Granting Tencent Cloud Service Permissions

Last updated: 2024-01-27 17:35:59
    Tencent Cloud Observability Platform (TCOP) allows a root account to grant a sub-account access permissions via Cloud Access Management (CAM). This document describes how to manage access permissions for a sub-account.

    Overview

    By default, a root account is the resource owner and has full access to all resources in the account, while a sub-account has no access to any resources. The root account must grant a sub-account access permissions for the sub-account to access resources. You can use your root account to log in to the CAM console and grant a sub-account access permissions. For more information, see Authorization Management.
    TCOP policies are subject to the policies of other Tencent Cloud services. When granting TCOP permissions to a sub-account, you also need to grant the corresponding cloud service permissions so that the Tencent Cloud Observability Platform permissions can take effect.
    Note:
    Permissions are used to allow or deny operations to access specific resources under certain conditions.
    Policies are syntax rules used to define and describe one or more permissions.

    Common Permission Configurations

    Note:
    The following uses CVM permission configuration as an example. For more information on how to grant permissions for other Tencent Cloud services, see the following scenarios and TCOP-related Tencent Cloud service policies.

    Common permissions

    Permission list

    | Permission Type | Permission Name |
    | --- | --- |
    | TCOP permission | QcloudMonitorFullAccess (full read/write permissions) and QcloudMonitorReadOnlyAccess (read-only permissions) |
    | CVM permission | QcloudCVMFullAccess (full read/write permissions) or QcloudCVMReadOnlyAccess (read-only permissions) |

    Features and permissions

    Note:
    You must authorize a role or grant the access permissions of all Tencent Cloud services to a sub-account so that the sub-account can access the Monitor Overview page normally, because that page involves the access permissions of multiple services.
    Feature
    Operation Permissions
    Access Permissions
    QcloudMonitorFullAccess
    QcloudMonitorReadOnlyAccess
    QcloudMonitorFullAccess
    QcloudMonitorReadOnlyAccess
    Dashboard
    ×
    Instance group
    Integration center
    ×
    Resource consumption
    ×
    Alarm record
    Alarm policy
    ×
    Trigger condition template
    ×
    Notification template
    ×
    Traffic monitoring
    Tencent Cloud service monitoring
    Note:
    A user with full read/write access permissions for particular Tencent Cloud services also has full read/write access to TCOP resources by default. For example, if you have the full read/write access permission (QcloudCVMFullAccess) for CVM, you'll have full read/write access to TCOP resources by default. To check which resources a policy allows access to, go to CAM Console > Policies and click the policy name.
    
    
    Note:
    If you have been properly granted TCOP permissions, you can access Tencent Cloud service resources with the read-only permission for them. The following table lists permissions for some Tencent Cloud services. For more information, see CAM-Enabled Products.
    | Tencent Cloud Service | Policy | Permission Description | Reference |
    | --- | --- | --- | --- |
    |  | QcloudCVMFullAccess | Full access permissions for CVM, including monitoring permissions for CVM, CLB and VPC |  |
    |  | QcloudCVMReadOnlyAccess | Read-only permissions for CVM resources |  |
    |  | QcloudCDBFullAccess | Full access permissions for TencentDB for MySQL, including the access to TencentDB for MySQL, as well as the security group, monitoring, user group, COS, VPC and KMS permissions related to TencentDB for MySQL. |  |
    |  | QcloudCDBReadOnlyAccess | Read-only permissions for TencentDB for MySQL resources |  |
    |  | QcloudMongoDBFullAccess | Full access permissions for TencentDB for MongoDB |  |
    |  | QcloudMongoDBReadOnlyAccess | Read-only permissions for TencentDB for MongoDB |  |
    |  | QcloudRedisFullAccess | Full access permissions for TencentDB for Redis |  |
    |  | QcloudRedisReadOnlyAccess | Read-only permissions for TencentDB for Redis |  |
    |  | QcloudTcaplusDBFullAccess | Full access permissions for TencentDB for TcaplusDB | Overview |
    |  | QcloudTcaplusDBReadOnlyAccess | Read-only permissions for TencentDB for TcaplusDB |  |
    | TDSQL for PostgreSQL | QcloudTBaseReadOnlyAccess | Read-only permissions for TDSQL for PostgreSQL | - |
    |  | QcloudElasticsearchServiceFullAccess | Full access permissions for Elasticsearch Service |  |
    |  | QcloudElasticsearchServiceReadOnlyAccess | Read-only permissions for Elasticsearch Service |  |
    |  | QcloudVPCFullAccess | Full access permissions for VPC |  |
    |  | QcloudVPCReadOnlyAccess | Read-only permissions for VPC |  |
    |  | QcloudDCFullAccess | Full access permissions for DC | - |
    |  | QcloudCmqQueueFullAccess | Full access permissions for CMQ, including permissions for queues and Tencent Cloud Observability Platform | - |
    |  | QcloudCKafkaFullAccess | Full access permissions for Message Queue CKafka |  |
    |  | QcloudCkafkaReadOnlyAccess | Read-only permissions for Message Queue CKafka |  |
    |  | QcloudCOSFullAccess | Full access permissions for COS |  |
    |  | QcloudCOSReadOnlyAccess | Read-only permissions for COS |  |
    |  | QcloudCLBFullAccess | Full access permissions for CLB |  |
    |  | QcloudCLBReadOnlyAccess | Read-only permissions for CLB |  |
    |  | QcloudCFSFullAccess | Full access permissions for CFS |  |
    |  | QcloudCFSReadOnlyAccess | Read-only permissions for CFS |  |
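
The notes above have two review consequences: a service FullAccess policy can carry TCOP read/write access that the sub-account was never explicitly given, and a TCOP policy attached without any service policy does not take effect. The following audit sketch is an added example, not Tencent Cloud code; the sub-account names and attachment map are constructed, and the set of policies treated as implying TCOP write access is limited to those whose descriptions on this page mention monitoring or TCOP.

```python
import re

# Assumption: only the preset policies whose description on this page mentions
# monitoring/TCOP are listed here. Confirm others under CAM Console > Policies.
IMPLIES_TCOP_WRITE = {"QcloudCVMFullAccess", "QcloudCDBFullAccess", "QcloudCmqQueueFullAccess"}
TCOP_FULL, TCOP_READ = "QcloudMonitorFullAccess", "QcloudMonitorReadOnlyAccess"
TCOP_POLICIES = {TCOP_FULL, TCOP_READ}

# Preset-policy naming pattern as it appears in the tables on this page.
_PRESET = re.compile(r"^Qcloud([A-Za-z]+?)(Full|ReadOnly)Access$")


def audit(attachments):
    """Return sorted (sub_account, finding, detail) tuples.

    attachments: {sub_account: [preset policy names attached to it]}.
    Custom (non-preset) policy names are ignored by this sketch.
    """
    findings = []
    for user, policies in attachments.items():
        held = set(policies)
        tcop_held = held & TCOP_POLICIES
        service_held = {p for p in held if _PRESET.match(p)} - TCOP_POLICIES

        # Service FullAccess policy grants TCOP read/write by default, even
        # though the sub-account holds no TCOP policy or only the read-only one.
        implied = sorted(held & IMPLIES_TCOP_WRITE)
        if implied and TCOP_FULL not in held:
            findings.append((user, "implicit-tcop-write", ",".join(implied)))

        # TCOP policy with no corresponding service policy: per the Overview,
        # the TCOP permission needs the service permission to take effect.
        if tcop_held and not service_held:
            findings.append((user, "tcop-without-service", ",".join(sorted(tcop_held))))
    return sorted(findings)


# Constructed sample: sub-account names and attachments are illustrative only.
SAMPLE = {
    "dashboard-viewer": ["QcloudMonitorReadOnlyAccess", "QcloudCVMFullAccess"],
    "alarm-admin": ["QcloudMonitorFullAccess"],
    "ops-readonly": ["QcloudMonitorReadOnlyAccess", "QcloudCVMReadOnlyAccess"],
    "db-operator": ["QcloudCDBFullAccess"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
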
    