximum scope of permissions that the sub-account/role can have. This document describes how to use a permissions boundary to set the maximum scope of permissions for a sub-account.
Suppose a company's Tencent Cloud resource admin needs to set permissions for OPS employees to meet the following requirements:
- The company has two OPS employees, each of whom has a sub-account:
test1andtest2respectively. - The employee with the sub-account
test1only needs to manage all COS permissions under the root account. - The employee with the sub-account
test2only needs to manage the operation permission for the server with the instance ID ofins-1under the root account. - The company stipulates that all operations on CVM and COS under the root account by sub-accounts must be performed in the IP range of the company (10.217.182.3/24 or 111.21.33.72/24).
Directions
Setting permissions for sub-account test1
- Log in to the admin account and enter the user list page.
- On the user list page, find the sub-account
test1and click the user's nickname to enter the user details page. - In the policy section, click Associate Policy and check the
QcloudCOSFullAccesspolicy to set all COS permissions for the sub-accounttest1. - In the permissions boundary section, click Set Boundary to enter the permissions boundary setting page.
- On the permissions boundary setting page, click Create Custom Policy to enter the custom policy creation page.
- On the custom policy creation page, set the policy name as policygen-1.
- In the Visual Policy Generator, check to add the following information:
- Effect: select Allow.
- Service: select COS.
- Action: select All actions and click OK.
- Resource: the default value is all resources (*).
- Condition: check the source IP and enter 10.217.182.3/24, 111.21.33.72/24 as the IP value.
- Click Create to enter the permissions boundary setting page.
- On the permissions boundary setting page, check the created custom policy in the policy list.
- Click Set Boundary.
Setting permissions for sub-account test2
- Log in to the admin account and create a custom policy syntax named
policygen-2by referring to the following policy syntax. For more information, please see "Create by Policy Syntax".
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"resource": [
"qcs::cvm:gz::instance/ins-1"
],
"action": [
"name/cvm:*"
]
}
]
}
- On the user list page, find the sub-account
test2and click the user's nickname to enter the user details page. - In the policy section, click Associate Policy and check the
policygen-2policy to set the operation permission of the CVM instance namedins-1for the sub-accounttest2. - In the permissions boundary section, click Set Boundary to enter the permissions boundary setting page.
- On the permissions boundary setting page, click Create Custom Policy to enter the custom policy creation page.
- On the custom policy creation page, set the policy name as policygen-3.
- In the Visual Policy Generator, check to add the following information:
- Effect: select Allow.
- Service: select CVM.
- Action: select All actions and click OK.
- Resource: the default value is all resources (*).
- Condition: check the source IP and enter 10.217.182.3/24, 111.21.33.72/24 as the IP value.
- Click Create to enter the permissions boundary setting page.
- On the permissions boundary setting page, check the
policygen-3policy in the policy list. - Click Set Boundary.
Yes
No
Was this page helpful?