Permissions boundary is an advanced feature used by Tencent Cloud to set a permissions boundary for a sub-account/role. After you set a permissions boundary for a sub-account/role, it can only perform operations allowed by both the associated policy and the permissions boundary. A permissions boundary only limits the maximum scope of permissions owned by a sub-account/role, but cannot be used to set permissions for the sub-account/role. For detailed evaluation logic, please see the following figure:
You can use a preset or custom policy as the permissions boundary of a sub-account/role. That policy then defines the maximum scope of permissions the sub-account/role can have. This document describes how to use a permissions boundary to set the maximum scope of permissions for a sub-account.
Suppose a company's Tencent Cloud resource admin needs to set permissions for OPS employees to meet the following requirements:
● The company has two OPS employees, each of whom has a sub-account: test1 and test2 respectively.
● The employee with the sub-account test1 only needs to manage all COS permissions under the root account.
● The employee with the sub-account test2 only needs the operation permission for the CVM instance with the instance ID ins-1 under the root account.
● The company stipulates that all operations on CVM and COS under the root account by sub-accounts must be performed from the company's IP ranges (10.217.182.3/24 or 111.21.33.72/24).
Find the sub-account test1 and click the user's nickname to enter the user details page. Associate the QcloudCOSFullAccess policy to grant all COS permissions to the sub-account test1.
For the sub-account test2, create a custom policy named policygen-2 by referring to the following policy syntax. For more information, please see "Create by Policy Syntax".
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "resource": [
                "qcs::cvm:gz::instance/ins-1"
            ],
            "action": [
                "name/cvm:*"
            ]
        }
    ]
}
Find the sub-account test2 and click the user's nickname to enter the user details page. Associate the policygen-2 policy to grant the operation permission for the CVM instance ins-1 to the sub-account test2.
To set the permissions boundary, select the policygen-3 policy in the policy list.
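The evaluation logic described above (a request passes only if both the associated policy and the permissions boundary allow it), worked through in Python as an added example that is not part of the Tencent Cloud documentation. It uses the page's policygen-2 policy together with a constructed boundary policy standing in for policygen-3, whose body the page does not show; the ip_equal/qcs:ip condition syntax and the action name StartInstances are assumptions.

```python
import fnmatch
import ipaddress

# The policygen-2 policy from the page (associated with sub-account test2).
POLICY_TEST2 = {"version": "2.0", "statement": [{
    "effect": "allow",
    "resource": ["qcs::cvm:gz::instance/ins-1"],
    "action": ["name/cvm:*"],
}]}

# Constructed stand-in for the policygen-3 boundary (its body is not on the page):
# every CVM and COS action, but only from the company IP ranges. The
# "ip_equal"/"qcs:ip" condition syntax is an assumption, not taken from the page.
BOUNDARY = {"version": "2.0", "statement": [{
    "effect": "allow",
    "resource": ["*"],
    "action": ["name/cvm:*", "name/cos:*"],
    "condition": {"ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]}},
}]}

def _matches(patterns, value):
    # Wildcard matching of an action or resource string against policy entries.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(stmt, source_ip):
    nets = stmt.get("condition", {}).get("ip_equal", {}).get("qcs:ip", [])
    if not nets:
        return True  # statement carries no IP condition
    addr = ipaddress.ip_address(source_ip)
    # strict=False accepts host-style notation such as 10.217.182.3/24.
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def evaluate(policy, action, resource, source_ip):
    """Return 'deny', 'allow' or None (no matching statement) for one policy."""
    verdict = None
    for stmt in policy["statement"]:
        if not (_matches(stmt["action"], action) and _matches(stmt["resource"], resource)
                and _condition_holds(stmt, source_ip)):
            continue
        if stmt["effect"] == "deny":
            return "deny"  # an explicit deny wins over any allow
        verdict = "allow"
    return verdict

def effective_allow(policy, boundary, action, resource, source_ip):
    """Boundary rule from the page: the request passes only if BOTH the associated
    policy and the boundary allow it; the boundary grants nothing by itself."""
    return (evaluate(policy, action, resource, source_ip) == "allow"
            and evaluate(boundary, action, resource, source_ip) == "allow")
```

Note that the boundary alone allows COS actions from a company IP, yet test2 still cannot perform them, because its associated policy never grants COS: the boundary caps permissions but does not confer them.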