tencent cloud

Feedback

Advanced Custom Configuration

Last updated: 2024-01-16 17:43:54

    Overview

    If you use the Tencent Push Notification Service service in Tencent Cloud, and the service is managed by different users sharing your Tencent Cloud account key, the following problems may occur:
    The risk of your key being compromised is high since multiple users are sharing it.
    Your users might introduce security risks from misoperations due to the lack of user access control.
    You can allow different users to manage different services through sub-accounts to avoid the above problems. By default, a sub-account does not have permission to use a Tencent Push Notification Service service or related resources. Therefore, you need to create a policy to grant the required permission to the sub-account. Tencent Cloud’s Cloud Access Management (CAM) is a web service that helps you manage the access permissions for resources under your Tencent Cloud accounts. With CAM, you can create, manage, or terminate users (groups), and manage identities and policies to allow specific users to access and use specific Tencent Cloud resources. You can use CAM to associate a user/user group with a policy, which allows/denies the user to use specified resources to perform specified tasks. For CAM policy basics, please see Syntax Logic. For the use of CAM policies, please see Policy.
    Note:
    If you do not need to manage access permissions to Tencent Push Notification Service resources for sub-accounts, you can skip this part. This will not affect your understanding and use of other parts of the documentation.

    Policy Syntax Description

    A CAM policy must authorize or deny the use of one or more Tencent Push Notification Service operations. At the same time, it must specify the resources that can be used for the operations (which can be all resources or partial resources for certain operations). For Tencent Push Notification Service operations that do not support resource-level authorization, you need to specify the authorized object as all resources. CAM policy syntax description:
    {
    "version":"2.0",
    "statement":
    [
    {
    "effect":"effect",
    "action":["action"],
    "resource":["resource"],
    "condition": {"key":{"value"}}
    }
    ]
    }
    Parameter description:
    Parameter
    Required
    Description
    version
    Yes
    Version number. Currently, only "2.0" is supported.
    statement
    Yes
    This element describes the details of one or more permissions. It contains a permission or permission set of other elements such as effect, action, resource, and condition. One policy has only one statement. An action (operation) describes an allowed or denied operation, which can be an API or a feature set (a set of specific APIs prefixed with permid).
    resource
    Yes
    The specific resource. A resource is described in a six-segment format. Detailed resource definitions vary with the products. For more information about how to specify a resource, please see the documentation of the corresponding product.
    condition
    No
    The condition for the policy to take effect. A condition consists of the operator, action key, and action value. A condition value may be the time, IP address, etc. Some services allow you to specify additional values in a condition.
    effect
    Yes
    Describes whether the statement result is "allowed" (allow) or "explicitly denied" (deny).

    Creating Policy and Granting Permissions

    Two types of system-level policies are preset for you to quickly grant permissions. You can go to the console > Cloud Access Management > Policies, click Create Custom Policy, and select Create by Policy Syntax, as shown below:
    
    On the Create by Policy Syntax page, you can search and find two preset policy templates, which grants full access and read-only access, respectively (you can view the list of specific permissions during policy creation). You can select a template and edit it or create a blank template.
    
    After creating a policy, you can find it on the Policies page in the CAM console and associate it with a sub-user to complete the permission configuration. This document describes how to perform CAM authorization in Tencent Push Notification Service.

    Authorizable Tencent Push Notification Service Resources

    Resource-level permission can be used to specify which resources a user can manipulate. The type of resources that can be authorized in Tencent Push Notification Service is "app", that is, you can grant resource-level permissions in CAM at the app granularity. The resource description method is as follows:
    qcs::tpns::uin/1000000000:app/*
    Here, * indicates all resources at the app granularity, which can be replaced with the Access ID. You can find the app's Access ID in the Product Management module in the Tencent Push Notification Service Console. For the uin, get the account ID on the Account Info page in the console and replace the uin with it (such as 1000000000, which is a sample Tencent Cloud ID of a root account).
    When authorizing multiple resources, separate them with commas.

    Tencent Push Notification Service Operations That Can Be Authorized

    In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed withname/tpns: should be used for Tencent Push Notification Service, such as name/tpns:CreateProduct. To specify multiple operations in a single statement, separate them with commas as shown below:
    "action":["tpns:action1","tpns:action2"]
    You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
    "action":["tpns:Describe*"]
    To specify all Tencent Push Notification Service operations, use an asterisk (*) as follows:
    "action"["tpns:*"]
    The following table describes the list of authorizable operations:
    Note:
    Only operations that support resource-level permissions can be authorized at the app level.
    Operation
    Description
    Resource-Level Permission Supported
    AddChannelInfo
    Adds vendor-specific channel
    Yes
    CancelPush
    Cancels scheduled push task
    Yes
    CreateApp
    Creates app
    No
    CreateAppTrialRequest
    Applies for product trial
    Yes
    CreateProduct
    Creates product
    No
    DeleteAppInfo
    Deletes app
    Yes
    DeleteProductInfo
    Deletes product
    No
    DescribeApnsCertInfo
    Queries APNS certificate information
    Yes
    DescribeAppAllTags
    Queries all tag information
    Yes
    DescribeAppInfo
    Queries app information
    Yes
    DescribeAppVipInfo
    Queries VIP information
    Yes
    DescribeChannelInfo
    Queries vendor-specific channel information
    Yes
    DescribeProductInfo
    Queries product information
    No
    DescribeTagTokenNums
    Queries the number of devices under the tag
    Yes
    DownloadPushPackage
    Downloads push number package
    Yes
    DescribeAccountByToken
    Queries account bound to device
    Yes
    DescribeAccountPushStatInfo
    Queries the total number of push messages under account
    No
    DescribeAccountPushStatInfoAllZone
    Queries the total number of messages supposed to be sent by all apps in cluster
    No
    DescribeAppSecretInfo
    Queries AppSecret information
    Yes
    DescribeDeviceStatOverview
    Queries the number of accumulated and daily active devices of app
    Yes
    DescribeProductDeviceStatWithRatioOverview
    Queries app statistics
    Yes
    DescribePushPackaDescribeoken
    Uploads number package to get temporary COS token
    Yes
    DescribePushTaskGroupStatAllChannel
    Queries the aggregated data of pushes in all channels
    Yes
    DescribePushTaskStatAllChannel
    Queries the data of each push channel
    Yes
    DescribeTagsByToken
    Queries tags bound to device
    Yes
    DescribeTokenInfos
    Queries tokenInfo information
    No
    DescribePushInfos
    Queries push list
    Yes
    ModifyAppInfo
    Updates app information
    Yes
    ModifyProductInfo
    Updates product information
    No
    CreatePush
    Creates push
    Yes
    UpdateAppStatus
    Updates app status
    Yes
    UploadCert
    Uploads iOS certificate
    Yes
    UploadPushPackage
    Uploads push number package
    Yes
    DescribePlanPushInfos
    Queries the task list under the push plan
    Yes
    DescribePushPlans
    Queries the list information about the push plan
    Yes
    UpdatePushPlan
    Modifies a push plan
    Yes
    DeletePushPlan
    Deletes a push plan
    Yes
    CreatePushPlan
    Creates a push plan
    Yes

    Sample Policy for Operations Personnel

    Suppose that the main responsibilities of the operations personnel are to view push records and create pushes. Then, the operation permissions can be queried according to the list of authorizable operations above:
    All query operations
    Canceling scheduled push tasks
    Creating pushes
    Uploading push number packages
    Downloading push number packages
    Assume that the root account ID is 1000000000, and the Access_id values of the authorized applications are 1500000000 and 1500000001, respectively. The corresponding policy syntax should be as follows:
    //
    {
    "version": "2.0",
    "statement": [
    {
    "action": [
    "tpns:Describe*",
    "tpns:CancelPush",
    "tpns:DownloadPushPackage",
    "tpns:CreatePush",
    "tpns:UploadPushPackage"
    ],
    "resource": [
    "qcs::tpns::uin/1000000000:app/1500000000","qcs::tpns::uin/1000000000:app/1500000001"
    ],
    "effect": "allow"
    },
    {
    "action": [
    "tpns:Describe*"
    ],
    "resource": [
    "qcs::tpns::uin/1000000000:other/*"
    ],
    "effect": "allow"
    }
    
    ]
    }
    The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.

    Sample Policy for Developers

    Suppose that the main responsibilities of developers are to access and test. Then, all operation permissions should be granted. Assume that the root account ID is 1000000000, and the Access_id values of the authorized applications are 1500000000 and 1500000001, respectively. The corresponding policy syntax should be as follows:
    //
    {
    "version": "2.0",
    "statement": [
    {
    "action": "*",
    "resource": [
    "qcs::tpns::uin/1000000000:app/1500000000","qcs::tpns::uin/1000000000:app/1500000001"
    ],
    "effect": "allow"
    },
    {
    "action": [
    "tpns:Describe*"
    ],
    "resource": [
    "qcs::tpns::uin/1000000000:other/*"
    ],
    "effect": "allow"
    }
    
    ]
    }
    The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support