- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Security Setting Policy
- Best Practice
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category(CAM)
- API Category(STS)
- Making API Requests(CAM)
- Making API Requests(STS)
- Identity Provider APIs
- Policy APIs
- ListAttachedUserAllPolicies
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- STS APIs
- Data Types(CAM)
- Data Types(STS)
- Error Codes(CAM)
- Error Codes(STS)
- FAQs
- Glossary
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- Security Setting Policy
- Best Practice
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category(CAM)
- API Category(STS)
- Making API Requests(CAM)
- Making API Requests(STS)
- Identity Provider APIs
- Policy APIs
- ListAttachedUserAllPolicies
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- STS APIs
- Data Types(CAM)
- Data Types(STS)
- Error Codes(CAM)
- Error Codes(STS)
- FAQs
- Glossary
Concept
Permissions boundary is an advanced feature used by Tencent Cloud to set a permissions boundary for a sub-account/role. After you set a permissions boundary for a sub-account/role, it can only perform operations allowed by both the associated policy and the permissions boundary. A permissions boundary only limits the maximum scope of permissions owned by a sub-account/role, but cannot be used to set permissions for the sub-account/role. For detailed evaluation logic, please see the following figure:
Use Cases
You can use a preset or custom policy to set permissions for a sub-account/role. This policy is the maximum scope of permissions that the sub-account/role can have. This document describes how to use a permissions boundary to set the maximum scope of permissions for a sub-account.
Suppose a company's Tencent Cloud resource admin needs to set permissions for OPS employees to meet the following requirements:
- The company has two OPS employees, each of whom has a sub-account:
test1andtest2respectively. - The employee with the sub-account
test1only needs to manage all COS permissions under the root account. - The employee with the sub-account
test2only needs to manage the operation permission for the server with the instance ID ofins-1under the root account. - The company stipulates that all operations on CVM and COS under the root account by sub-accounts must be performed in the IP range of the company (10.217.182.3/24 or 111.21.33.72/24).
Directions
Setting permissions for sub-account test1
- Log in to the admin account and enter the user list page.
- On the user list page, find the sub-account
test1and click the user's nickname to enter the user details page. - In the Permissions Policy section under the Permission tab, click Associate Policy and select the
QcloudCOSFullAccesspolicy to set all COS permissions for the sub-accounttest1. - In the Permissions Boundary section under the Permission tab, click Set Boundary to enter the Set Permissions Boundary page.
- On the permissions boundary setting page, click Create Custom Policy to enter the custom policy creation page.
- On the custom policy creation page, set the policy name as policygen-1.
- In the Visual Policy Generator, check to add the following information:
- Effect: select Allow.
- Service: select COS.
- Action: select All actions and click OK.
- Resource: the default value is All resources (*).
- Condition: select Source IP and enter
10.217.182.3/24, 111.21.33.72/24as the IP value.
- Click Create to enter the permissions boundary setting page.
- On the permissions boundary setting page, check the created custom policy in the policy list.
- Click Set Boundary.
Setting permissions for sub-account test2
Log in to the admin account and create a custom policy syntax named
policygen-2by referring to the following policy syntax. For more information, please see "Create by Policy Syntax".{ "version": "2.0", "statement": [ { "effect": "allow", "resource": [ "qcs::cvm:gz::instance/ins-1" ], "action": [ "name/cvm:*" ] } ] }On the user list page, find the sub-account
test2and click the user's nickname to enter the user details page.In the Permissions Policy section under the Permission tab, click Associate Policy and select the
policygen-2policy to set the operation permission of the CVM instance namedins-1for the sub-accounttest2.In the Permissions Boundary section under the Permission tab, click Set Boundary to enter the Set Permissions Boundary page.
On the permissions boundary setting page, click Create Custom Policy to enter the custom policy creation page.
On the custom policy creation page, set the policy name as policygen-3.
In the Visual Policy Generator, check to add the following information:
- Effect: select Allow.
- Service: select CVM.
- Action: select All actions and click OK.
- Resource: the default value is All resources (*).
- Condition: select Source IP and enter
10.217.182.3/24, 111.21.33.72/24as the IP value.
Click Create to enter the permissions boundary setting page.
On the permissions boundary setting page, check the
policygen-3policy in the policy list.Click Set Boundary.
Yes
No
Was this page helpful?