CSS supports permission control via CAM, allowing you to manage access to your CSS domains, settings, and other data. You can create, manage, or terminate users or user groups and grant API access permissions to them to achieve identity management and policy control.
You can use CAM to bind a user or user group to a policy which allows or denies them access to specified resources to complete specified tasks.
Concepts
Root account: A Tencent Cloud account.
Sub-user: A user created and fully owned by a root account.
Collaborator: You can add another root account as a collaborator to your account. The added account becomes a sub-account of your account.
User group: Users that perform the same functions and can be bound with a permission policy for centralized access management.
Note:
For more information on the concepts and permissions, see User Types.
Directions
Step 1. Create a sub-user or user group
One or more sub-users can be created under each root account and can be associated with specific roles and policies. A sub-user has a unique ID and identity credential that can be used to log in to the Tencent Cloud console. It also has API access. You can log in to the CAM console to create a sub-user.
Step 2. Add a policy to the sub-user or user group
You can associate policies on the user/user group management page or policy management page. For detailed directions, see Authorization Management.
Method 1. Add a policy to a sub-user or user group
Go to the user/user group page and select the user/user group to which you want to add a policy.
Select Users > User List or User Groups on the left sidebar of the CAM console. Find the user/user group to which you want to add a policy, click Authorize on the right, select a CSS policy, and click OK.
Select Users > User List or User Groups on the left sidebar and click the name of the user/user group to which you want to add a policy. Click Associate Policy, select a CSS policy, and click OK.
Method 2. Associate a policy with a user/user group
Select Policies on the left sidebar of the CAM console, find the policy you want to associate, and click Associate User/User Group/Role in the Operation column. Select the user/user group you want to associate the policy with, and click OK.
Addable policies
Preset policies: You can view all preset policies on the Policies page.
For a user to use tags, you need to associate QcloudTAGFullAccess (full read and write access by tag). For a user to use real-time logs, associate QcloudCamFullAccess (full read/write access to CAM).
Custom policy: Go to the Policies page, click Create Custom Policy, and select Create by Policy Generator. For more information, see Custom Policy.
Note:
Currently, some APIs of CSS support resource-level authorization.
Example: If you want to allow a sub-user to use the DescribeLiveDomains API, follow the steps below to grant the permission.
1.1 Create a domain-level policy that allows access to the API: Go to the Create by Policy Generator page and complete the following settings:
Parameter | Required | Description |
Effect | Yes | Select Allow |
Service | Yes | Select Cloud Streaming Services |
Action | Yes | Select DescribeLiveDomains |
Resource | Yes | Select all resources or specific resources. Tencent Cloud services for which the authorization granularity is operation or service don't support six-segment resource descriptions; for them, select “All resources”. For Tencent Cloud services that support resource-level authorization, you can select specific resources. For the resource description method and authorization granularity of Tencent Cloud services, see CAM-Enabled Products. |
Condition | No | Set the condition for the authorization to take effect. If you enter IP addresses, the API will be accessible only if a request is from the specified IP range. You can also add other conditions. For more information, see Conditions. |
Note:
If you want to authorize multiple services, click Add Permissions.
1.2 Click Next to generate the policy. Then, associate it using either of the two methods above.
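An added example, not part of the original documentation: a small Python check to run over the generated policy JSON before associating it, confirming that it allows only the intended CSS action and carries a source-IP condition. The policy layout (`version` 2.0, `statement`, `ip_equal` with `qcs:ip`) and the `live:` action prefix are assumptions about what the policy generator emits, so compare them with the JSON shown in your console; `review_policy`, `_as_list` and `SAMPLE_POLICY` are hypothetical names.

```python
import ipaddress
import json

# Constructed sample: a policy matching the generator settings above, assuming
# CAM policy syntax 2.0 and the "live:" action prefix for CSS.
SAMPLE_POLICY = json.loads("""
{"version": "2.0", "statement": [{
  "effect": "allow",
  "action": ["live:DescribeLiveDomains"],
  "resource": ["*"],
  "condition": {"ip_equal": {"qcs:ip": ["198.51.100.0/24"]}}
}]}
""")

def _as_list(value):
    """Normalize a field that may hold a single value or a list."""
    return value if isinstance(value, list) else [value]

def review_policy(policy, allowed_actions):
    """Return findings for allow statements that exceed the intended scope."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("statement", []))):
        if stmt.get("effect", "").lower() != "allow":
            continue  # deny statements cannot widen access
        for action in _as_list(stmt.get("action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: unexpected action {action!r}")
        cidrs = []
        for operator, keys in stmt.get("condition", {}).items():
            if operator == "ip_equal":
                cidrs += _as_list(keys.get("qcs:ip", []))
        if not cidrs:
            findings.append(f"statement {i}: no source IP condition")
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"statement {i}: IP condition {cidr} matches any address")
    return findings

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY, {"live:DescribeLiveDomains"}):
        print(finding)
```

An empty result means the policy stays within the single action and IP range you intended; any finding is a reason to regenerate the policy before binding it to a sub-user or user group.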
Step 3. Use a sub-account
You can now use the sub-user’s account (the account ID and password) to call the authorized API (such as DescribeLiveDomains) and get the corresponding CSS data (such as all the domains under the current account).