tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Cloud Access Management
    Documentation

    Cloud Access Management

    Last updated: 2024-05-02 09:03:57

      Fundamental information

      Product Abbreviation in CAM Console Authorization by Tag Authorization Granularity IP Restriction
      Cloud Access Management cam Supported not supported Operation level Partially supported

      Note:

      The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

      • Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For the authorization granularity of cloud products at service level, the authorization of specific APIs are not supported.
      • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
      • Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

      API authorization granularity

      Two authorization granularity levels of API are supported: resource level, and operation level.

      • Resource level: It supports the authorization of a specific resource.
      • Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.

      Write operations

      API API Description Authorization Granularity Six-segment Resource Description IP Restriction
      AddSubAccount Console Create Message Recipient Operation level * Supported
      AddSubAccountCheckingMFA Console Create Sub-user and Collaborator Operation level * Supported
      AddSubAccountsToGroup Add user to group Operation level * Supported
      AddUser Add Sub-user Operation level * Supported
      AddUserToGroup Operation level * Supported
      AttachGroupPolicies Bind multiple policies to user groups Operation level * Supported
      AttachGroupPolicy Operation level * Supported
      AttachGroupsPolicy Bind a policy to multiple user groups Operation level * Supported
      AttachRolePolicy Operation level * Supported
      AttachUserPolicies Attach some policies to sub-user Operation level * Supported
      AttachUserPolicy Operation level * Supported
      AttachUsersPolicy Bind the policy to multiple users Operation level * Supported
      BatchOperateCamStrategy The binding strategy is for user details page Operation level * Supported
      BindToken Operation level * Supported
      CreateAssistApprover CreateAssistApprover Operation level * Supported
      CreateCollApiKey Create sub-account key Operation level * Supported
      CreateGroup Operation level * Supported
      CreateMessageReceiver Create message receiver Operation level * Supported
      CreateOIDCConfig CreateOIDCConfig Operation level * Supported
      CreatePolicy Operation level * Supported
      CreatePolicyVersion Operation level * Supported
      CreateRole Operation level * Supported
      CreateRoleByConsole Console creation role Operation level * Supported
      CreateSAMLProvider Operation level * Supported
      CreateServiceLinkedRole Create service linked role Operation level * Supported
      CreateSimulationPolicy Create Simulation Policy Data Operation level * Supported
      CreateSubAccountBindPolicy Operation level * Supported
      CreateSubAccountLoginIpPolicy Operation level * Supported
      CreateSubAccounts Create WeComUser Operation level * Supported
      CreateUserOIDCConfig CreateUserOIDCConfig Operation level * Supported
      CreateUserSAMLConfig Create user SAML configuration Operation level * Supported
      DeleteAccessKey delete access key Resource level qcs::cam::uin/${uin}:uin/${uin} Supported
      DeleteApiKey Operation level * Supported
      DeleteCollApiKey Delete sub-account key Operation level * Supported
      DeleteEntitiesPermissionsBoundary DeleteEntitiesPermissionsBoundary Operation level * Supported
      DeleteGroup Operation level * Supported
      DeleteOIDCConfig DeleteOIDCConfig Operation level * Supported
      DeletePolicy Operation level * Supported
      DeletePolicyVersion Operation level * Supported
      DeleteRole Delete role. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/{$RoleId}      		 Supported
      DeleteRolePermissionsBoundary DeleteRolePermissionsBoundary Operation level * Supported
      DeleteSAMLProvider Operation level * Supported
      DeleteServiceLinkedRole Delete service linked role Resource level qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/{$RoleId}      		 Supported
      DeleteSubAccount Operation level * Supported
      DeleteUser Operation level * Supported
      DeleteUserPermissionsBoundary DeleteUserPermissionsBoundary Operation level * Supported
      DetachGroupPolicy Operation level * Supported
      DetachRolePolicy Operation level * Supported
      DetachUserPolicies Unbinding strategy for details page Operation level * Supported
      DetachUserPolicy Operation level * Supported
      DisableApiKey Operation level * Supported
      DisableCollApiKey Disable sub-account key Operation level * Supported
      DisableUserSSO DisableUserSSO Operation level * Supported
      EnableApiKey Operation level * Supported
      EnableCollApiKey Enable sub-account key Operation level * Supported
      GenerateSafetyAnalysisReport - Operation level * Supported
      LogoutRoleSessions Log out of role Operation level * Supported
      ModifySubContactEmailWithVerifyCode sub-account modification contact email Operation level * Supported
      ModifySubContactPhoneWithVerifyCode sub-user modify contact phone Operation level * Supported
      ModifyUserContactInfo ModifyUserContactInfo Operation level * Supported
      PassRole Pass role for assume role. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      PutEntitiesPermissionsBoundary PutEntitiesPermissionsBoundary Operation level * Supported
      PutRolePermissionsBoundary PutRolePermissionsBoundary Operation level * Supported
      PutUserPermissionsBoundary PutUserPermissionsBoundary Operation level * Supported
      RemoveUserFromGroup Operation level * Supported
      SetDefaultPolicyVersion Operation level * Supported
      SetLoginSessionDuration - Operation level * Supported
      SetSafeAuthFlag Operation level * Supported
      SetSubAccountSessionLifetime - Operation level * Supported
      SyncAuthInfo - Operation level * Supported
      TagRole Tag role. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      UnbindContactInfo Unbind contact information Resource level qcs::cam::uin/${uin}:uin/${uin}
      qcs::cam::uin/${uin}:userName/${userName}      		 Supported
      UnbindSubAccount Unbind sub-user login method Operation level * Supported
      UnbindSubAccountStoken - Operation level * Supported
      UnbindSubAccountToken - Operation level * Supported
      UnbindSubAccountU2FToken unbind subaccount U2F Token Operation level * Supported
      UnbindToken Operation level * Supported
      UnbindU2FToken unbind account U2F Token Operation level * Supported
      UntagRole Untag role. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      UpdateAccessKey update access key Resource level qcs::cam::uin/${uin}:uin/${uin} Supported
      UpdateAssumeRolePolicy Update assume role policy. Resource level qcs::cam::uin/${uin}:roleName/${roleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${roleId}
      qcs::cam::uin/${uin}:role/${roleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${roleName}      		 Supported
      UpdateCollPassword - Operation level * Supported
      UpdateGroup Operation level * Supported
      UpdateOIDCConfig UpdateOIDCConfig Operation level * Supported
      UpdatePasswordRules Operation level * Supported
      UpdatePolicy Operation level * Supported
      UpdateRoleConsoleLogin Update role console login Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      UpdateRoleDescription Update role description. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      UpdateSAMLProvider Operation level * Supported
      UpdateSubAccount Operation level * Supported
      UpdateSubAccountAttr - Operation level * Supported
      UpdateUser Operation level * Supported
      UpdateUserOIDCConfig UpdateUserOIDCConfig Operation level * Supported
      UpdateUserSAMLConfig Modify user SAML configuration Operation level * Supported

      Read operations

      API API Description Authorization Granularity Six-segment Resource Description IP Restriction
      CheckGroupNameIsValid check whether the user group name is legal Operation level * Supported
      CheckSubAccountName Operation level * Supported
      CheckUserPolicyAttachment Operation level * Supported
      ConsumeCustomMFAToken Operation level * Supported
      CreateApiKey CreateApiKey Resource level qcs::cam::uin/${uin}:uin/${ApiUin} Supported
      DescribeAssistApprover Operation level * Supported
      DescribeContactInfoModifyStatus - Operation level * Supported
      DescribeMFADeviceColl 查询mfa设备 Operation level * Supported
      DescribeMfaStatus query mfa status Operation level * Supported
      DescribeOIDCConfig DescribeOIDCConfig Operation level * Supported
      DescribePermProject - Operation level * Supported
      DescribeRoleList Describe role list. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      DescribeSafeAuthFlagColl DescribeSafeAuthFlagColl Operation level * Supported
      DescribeSafeAuthInfo DescribeSafeAuthInfo Operation level * Supported
      DescribeSecretProjectId - Operation level * Supported
      DescribeSensitiveInfoHashValue - Operation level * Supported
      DescribeServiceLinkedRole Describe service linked role Operation level * Supported
      DescribeSubAccountBindPolicy Operation level * Supported
      DescribeSubAccountContacts DescribeSubAccountContacts Operation level * Supported
      DescribeSubAccountLoginIpPolicy Operation level * Supported
      DescribeSubAccountSessionSettings - Operation level * Supported
      DescribeSubAccounts Describe SubAccounts Operation level * Supported
      DescribeSubLoginUinList - Operation level * Supported
      DescribeUserAnalysisReport DescribeUserAnalysisReport Operation level * Supported
      DescribeUserAnalysisReportCheck - Operation level * Supported
      DescribeUserOIDCConfig DescribeUserOIDCConfig Operation level * Supported
      DescribeUserSAMLConfig Query user SAML configuration Operation level * Supported
      DescribeUserWeChatInfo - Operation level * Supported
      DescribeWechatUnionId - Operation level * Supported
      GetAccountSummary Operation level * Supported
      GetAllSubUser Operation level * Supported
      GetCustomMFATokenInfo Operation level * Supported
      GetCustomMfaCallback - Operation level * Supported
      GetGroup Operation level * Supported
      GetMFADevice Operation level * Supported
      GetMFADeviceColl - Operation level * Supported
      GetPasswordRules Operation level * Supported
      GetPolicy Operation level * Supported
      GetPolicyVersion Operation level * Supported
      GetReceiverInfo Operation level * Supported
      GetRole Get role detail. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      GetRolePermissionBoundary GetRolePermissionBoundary Operation level * Supported
      GetSAMLProvider Operation level * Supported
      GetSafeAuthFlag Operation level * Supported
      GetSafeAuthFlagColl - Operation level * Supported
      GetSecurityLastUsed GetSecurityLastUsed Operation level * Supported
      GetServiceLinkedRoleDeletionStatus Get service linked role deletion status Operation level * Supported
      GetStrategyNoticeFrequency Frequency of getting policy change notifications Operation level * Supported
      GetSubAccountBindInfo Operation level * Supported
      GetUidByUin Operation level * Supported
      GetUser Operation level * Supported
      GetUserAppId Get User AppId Operation level * not supported
      GetUserPermissionBoundary GetUserPermissionBoundary Operation level * Supported
      ListAccessKeys list access keys Resource level qcs::cam::uin/${uin}:userName/${userName} Supported
      ListAllGroupsPolicies Operation level * Supported
      ListAttachedGroupPolicies Operation level * Supported
      ListAttachedRolePolicies Operation level * Supported
      ListAttachedUserAllPolicies Operation level * Supported
      ListAttachedUserPolicies Operation level * Supported
      ListCollaborators List Collaborators Operation level * Supported
      ListEntitiesForPolicy Operation level * Supported
      ListGroups Operation level * Supported
      ListGroupsForConsole List Groups For Console Operation level * Supported
      ListGroupsForUser Operation level * Supported
      ListGroupsPolicies Operation level * Supported
      ListIdentityProvider Operation level * Supported
      ListLoginRoles Get subaccount user\'s role list for login. Operation level * Supported
      ListMaskedSubAccounts - Operation level * Supported
      ListPolicies Operation level * Supported
      ListPolicyVersions Operation level * Supported
      ListRoleTags List role tags. Resource level qcs::cam::uin/${uin}:roleName/${RoleName}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId}
      qcs::cam::uin/${uin}:role/${RoleId}
      qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName}      		 Supported
      ListSAMLProviders Operation level * Supported
      ListSimulationAuth ListSimulationAuth Operation level * Supported
      ListSubAccounts Operation level * Supported
      ListUserTags List user tags Resource level qcs::cam::uin/${uin}:userName/${userName} Supported
      ListUsers Operation level * Supported
      ListUsersForGroup List Users For Group Operation level * Supported
      ListUsersForPolicy Operation level * Supported
      ListWeChatWorkSubAccounts - Operation level * Supported
      LookupRecentlyLogin Operation level * Supported
      QueryApiKey Operation level * Supported
      QueryApiKeyRecord Query key access records Operation level * Supported
      QueryCollApiKey Query for sub-account key list Operation level * Supported
      QueryKeyBySecretId - Operation level * Supported

      List Operations

      API API Description Authorization Granularity Six-segment Resource Description IP Restriction
      DescribeOrganizationSubAccountPolicies Describe Organization SubAccount Policies List Operation level * Supported
      GetAllMaskedSubUser - Operation level * Supported
      ListEntitiesForPermissionsBoundary ListEntitiesForPermissionsBoundary Operation level * Supported
      ListPoliciesForPermissionsBoundary ListPoliciesForPermissionsBoundary Operation level * Supported
      ListPoliciesGrantingServiceAccess List policies granting service access. Operation level * Supported
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy