tencent cloud

Cloud Access Management

Product Introduction

Getting Started

Creating Admin User

Creating and Authorizing Sub-account

Logging In to Console with Sub-account

User Guide

Users

Root Account

Root Account Permissions

Root Account Message Subscription

Sub-Users

Creating Sub-User

Setting Sub-User Permissions

Sub-User Security Credentials

Logging in as a Sub-User

Resetting Login Passwords for Sub-Users

Setting Security Protection for Sub-Users

Sub-User Message Subscriptions

Querying Sub-User Information

Deleting Sub-Users

Disabling Sub-User

Enabling Disabled Sub-User

Collaborators

Creating Collaborator

Setting Collaborator Permissions

Collaborator Security Credentials

Collaborator Login

Setting Security Protection for Collaborators

Collaborator Message Subscriptions

Querying Collaborator Information

Deleting Collaborators

Switching Collaborator Identities

Message Recipients

Creating Message Recipient

Message Recipient Message Subscriptions

Setting Message Recipient User Groups

Deleting Message Recipients

User Information

User Settings

Login Restrictions

Advanced Settings

Access Key

Root Account Access Key Management

Sub-Account Access Key Management

User Groups

Creating User Group

Managing User Groups

Associating/Unassociating Policy with/from User Group

Deleting User Groups

Role

Deleting a Role

Authorizing Sub-account with Role Assuming Policy

Resource-based Service Roles

Identity Provider

Policies

Definition

Authorization Guide

Creating Custom Policy

Creating Custom Polices through Tag Authorization

Creating Custom Policies through Policy Syntax

Authorization Management

IP Access Restrictions

Syntax Logic

Element Reference

Element Reference Overview

Syntax Structure

Evaluation Logic

Resource Description Method

Policy Variable

Conditions

Overview of Effective Conditions

Condition Keys and Condition Operators

Policy Version Control

Scenarios where 'deny' in permission policy is ineffective

Policy Analyzer

Permissions Boundary

Troubleshooting

Creating Policy Based on Fault Report

Creating Permissions Policy as Prompted

Downloading Security Analysis Report

CAM-Enabled Role

Compute

Cloud Virtual Machine

Tencent Cloud Lighthouse

Tencent Cloud Automation Tools

Container

Tencent Kubernetes Engine

Microservice

Tencent Cloud Elastic Microservice

Essential Storage Service

Cloud Object Storage

Data Process and Analysis

Cloud Log Service

Data Migration

Migration Service Platform

Relational Database

TDSQL-C for MySQL

TencentDB for MySQL

TencentDB for PostgreSQL

TencentDB for SQL Server

Enterprise Distributed DBMS

TDSQL for MySQL

NoSQL Database

TencentDB for MongoDB

Database SaaS Tool

TencentDB for DBbrain

Database Management Center

Networking

Virtual Private Cloud

Cloud Load Balancer

CDN and Acceleration

Content Delivery Network

Global Application Acceleration Platform

Network Security

Tencent Cloud Firewall

Tencent Cloud EdgeOne

Data Security

Data Security Governance Center

Application Security

Web Application Firewall

Domains & Websites

SSL Certificate Service

Big Data

Elastic MapReduce

Elasticsearch Service

Cloud Data Warehouse

Cloud Data Warehouse for PostgreSQL

Data Lake Compute

Middleware

Message Queue CKafka

TDMQ for RocketMQ

Interactive Video Services

Tencent Real-Time Communication

Low-code Interactive Classroom

Media On-Demand

Video on Demand

Cloud Real-time Rendering

Cloud Application Rendering

Game Services

Game Multimedia Engine

Cloud Resource Management

Tencent Cloud Infrastructure as Code

Tencent Smart Advisor

Tencent Cloud Mini Program Platform

Management and Audit Tools

Cloud Access Management

Tencent Cloud Organization

Monitor and Operation

Application Performance Management

CAM-Enabled API

Compute

Cloud Virtual Machine

Tencent Cloud Lighthouse

BM Cloud Physical Machine

Tencent Cloud Automation Tools

Cloud Dedicated Zone

Edge Computing

Edge Computing Machine

Container

Tencent Kubernetes Engine

Tencent Cloud Mesh

Tencent Container Registry

Distributed cloud

本地专用集群

Microservice

Tencent Cloud Elastic Microservice

Serverless

Serverless Cloud Function

Essential Storage Service

Cloud Object Storage

Cloud File Storage

Data Process and Analysis

Cloud Log Service

Data Migration

Migration Service Platform

Relational Database

TDSQL-C for MySQL

TencentDB for MySQL

TencentDB for PostgreSQL

TencentDB for SQL Server

Enterprise Distributed DBMS

TDSQL for MySQL

NoSQL Database

TencentDB for MongoDB

TencentDB for TcaplusDB

TencentDB for CTSDB

Database SaaS Tool

Data Transfer Service

Database Expert Service

TencentDB for DBbrain

Database Management Center

Networking

Virtual Private Cloud

Cloud Load Balancer

CDN and Acceleration

Content Delivery Network

Enterprise Content Delivery Network

Global Application Acceleration Platform

Network Security

Tencent Cloud Firewall

Tencent Cloud EdgeOne

Endpoint Security

Cloud Workload Protection Platform

Tencent Container Security Service

Data Security

Data Security Center

Key Management Service

Secrets Manager

Business Security

Text Moderation System

Image Moderation System

Audio Moderation System

Video Moderation System

Customer Identity and Access Management

Risk Control Engine

Application Security

Web Application Firewall

Vulnerability Scan Service

Mobile Security

Security Token Service

Domains & Websites

SSL Certificate Service

Big Data

Elastic MapReduce

Elasticsearch Service

Cloud Data Warehouse

Cloud Data Warehouse for PostgreSQL

Data Lake Compute

Data Development and Governance Platform

Stream Compute Service

Voice Technology

Automatic Speech Recognition

Image Creation

AI Platform Service

Tencent Cloud AI Digital Human

Image Creation Large Model

Natural Language Processing

Tencent Machine Translation

Optical Character Recognition

Optical Character Recognition

Middleware

Message Queue CKafka

TDMQ for RabbitMQ

TDMQ for RocketMQ

Cloud Message Queue

Communication

Short Message Service

Tencent Push Notification Service

Simple Email Service

Interactive Video Services

Tencent Real-Time Communication

Low-code Interactive Classroom

Real-time Teleoperation

Stream Services

Media On-Demand

Video on Demand

Media Process Services

Media Processing Service

Cloud Real-time Rendering

Cloud Application Rendering

Game Services

Game Multimedia Engine

Education Sevices

Tencent Interactive Whiteboard

Cloud Resource Management

TencentCloud API

Tencent Cloud Infrastructure as Code

Tencent Smart Advisor

Identity Aware Platform

Tencent Cloud Mini Program Platfor

Tencent Cloud Super App as a Service

Management and Audit Tools

Cloud Access Management

Tencent Cloud Organization

Monitor and Operation

Application Performance Management

Real User Monitoring

Cloud Automated Testing

Performance Testing Service

More

International Partners

Practical Tutorial

Security Practical Tutorial

Multi-Identity Personnel Permission Management

Authorizing Certain Operations by Tag

Supporting Isolated Resource Access for Employees

Authorization by Resource ID

Authorization by Tag

Enterprise Multi-Account Permissions Management

Tencent Cloud Organization

Reviewing Employee Operation Records on Tencent Cloud

Implementing Attribute-Based Access Control for Employee Resource Permissions Management

Application Scenarios

During tag-based authentication, only tag key matching is supported

Business Use Cases

TencentDB for MySQL

Allowing Account to View TencentDB for MySQL Instances Under Specified Tag

Granting a Sub-account View Permission for Specified TencentDB for MySQL Instances

CLB

Authorizing Sub-account Full Access to CLB （Includes payment permission）

Authorizing Sub-account Full CLB Access other than the Payment Permission

Authorizing Sub-account Read-only Access to CLB

CMQ

Authorizing a Sub-account Full Permissions to Use Messaging Services

Authorizing a Sub-account Full Permissions to Access the Message Queue It Created

Authorizing a Sub-account Permission to Read a Topic-based Message Queue

COS

Authorizing Sub-account Full Access to Specific Directory

Authorizing Sub-account Read-only Access to Files in Specific Directory

Authorizing Sub-account Read/Write Access to Specific File

Authorizing Sub-account Read-only Access to COS Resources

Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files

Authorizing Sub-account Read/Write Access to Files with Specified Prefix

Authorizing Another Account Read/Write Access to Specific Files

Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File

Authorizing Sub-account Full Access to COS Resources under the Account

CVM

Authorizing Sub-account Full Access to CVMs

Authorizing Sub-account Read-only Access to CVMs

Authorizing Sub-account Read-only Access to CVM-related Resources

Authorizing Sub-account Access to Perform Operations on CBSs

Authorizing Sub-account Access to Perform Operations on Security Groups

Authorizing Sub-account Access to Perform Operations on EIPs

Authorizing Sub-account Access to Perform Operations on Specific CVM

Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region

Authorizing Sub-account Full Access to CVMs Except Payment

VPC

Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC

Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table

Authorizing Sub-account Access to Perform Operations on VPN

Authorizing Sub-account Full Access to VPCs

Authorizing a Sub-account Full Access to VPCs Except Payment

Authorizing Sub-account Read-only Access to VPCs

VOD

Authorizing a Sub-account with Full Permissions to Manage VOD Services

Others

Granting Management or Read-Only Permissions for Specified Product

Authorizing Sub-account Access to Perform Operations on All Resources

Authorizing Sub-account Read-only Access to All Resources

Authorizing Different Sub-accounts Separate Permissions to Manage Tencent Cloud Resources

API Documentation

User APIs

Role APIs

UpdateRoleDescription

UpdateAssumeRolePolicy

ListAttachedRolePolicies

DetachRolePolicy

DescribeRoleList

AttachRolePolicy

UpdateRoleConsoleLogin

GetServiceLinkedRoleDeletionStatus

DeleteServiceLinkedRole

CreateServiceLinkedRole

PutRolePermissionsBoundary

DeleteRolePermissionsBoundary

DescribeSafeAuthFlag

DescribeSafeAuthFlagIntl

Making API Requests

Request Structure

Identity Provider APIs

UpdateSAMLProvider

ListSAMLProviders

GetSAMLProvider

DeleteSAMLProvider

CreateSAMLProvider

UpdateUserSAMLConfig

DescribeUserSAMLConfig

CreateUserSAMLConfig

UpdateUserOIDCConfig

DescribeUserOIDCConfig

CreateUserOIDCConfig

UpdateOIDCConfig

DescribeOIDCConfig

DeleteOIDCConfig

CreateOIDCConfig

Policy APIs

ListEntitiesForPolicy

ListAttachedUserPolicies

ListAttachedGroupPolicies

DetachUserPolicy

DetachGroupPolicy

AttachUserPolicy

AttachGroupPolicy

SetDefaultPolicyVersion

ListPolicyVersions

GetPolicyVersion

DeletePolicyVersion

CreatePolicyVersion

ListAttachedUserAllPolicies

FAQs

CAM Users and Permissions

DocumentationCloud Access ManagementBusiness Use CasesCOSAuthorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files

Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files

Last updated: 2024-01-23 18:02:53

Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files

Last updated: 2024-01-23 18:02:53

The organizational account CompanyExample (ownerUin: 12345678; appId: 1250000000) has a sub-account Developer that requires read/write permissions for all objects except the Object1 object in the dir1 directory of the Bucket1 bucket of the COS service in the Shanghai region under the CompanyExample account.
Solution A:
Step 1. Create the following policy according to the policy syntax:
 {
    "version": "2.0",
    "statement":
    [
     {
         "effect": "allow",
         "action": "cos:*",
         "resource": "qcs::cos:ap-shanghai:uid/1250000000:Bucket1-1250000000/dir1/*"
     },
     {
         "effect": "deny",
         "action": "cos:*",
         "resource": "qcs::cos:ap-shanghai:uid/1250000000:Bucket1-1250000000/dir1/Object1"
     }     
    ]
}
Step 2. Associate the policy with the sub-account. For more information on authorization, please see Authorization Management.
Solution B:
Set the policy and ACL in the COS Console. For more information, please see ACL Practices.

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

No

Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

7x24 Phone Support