Multi-Identity Personnel Permission Management

Last updated: 2021-08-04 17:44:10

    Overview

    If your company has management personnel with different identities, you can use CAM to divide permissions and grant different permissions to different people to facilitate management and control. This document uses a typical case to describe how to manage the permissions of different identities through sub-accounts.

    Suppose that:

    • The company account CompanyExample has two OPS engineers DevA and DevB.
    • The OPS engineer DevA is responsible for server OPS and has all operation permissions of CVM instances under the company account CompanyExample.
    • The OPS engineer DevB is responsible for TencentDB for MySQL OPS and has all operation permissions of TencentDB for MySQL instances under the company account CompanyExample.

    Directions

    1. Log in to the CAM console with the company account CompanyExample.
    2. Create two sub-accounts with usernames of DevA and DevB through custom sub-user creation.
    3. On the User List page, find the just created sub-user DevA and click Authorize in the Operation column on the right as shown below:
    4. In the Associate Policy window that pops up, search for and select QcloudCVMFullAccess and click OK as shown below:
    5. Associate the QcloudCDBFullAccess policy with the sub-account DevB as instructed in steps 2 and 3.
    6. After the authorization is successful, the sub-account DevA has all the operation permissions of CVM instances, while the sub-account DevB has all the operation permissions of TencentDB for MySQL instances.
      Note:

      If you need to configure a CAM user as another role, you can follow the above process and search for and select the corresponding permissions policy name in steps 2 and 3. For specific permissions, please see System Permissions

    System Permissions

    OwnerPolicy NameDescription
    Admin AdministratorAccessThis policy allows you to manage all users and their permissions, related financial info, and cloud service assets under this account.
    Financial admin QCloudFinanceFullAccessThis policy allows you to manage related financial information under the account, such as payment and invoicing.
    Database admin QcloudCynosDBFullAccess Full access to TDSQL-C
    QcloudMariaDBFullAccess Full access to TencentDB for MariaDB
    QcloudSQLServerFullAccess Full access to TencentDB for SQL Server
    QcloudCDWPGFullAccess Full access to TencentDB for PostgreSQL
    Network admin QcloudCLBFullAccessFull access to CLB
    QcloudVPCFullAccess Full access to VPC
    QcloudDCFullAccess Full access to Direct Connect
    Monitoring admin QcloudMonitorFullAccessFull access to Cloud Monitor, including the permission to view user groups
    QcloudCATFullAccess Full access to CAT