Granting Tencent Cloud Service Permissions

Last updated: 2024-01-27 17:35:59

Tencent Cloud Observability Platform (TCOP) allows a root account to grant a sub-account access permissions via Cloud Access Management (CAM). This document describes how to manage access permissions for a sub-account.
Overview
By default, a root account is the resource owner and has full access to all resources in the account, while a sub-account has no access to any resources. The root account must grant a sub-account access permissions for the sub-account to access resources. You can use your root account to log in to the CAM console and grant a sub-account access permissions. For more information, see Authorization Management.
TCOP policies are subject to the policies of other Tencent Cloud services. When granting TCOP permissions to a sub-account, you also need to grant the corresponding cloud service permissions so that the Tencent Cloud Observability Platform permissions can take effect.
Note: 
Permissions are used to allow or deny operations to access specific resources under certain conditions.
Policies are syntax rules used to define and describe one or more permissions.
Common Permission Configurations
Note: 
Below takes CVM permission configuration as an example. For more information on how to grant permissions for other Tencent Cloud services, see the following scenarios and TCOP-related Tencent Cloud service policies.
Common permissions
Permission list
Permission Type
Permission Name
TCOP permission
QcloudMonitorFullAccess (full read/write permissions) and QcloudMonitorReadOnlyAccess (read-only permissions)
CVM permission
QcloudCVMFullAccess (full read/write permissions) or QcloudCVMReadOnlyAccess (read-only permissions)
Features and permissions
Note: 
You must authorize a role or grant the access permissions of all Tencent Cloud services to a sub-account so that the sub-account can normally access the Monitor Overview page, because the access permissions of multiple services are involved here.
Feature
Operation Permissions
﻿
Access Permissions
﻿
﻿
QcloudMonitorFullAccess
QcloudMonitorReadOnlyAccess
QcloudMonitorFullAccess
QcloudMonitorReadOnlyAccess
Dashboard
✓
×
✓
✓
Instance group
✓
✓
✓
✓
Integration center
✓
×
✓
✓
Resource consumption
✓
×
✓
✓
Alarm record
✓
✓
✓
✓
Alarm policy
✓
×
✓
✓
Trigger condition template
✓
×
✓
✓
Notification template
✓
×
✓
✓
Traffic monitoring
✓
✓
✓
✓
Tencent Cloud service monitoring
✓
✓
✓
✓
Note: 
A user with full read/write access permissions for particular Tencent Cloud services also has full read/write access to TCOP resources by default. For example, if you have the full read/write access permission (QcloudCVMFullAccess) for CVM, you’ll have full read/write access to TCOP resources by default. You can go to CAM Console > Policies and click a policy name to check the access to what resources is allowed by this policy.
﻿
﻿
TCOP-related Tencent Cloud service policies
Note: 
If you have been properly granted TCOP permissions, you can access Tencent Cloud service resources with the read-only permission for them. The following table lists permissions for some Tencent Cloud services. For more information, see CAM-Enabled Products.
Tencent Cloud Service
Policy
Permission Description
Reference
﻿Cloud Virtual Machine (CVM)﻿
QcloudCVMFullAccess
Full access permissions for CVM, including monitoring permissions for CVM, CLB and VPC
﻿Sample Console Configuration﻿
﻿
﻿
QcloudCVMReadOnlyAccess
Read-only permissions for CVM resources
﻿TencentDB for MySQL﻿
QcloudCDBFullAccess
Full access permissions for TencentDB for MySQL, including the access to TencentDB for MySQL, as well as the security group, monitoring, user group, COS, VPC and KMS permissions related to TencentDB for MySQL.
﻿Console Examples﻿
﻿
﻿
QcloudCDBReadOnlyAccess
Read-only permissions for TencentDB for MySQL resources
﻿TencentDB for MongoDB﻿
QcloudMongoDBFullAccess
Full access permissions for TencentDB for MongoDB
﻿Access Management﻿
﻿
﻿
QcloudMongoDBReadOnlyAccess
Read-only permissions for TencentDB for MongoDB
﻿TencentDB for Redis﻿
QcloudRedisFullAccess
Full access permissions for TencentDB for Redis
﻿Access Management﻿
﻿
﻿
QcloudRedisReadOnlyAccess
Read-only permissions for TencentDB for Redis
﻿TencentDB for TcaplusDB﻿
QcloudTcaplusDBFullAccess
Full access permissions for TencentDB for TcaplusDB
﻿Overview﻿
﻿
﻿
QcloudTcaplusDBReadOnlyAccess
Read-only permissions for TencentDB for TcaplusDB
TDSQL for PostgreSQL
QcloudTBaseReadOnlyAccess
Read-only permissions for TDSQL for PostgreSQL
-
﻿Elasticsearch Service﻿
QcloudElasticsearchServiceFullAccess
Full access permissions for Elasticsearch Service
﻿CAM-Based Access Control Configuration﻿
﻿
﻿
QcloudElasticsearchServiceReadOnlyAccess
Read-only permissions for Elasticsearch Service
﻿Virtual Private Cloud﻿
QcloudVPCFullAccess
Full access permissions for VPC
﻿Access Management﻿
﻿
﻿
QcloudVPCReadOnlyAccess
Read-only permissions for VPC
﻿Direct Connect (DC)﻿
QcloudDCFullAccess
Full access permissions for DC
-
﻿Cloud Message Queue (CMQ)﻿
QcloudCmqQueueFullAccess
Full access permissions for CMQ, including permissions for queues and Tencent Cloud Observability Platform
-
﻿Message Queue CKafka﻿
QcloudCKafkaFullAccess
Full access permissions for Message Queue CKafka
﻿Configuring ACL Policy﻿
﻿
﻿
QcloudCkafkaReadOnlyAccess
Read-only permissions for Message Queue Ckafka
﻿Cloud Object Storage (COS)﻿
QcloudCOSFullAccess
Full access permissions for COS
﻿Access Control and Permission Management﻿
﻿
﻿
QcloudCOSReadOnlyAccess
Read-only permissions for COS
﻿Cloud Load Balancer (CLB)﻿
QcloudCLBFullAccess
Full access permissions for CLB
﻿Cloud Access Management﻿
﻿
﻿
QcloudCLBReadOnlyAccess
Read-only permissions for CLB
﻿Cloud File Storage (CFS)﻿
QcloudCFSFullAccess
Full access permissions for CFS
﻿Access Management﻿
﻿
﻿
QcloudCFSReadOnlyAccess
Read-only permissions for CFS
﻿

tencent cloud

Recent Pages

Granting Tencent Cloud Service Permissions

Overview

Common Permission Configurations

Common permissions

Permission list

Features and permissions

Was this page helpful?

Was this page helpful?

Permission Type	Permission Name
TCOP permission	`QcloudMonitorFullAccess` (full read/write permissions) and `QcloudMonitorReadOnlyAccess` (read-only permissions)
CVM permission	`QcloudCVMFullAccess` (full read/write permissions) or `QcloudCVMReadOnlyAccess` (read-only permissions)

Feature	Operation Permissions			Access Permissions
Feature		QcloudMonitorFullAccess	QcloudMonitorReadOnlyAccess	QcloudMonitorFullAccess	QcloudMonitorReadOnlyAccess
Dashboard	✓	×	✓	✓
Instance group	✓	✓	✓	✓
Integration center	✓	×	✓	✓
Resource consumption	✓	×	✓	✓
Alarm record	✓	✓	✓	✓
Alarm policy	✓	×	✓	✓
Trigger condition template	✓	×	✓	✓
Notification template	✓	×	✓	✓
Traffic monitoring	✓	✓	✓	✓
Tencent Cloud service monitoring	✓	✓	✓	✓

Tencent Cloud Service	Policy	Permission Description	Reference
Cloud Virtual Machine (CVM)	QcloudCVMFullAccess	Full access permissions for CVM, including monitoring permissions for CVM, CLB and VPC	Sample Console Configuration
Cloud Virtual Machine (CVM)			Sample Console Configuration	QcloudCVMReadOnlyAccess	Read-only permissions for CVM resources
TencentDB for MySQL	QcloudCDBFullAccess	Full access permissions for TencentDB for MySQL, including the access to TencentDB for MySQL, as well as the security group, monitoring, user group, COS, VPC and KMS permissions related to TencentDB for MySQL.	Console Examples
TencentDB for MySQL			Console Examples	QcloudCDBReadOnlyAccess	Read-only permissions for TencentDB for MySQL resources
TencentDB for MongoDB	QcloudMongoDBFullAccess	Full access permissions for TencentDB for MongoDB	Access Management
TencentDB for MongoDB			Access Management	QcloudMongoDBReadOnlyAccess	Read-only permissions for TencentDB for MongoDB
TencentDB for Redis	QcloudRedisFullAccess	Full access permissions for TencentDB for Redis	Access Management
TencentDB for Redis			Access Management	QcloudRedisReadOnlyAccess	Read-only permissions for TencentDB for Redis
TencentDB for TcaplusDB	QcloudTcaplusDBFullAccess	Full access permissions for TencentDB for TcaplusDB	Overview
TencentDB for TcaplusDB			Overview	QcloudTcaplusDBReadOnlyAccess	Read-only permissions for TencentDB for TcaplusDB
TDSQL for PostgreSQL	QcloudTBaseReadOnlyAccess	Read-only permissions for TDSQL for PostgreSQL	-
Elasticsearch Service	QcloudElasticsearchServiceFullAccess	Full access permissions for Elasticsearch Service	CAM-Based Access Control Configuration
Elasticsearch Service			CAM-Based Access Control Configuration	QcloudElasticsearchServiceReadOnlyAccess	Read-only permissions for Elasticsearch Service
Virtual Private Cloud	QcloudVPCFullAccess	Full access permissions for VPC	Access Management
Virtual Private Cloud			Access Management	QcloudVPCReadOnlyAccess	Read-only permissions for VPC
Direct Connect (DC)	QcloudDCFullAccess	Full access permissions for DC	-
Cloud Message Queue (CMQ)	QcloudCmqQueueFullAccess	Full access permissions for CMQ, including permissions for queues and Tencent Cloud Observability Platform	-
Message Queue CKafka	QcloudCKafkaFullAccess	Full access permissions for Message Queue CKafka	Configuring ACL Policy
Message Queue CKafka			Configuring ACL Policy	QcloudCkafkaReadOnlyAccess	Read-only permissions for Message Queue Ckafka
Cloud Object Storage (COS)	QcloudCOSFullAccess	Full access permissions for COS	Access Control and Permission Management
Cloud Object Storage (COS)			Access Control and Permission Management	QcloudCOSReadOnlyAccess	Read-only permissions for COS
Cloud Load Balancer (CLB)	QcloudCLBFullAccess	Full access permissions for CLB	Cloud Access Management
Cloud Load Balancer (CLB)			Cloud Access Management	QcloudCLBReadOnlyAccess	Read-only permissions for CLB
Cloud File Storage (CFS)	QcloudCFSFullAccess	Full access permissions for CFS	Access Management
Cloud File Storage (CFS)			Access Management	QcloudCFSReadOnlyAccess	Read-only permissions for CFS

tencent cloud

Sign Up

Log in

Recent Pages

Granting Tencent Cloud Service Permissions

Overview

Common Permission Configurations

Common permissions

Permission list

Features and permissions

TCOP-related Tencent Cloud service policies

Was this page helpful?

Was this page helpful?