Authorization Policy Syntax

Tencent Smart Advisor

Release Notes

Product Introduction

Overview

Features

Introduction to TSA - Cloud Risk Assessment

Introduction to TSA - Chaotic Fault Generator

Strengths

Strenths to TSA - Cloud Risk Assessment

Strenths to TSA - Chaotic Fault Generator

Use Cases

Purchase Guide

Getting Started

Quick Start to TSA - Cloud Risk Assessment

Quick Start to TSA - Chaotic Fault Generator

Quick Start with the Console

Quick Start with API

Operation Guide

Operation Guide to TSA - Cloud Risk Assessment

Inspection Report

Generating Report

Subscribing to Report

Managing Custom Report Templates

Assessment Items

Enabling/Disabling Assessment Items

Modifying Custom Rules

Ignoring/Adding Resources

Risks

Querying Risk Trends

Querying Risk Details

Operation Guide to TSA - Chaotic Fault Generator

Template Library

Using Industry Template Library

Creating a Template Library

Experiments

Pre-Checking Environment for Chaos Engineering Experiments

Creating an Experiment

Exporting Experiment Reports

Fault Action

Editing Action Parameters

Concurrent Injection of Multiple Action Groups in Experiments

Guide to Viewing Action Execution Duration Data

Guardrail Monitoring

Using Guardrails

Tag

Managing Permissions with Tags

Agent Management

Fault Action Library

Compute

JVM Process CPU at Full Load

Cross-AZ Experiment in CVM

CVM DNS Unavailability Experiment

CVM Domain Name Parsing Tampering Experiment

CVM System Time Skew

CVM Disk IO Hang Fault Experiment

CVM Memory OOM and Disk IO Load

Experiments on CVM Intra-host Network Disorder

CVM Kernel Faults

Experiments on CVM Intra-host Network Latency

High Utilization of CVM Resources (CPU, Memory, and Disk)

Experiments on CVM Intra-host Network Corruption

Experiments on CVM Intra-host Network Duplication

Experiments on CVM Intra-host Network Occupation

CVM Network Interruption

CVM Ping Unreachable

Cloud API Ban in CVM

Database

Primary-secondary Switch in TencentDB for PostgreSQL

MySQL Instance Overall Unavailable

Primary-secondary Switch in MySQL

Setting Maximum Number of Connections in MySQL

Primary Node Fault Experiment on TencentDB for MySQL

TencentDB for MySQL Read-only Instance Group Unavailable

Primary-secondary Switch in TDSQL for MySQM

Primary-secondary Switch in MariaDB

Primary/Replica Switch in TDSQL-C

Practice of TencentDB for Redis Proxy Node Faults

TencentDB for Redis Primary Node Fault

Primary-secondary Nodes in TencentDB for Redis Instance Unavailable

Simulating Primary-secondary Switch in Redis

Simulating MongoDB Storage Node Fault

Simulating Self-Built MySQL Crash Through Network Blocking

Restart TencentDB for MySQL

Primary-secondary Switch in SQL Server

Network

VPC Subnet Network Isolation

NAT Gateway Fault Experiment Case

Container

Simulating Container Resource Network Faults

Experiment on Container Resource Pod Operation Faults

Experiment on Container Resource Node Faults

Experiment on Container Resource Application Process Faults

Standard Cluster and Serverless Cluster Super Node Faults

Serverless Pod Fault Experiment Case

Cluster Node Resource (CPU, Memory, Disk) Stress Test Faults

Serverless Pod Virtual Node Shutdown Faults

Simulating Serverless Cluster Pod Network Faults

High Cluster Pod Resource (CPU, Memory, and Disk) Utilization Rate

Cluster Pod TencentCloud API Ban

Big Data

Elasticsearch Service Node Down

Cloud Load Balancer

CLB Stop Fault

Message Queue

CKafka Broker High Disk IO Load

CKafka Broker High CPU Load

CKafka Broker Down

TDMQ for RabbitMQ Broker Down

Direct Connect

Simulating DC Tunnel Disconnection Faults

Custom Actions

Expanding Fault Injection Actions with Custom Scripts

Performing Single-Core CPU Stress Test with Custom Actions

Implementing CPU Accumulation Faults with Custom Actions

Implementing CRS Connection Count Increase with Custom Actions

Injecting PowerShell Scripts for Windows Systems

Cloud Streaming Services (CSS)

Stream Push Interruption

Stream Push Disabled

Primary-Secondary Stream Switch

Primary-secondary Stream Single Path Interruption

Permission Management

Role Permissions Related to Service Authorization

Permission Management Guide to TSA - Chaotic Fault Generator

Overview

Authorization Policy Syntax

Authorizable Resource Types

Service Authorization and Role Permissions

Sub-users and Authorization

FAQs

FAQs: TSA - Cloud Risk Assessment

FAQs: TSA - Chaotic Fault Generator

Related Protocol

DATA PRIVACY AND SECURITY AGREEMENT MODULE CHAOTIC FAULT GENERATOR

DocumentationTencent Smart AdvisorOperation GuidePermission ManagementPermission Management Guide to TSA - Chaotic Fault GeneratorAuthorization Policy Syntax

Authorization Policy Syntax

Download PDF

Last updated: 2025-03-24 15:29:55

Authorization Policy Syntax

Last updated: 2025-03-24 15:29:55

Download PDF

Policy Syntax
CAM policy:
{	 
        "version":"2.0", 
        "statement": 
        [ 
           { 
              "effect":"effect", 
              "action":["action"], 
              "resource":["resource"]
           } 
       ] 
} 
version: Required. Currently, only the value 2.0 is allowed.
statement: It is used to describe the detailed information of one or more permissions. This element covers permissions or permission sets of several other elements such as effect, action, resource, and condition. A policy has only one statement element.
effect: Required. This element describes the statement results. Value options: allow (allow) and deny (explicitly deny).
action: Required. This element describes the allowing or denial actions. Actions can be APIs (prefixed with cfg:).
resource: Required. This element describes the specific data of authorization. The resources are described in a six-segment format, and the resource definition details of each product are different.
Tencent Cloud Smart Advisor-Chaotic Fault Generator (CFG) Operations
In the CFG policy statement, you can specify any API operation from any service that supports Tencent Cloud Smart Advisor-Chaotic Fault Generator. For CFG, use the API prefixed with cfg:. Example: cfg:CreateTask or cfg:CreateTemplate.
To specify multiple operations in one statement, separate them with commas as follows:
"action":["cfg:action1","cfg:action2"]
You can also use wildcards to specify multiple operations. For example, you can specify all operations that begin with the word "Describe" as follows:
"action":["cfg:Describe*"]
If you want to specify all operations in the cloud database, use the * wildcard character as follows:
"action": ["cfg:*"]
CFG Resources
Each CAM policy statement is applicable to specific resources. The general format of resources is as follows:
qcs:project_id:service_type:region:account:resource
project_id: Describe the project information. It is only for compatibility with early CAM logic and does not need to be filled in.
service_type: product abbreviation, such as cfg.
region : regional information, such as ap-guangzhou.
account: root account of the resource owner, such as uin/653339763.
resource: specific resource details of each product, such as instanceId/instance_id1 or instanceId/*
For example, you can specify the specific task ID (1) in the statement as follows:
"resource":[ "qcs::cfg:ap-guangzhou:uin/11111:taskid/1"]
You can also use the * wildcard character to specify all instances belonging to a specific account, as follows:
"resource":[ "qcs::cfg:ap-guangzhou:uin/11111:taskid/*"]
If you want to specify all resources, or if a particular API action does not support resource-level permissions, use the * wildcard character in the Resource element, as follows:
"resource": ["*"]
To specify multiple resources in one instruction, separate them with a comma. The following is an example of specifying two resources:
"resource":["resource1","resource2"]
The following table describes the resources that can be used by CFG and the corresponding resource description methods. The word prefixed by $ is an alias, region refers to the target region, and account refers to the account ID.
Resource
Resource Description Method in Authorization Policy
Experiment
qcs::cfg:$region:$account:taskid/$TaskId
Template library
qcs::cfg::$account:templateid/$TemplateId
Custom action
qcs::cfg::$account:actionid/$ActionId

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

Resource	Resource Description Method in Authorization Policy
Experiment	`qcs::cfg:$region:$account:taskid/$TaskId`
Template library	`qcs::cfg::$account:templateid/$TemplateId`
Custom action	`qcs::cfg::$account:actionid/$ActionId`

tencent cloud

New User Offers

Next-Generation CDN：EdgeOne

Elasticsearch Service Special Offers

Free Tier

Tencent Cloud Startup Program

Special Offers

Lighthouse Special Offers

Cloud Object Storage Special Offers

Featured Products

New Products

Education

Tencent Cloud Online Education Solutions

Gaming

Gaming Solution

Game Media Solutions

Financial Services

Financial Services Solution

Audio & Video

Audio/Video Solution

LVB Recording Solution

Interactive Classroom Solution

Interactive Live Streaming Solution

Audio Chat Social Networking Solution

Real Estate

Tencent Cloud LinkBase(Weiling)

E-commerce

E-commerce retail solutions

Compute

Cloud Virtual Machine

Auto Scaling

Batch Compute

CVM Dedicated Host

Database

TencentDB for MySQL

TencentDB for Redis®

TencentDB for CTSDB

TDSQL for MySQL

Data Transfer Service

TencentDB for MongoDB

TencentDB for PostgreSQL

TencentDB for SQL Server

TencentDB for TcaplusDB

Video Service

Cloud Streaming Services

Video on Demand

Media Processing Service

Cloud Application Rendering

Cloud Contact Center

Game Multimedia Engine

Chat

Real-time Communication

Tencent Effect SDK

AI and Machine Learning

Image Creation Large Model

Face Fusion

eKYC

Optical Character Recognition

Video Creation Large Model

Industry Applications

Tencent HealthCare Omics Platform

Container and Middleware

TDMQ for CKafka

Serverless Cloud Function

Tencent Kubernetes Engine

Tencent Kubernetes Engine for Serverless

Networking

Cloud Load Balancer

Virtual Private Cloud

Direct Connect

Cloud Connect Network

NAT Gateway

VPN Connection

Bandwidth Package

Anycast Internet Acceleration

Elastic Network Interface

Flow Logs

Global Application Acceleration Platform

Security

Captcha