Configuring Basic Permissions

Last updated: 2026-06-03 14:09:39

This document serves as a guide for configuring Stream Compute Service sub-user permissions. Sub-user permissions must be granted by the root account. (If you are a sub-user, contact the holder of your root account to configure the authorization.) For specific authorization steps, refer to the following sections. After permissions are granted as described, sub-users can use the product normally.

Permission 1: CAM Access Management

SCS uses Tencent Cloud's unified CAM service to help customers manage access permissions for different users to resources within their enterprises. For details, see CAM.

Granting SCS Access Permissions to a Sub-user

The root account has permission to access all SCS resources by default, while a sub-account does not have permission to access SCS resources by default. If you attempt to access SCS with a sub-account, you will receive a CAM authentication error. To resolve this, refer to Authorization Management or go to CAM to grant the preset policy to the user.

| Preset Policy | Permission Scope | Description |
| --- | --- | --- |
| AdministratorAccess | Tencent Cloud Management Permissions | Sub-users automatically obtain SCS super administrator permissions, and no additional role authorization configuration is required within the SCS space (they do not appear in the SCS user list by default, but can be manually added if needed). |
| QcloudOceanusManageAccess | SCS Manager Permissions | Sub-users automatically obtain SCS super administrator permissions, and no additional role authorization configuration is required within the SCS space (they do not appear in the SCS user list by default, but can be manually added if needed). |
| QcloudOceanusFullAccess | SCS Full Read-Write Permissions | Sub-users obtain access permissions to SCS resources, but the permissions still need to be configured by an administrator within the SCS product to take effect. After configuration, they have the full operational permissions of the corresponding role. See Space Role Authorization. |
| QcloudOceanusReadOnlyAccess | SCS Read-Only Permissions | Sub-users can only obtain read-only access permissions to SCS resources, but the permissions still need to be configured by an administrator within the SCS product to take effect. After configuration, they have at most read-only permissions (even if they are assigned a role with higher permissions, the actual effective permissions remain read-only). See Space Role Authorization. |

Granting Tag Access Permissions to a Sub-user

The root account has permission to access Tags by default. If you attempt to set SCS job Tags or cluster information Tags with a sub-account, you will receive a CAM authentication error.
To resolve this, refer to Authorization Management or go to CAM to grant the preset policy QcloudTAGFullAccess to the user. By granting the policy QcloudTAGFullAccess from the root account to the sub-account, the sub-account gains permission to access Tags.

Granting TCOP Access Permissions to a Sub-user

The root account has permission to access TCOP by default and can monitor and set alarms for SCS. If you attempt to access TCOP with a sub-account, you will receive a CAM authentication error.
To resolve this, refer to Authorization Management or go to CAM to grant the preset policy QcloudMonitorFullAccess to the user. By granting the policy QcloudMonitorFullAccess from the root account to the sub-account, the sub-account gains permission to access TCOP.

Permission 2: Service Delegation Authorization

The underlying system services of SCS require your authorization delegation to properly access various cloud service resources such as CKafka, COS, and CLS within your VPC. This is the most fundamental authorization required for the normal operation of the SCS system. When this authorization is involved during your use of SCS, the system automatically displays an authorization page, where automatic authorization can be performed.
This authorization creates the default service role Oceanus_QCSRole. Both root accounts and sub-accounts can perform the service delegation authorization operation, but the sub-account must have the corresponding role management permissions:
Note:
If you use a sub-account for authorization, only sub-accounts with role creation permissions can successfully create the Oceanus_QCSRole service role. Before proceeding, add the QcloudCamRoleFullAccess or QcloudCamSubaccountsAuthorizeRoleFullAccess permission policy to the sub-account. If the sub-account has neither of these permission policies, the authorization operation fails.

Operation Steps

1. During your first use of SCS, the system automatically displays an authorization page. Complete the authorization operation as prompted to successfully create the Oceanus_QCSRole role.

2. Go to the authorization page:

3. After authorization is completed, the Oceanus_QCSRole role name appears in the role list.
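
The following Python audit is an added example, not Tencent Cloud code: it applies the policy rules from both permission sections above to a constructed list of sub-users and flags the cases worth reviewing, such as CAM-granted super administrators that are absent from the SCS user list and space roles capped by the read-only policy. The user names, the two space-role levels ("read-only" / "read-write") and the rule that the broader Oceanus policy applies when both are attached are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SUPER_ADMIN = {"AdministratorAccess", "QcloudOceanusManageAccess"}
ROLE_CREATORS = {"QcloudCamRoleFullAccess", "QcloudCamSubaccountsAuthorizeRoleFullAccess"}

@dataclass
class SubUser:
    name: str
    policies: set                     # preset policy names attached in CAM
    space_role: Optional[str] = None  # assumed levels: "read-only" / "read-write"
    in_scs_user_list: bool = False

def scs_access(u):
    """The CAM policy sets the ceiling; the space role sets the level under it."""
    if u.policies & SUPER_ADMIN:
        return "super-admin"          # no space role needed
    full = "QcloudOceanusFullAccess" in u.policies
    if not full and "QcloudOceanusReadOnlyAccess" not in u.policies:
        return "denied"               # CAM authentication error
    if u.space_role is None:
        return "pending"              # not effective until a space role is set
    # Assumption: with both Oceanus policies attached, the broader one applies.
    return u.space_role if full else "read-only"

def audit(u):
    access, findings = scs_access(u), []
    if access == "super-admin" and not u.in_scs_user_list:
        findings.append("super admin via CAM, absent from SCS user list")
    if access == "read-only" and u.space_role != "read-only":
        findings.append("space role capped to read-only by CAM policy")
    if access == "pending":
        findings.append("CAM policy attached, no space role configured")
    # role_creation_policy: one of the two policies named in the Note is attached.
    return {"access": access, "findings": findings,
            "tags": "QcloudTAGFullAccess" in u.policies,
            "tcop": "QcloudMonitorFullAccess" in u.policies,
            "role_creation_policy": bool(u.policies & ROLE_CREATORS)}

# Constructed inventory (user names and role levels are made up for this example).
USERS = [
    SubUser("ops-lead", {"AdministratorAccess"}),
    SubUser("dev-1", {"QcloudOceanusFullAccess", "QcloudTAGFullAccess"}, "read-write", True),
    SubUser("analyst", {"QcloudOceanusReadOnlyAccess", "QcloudMonitorFullAccess"},
            "read-write", True),
    SubUser("new-hire", {"QcloudOceanusFullAccess", "QcloudCamRoleFullAccess"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, audit(u))
```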

