Tencent Cloud Observability Platform
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Application Performance Management
- Pay-as-you-go (Postpaid)
- Packages (Prepaid)
- Mobile App Performance Monitoring
- Real User Monitoring
- Cloud Automated Testing
- Prometheus Monitoring
- Pay-as-You-Go (Postpaid)
- Quick Start
- EventBridge
- Cloud Product Monitoring
- Tencent Cloud Service Metrics
- Microservice
- Networking
- TencentDB
- TencentDB for Redis Monitoring Metrics
- CPM
- CDN And EdgeOne
- Operation Guide
- Cloud Monitoring Overview
- Monitoring View
- CM Connection to Grafana
- Troubleshooting
- Application Performance Management
- Access Guide
- Accessing Go Application
- Accessing Java Application
- Accessing Python Application
- Accessing Node.js Application
- Accessing PHP Application
- Accessing .NET Application
- Operation Guide
- Resource Management
- Application Monitoring
- Application Diagnosis
- Database Call Monitoring
- Access Management
- Alarm Service
- System Configuration
- Associate Logs
- Inject TraceID Into Logs
- Practical Tutorial
- Parameter Information
- APM Data Protocol Standard
- Mobile App Performance Monitoring
- Access Guide
- Android Use Cases
- iOS Use Cases
- Tencent Cloud Real User Monitoring
- Operation Guide
- Application Management
- Access Management
- Resource Tag
- Connection Guide
- Web Use Cases
- Cloud Automated Testing
- Operation Guide
- Creating Test Task
- Testing Statistics
- Access Management
- References
- Testing Nodes
- FAQs
- Performance Testing Service
- Operation Guide
- Performance Testing in Script Mode
- Script Examples
- HTTP-based Performance Testing
- Performance Testing in JMeter Mode
- Project Management
- Scenario Management
- Advanced Configuration
- Export Stress Test Indicators
- Traffic Recording
- Performance Testing Report
- Access Control
- Alarm Management
- Tag Management
- Practice Tutorial
- JavaScript API List
- pts/http
- Response
- pts/dataset
- pts/grpc
- pts/jsonpath
- pts/redis
- pts/url
- URL
- pts/util
- pts/ws
- pts/socketio
- socketio
- pts/socket
- Prometheus Monitoring
- Product Introduction
- Access Guide
- EMR Integration
- Java Application Integration
- Exporter Integration
- Operation Guide
- Instance
- Recording Rule
- Alerting Rule
- Access Control
- TKE Metrics
- Practical Tutorial
- Terraform
- Grafana
- Operation Guide
- Instance
- Tencent Cloud Service Integration
- Plugin Management
- Dashboard
- Operation Guide
- Configuring Dashboard
- Monitoring Charts
- Creating Chart
- Use Cases of Different Chart Types
- Alarm Management
- Console Operation Guide
- Alarm Policy
- Configuring alert trigger conditions
- Alarm Notification
- Alarm Callback
- Alarm Receiving Channels and SMS Quota
- Dynamic Threshold Alarm
- Silencing Alarm
- EventBridge
- Product Introduction
- Practical Tutorial
- Migrating Event Alarm
- FAQs
- Related Agreements
- API Documentation
- Making API Requests
- Monitoring Data Query APIs
- Alarm APIs
- Notification Template APIs
- Legacy Alert APIs
- Prometheus Service APIs
- Grafana Service APIs
- Event Center APIs
- TencentCloud Managed Service for Prometheus APIs
- Monitoring APIs
DocumentationTencent Cloud Observability PlatformAlarm ManagementConsole Operation GuideAccess ManagementAuthorization Policy Syntax
Authorization Policy Syntax
Last updated: 2024-01-27 17:35:59
Overview
An access policy that employs the JSON-based access policy language is used to grant access to Tencent Cloud Observability Platform (TCOP) resources. You can authorize a specified principal to perform actions on a specified TCOP resource through the access policy language.
Policy Syntax
CAM policy:
{"version":"2.0","statement":[{"effect":"effect","action":["action"],"resource":["resource"],"condition": {"key":{"value"}}}]}
Element description
version is required. Currently, only "2.0" is allowed.
statement describes the details of one or more permissions. This element contains a permission or permission set of other elements such as
effect, action, resource, and condition. One policy has only one statement.effect is required. It describes whether the declaration result is
allow or explicit deny.action is required. It specifies whether to allow or deny the operation. The operation can be an API (prefixed with
name) or a feature set (a group of APIs, prefixed with permid).resource is required. It describes the authorization details. For more information on how to specify a resource, see the documentation for the product for which you are writing a resource declaration.
condition describes the condition for the policy to take effect. Conditions consist of operators, operation keys, and operation values, while condition values include information such as time and IP addresses. TCOP currently does not support special conditions, so this element can be left empty.
Specifying effect
If you don't explicitly grant access to (
allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource to ensure that a user cannot access it, even if another policy has granted access to it. The following example specifies an allow effect."effect" : "allow"
Specifying action
You can specify any API operation from any CAM-enabled service in a CAM policy statement. If the service is TCOP, use an API prefixed with
name/monitor:, such as name/monitor:GetMonitorData.You can also specify multiple API operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
"action": ["name/monitor:Describe*"]
To specify all operations in TCOP, use a wildcard (*) as follows:
"action":["name/monitor:*"]
Specifying resource
The
resource element describes one or multiple operation objects, such as TCOP resource. All the resources can be described with the following 6-segment format.qcs:service_type:account:resource
The parameters are described as follows:
Parameter | Description | Required |
qcs | Abbreviation for “qcloud service”, which indicates a Tencent Cloud service | Yes |
service_type | Product name abbreviation, which is monitor here | Yes |
account | Root account information of the resource owner, which is the root account ID in the format of uin/${OwnerUin}, such as uin/100000000001 | Yes |
resource | Resource information description, such as cm-policy/policy-p1234abc | Yes |
You can control the access to the following resources:
Resource Type | Resource Description Method in Authorization Policy |
Alarm policy/cm-policy | qcs::monitor::uin/:cm-policy/${policyId} |
Notification template/cm-notice | qcs::monitor::uin/:cm-notice/${noticeId} |
Example of specifying a resource
You can specify a resource by its ID as follows:
"resource":["qcs::monitor:uin/1250000000:cm-policy/policy-p1234abc"]
If you want to specify all resources or if a specific API operation does not support resource-level permission, you can use the wildcard (*) in the
resource element as shown below:"resource": ["*"]
Console Example
Granting particular alarm policy permissions to a user
1. Create a custom policy as instructed in Creating Custom Policy.
The sample policy grants the operation permission for two alarm policies (IDs:
policy-p1234abc and policy-p5678abc). You can refer to the following policy syntax to configure the policy content:{"version": "2.0","statement": [{"action": "monitor:*","resource": ["qcs::monitor:uin/1250000000:cm-policy/policy-p1234abc","qcs::monitor:uin/1250000000:cm-policy/policy-p5678abc"],"effect": "allow"}]}
2. Find the created policy and click Associate Users/Groups in the Operation column.
3. In the pop-up window, select the user/group you want to authorize and click OK.
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No