Cloud Access Management
Last updated: 2025-03-26 09:55:44
Fundamental information
| Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|---|
| Cloud Access Management | cam | Supported | not supported | Operation level | Partially supported |
Note:
The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.
- Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For the authorization granularity of cloud products at service level, the authorization of specific APIs are not supported.
- Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.
API authorization granularity
Two authorization granularity levels of API are supported: resource level, and operation level.
- Resource level: It supports the authorization of a specific resource.
- Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
Write operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| AddCollaborator | AddCollaborator | Operation level | * | Supported |
| AddSubAccount | Console Create Message Recipient | Operation level | * | Supported |
| AddSubAccountCheckingMFA | create sub account | Resource level | qcs::cam::uin/${uin}:uin/${subUin} | Supported |
| AddSubAccountsToGroup | Add user to group | Operation level | * | Supported |
| AddUser | addUser | Operation level | * | Supported |
| AddUserToGroup | User joins user group | Operation level | * | Supported |
| AttachGroupPolicies | Bind multiple policies to user groups | Operation level | * | Supported |
| AttachGroupPolicy | Operation level | * | Supported | |
| AttachGroupsPolicy | Bind a policy to multiple user groups | Operation level | * | Supported |
| AttachRolePolicy | Operation level | * | Supported | |
| AttachUserPolicies | Attach some policies to sub-user | Operation level | * | Supported |
| AttachUserPolicy | Operation level | * | Supported | |
| AttachUsersPolicy | Bind the policy to multiple users | Operation level | * | Supported |
| BanSensitiveOperation | ban sensitive operations for risky uin | Operation level | * | Supported |
| BatchOperateCamStrategy | The binding strategy is for user details page | Operation level | * | Supported |
| BindToken | Operation level | * | Supported | |
| CreateApiKey | CreateApiKey | Resource level | qcs::cam::uin/${uin}:uin/${ApiUin} | Supported |
| CreateAssistApprover | CreateAssistApprover | Operation level | * | Supported |
| CreateCICUserSAMLConfig | Create CIC User SAML Identity Provider | Operation level | * | Supported |
| CreateCollApiKey | Create sub-account key | Operation level | * | Supported |
| CreateGroup | Operation level | * | Supported | |
| CreateMessageReceiver | Create message receiver | Operation level | * | Supported |
| CreateOIDCConfig | CreateOIDCConfig | Operation level | * | Supported |
| CreatePolicy | Operation level | * | Supported | |
| CreatePolicyVersion | Operation level | * | Supported | |
| CreateRole | Create Role | Operation level | * | Supported |
| CreateRoleByConsole | Console creation role | Operation level | * | Supported |
| CreateSAMLProvider | Operation level | * | Supported | |
| CreateServiceLinkedRole | Create service linked role | Operation level | * | Supported |
| CreateSimulationPolicy | Create Simulation Policy Data | Operation level | * | Supported |
| CreateSubAccountBindPolicy | Operation level | * | Supported | |
| CreateSubAccountLoginIpPolicy | Operation level | * | Supported | |
| CreateSubAccounts | Create WeComUser | Operation level | * | Supported |
| CreateUserOIDCConfig | CreateUserOIDCConfig | Operation level | * | Supported |
| CreateUserSAMLConfig | Create user SAML configuration | Operation level | * | Supported |
| DeleteApiKey | Operation level | * | Supported | |
| DeleteCollApiKey | Delete sub-account key | Operation level | * | Supported |
| DeleteEntitiesPermissionsBoundary | DeleteEntitiesPermissionsBoundary | Operation level | * | Supported |
| DeleteGroup | Operation level | * | Supported | |
| DeleteMessageReceiver | Delete message recipient | Operation level | * | Supported |
| DeleteOIDCConfig | DeleteOIDCConfig | Operation level | * | Supported |
| DeletePolicy | Delete Policy | Operation level | * | Supported |
| DeletePolicyVersion | Operation level | * | Supported | |
| DeleteRole | Delete role. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} qcs::cam::uin/${uin}:role/{$RoleId} |
Supported |
| DeleteRolePermissionsBoundary | DeleteRolePermissionsBoundary | Operation level | * | Supported |
| DeleteSAMLProvider | Operation level | * | Supported | |
| DeleteServiceLinkedRole | Delete service linked role | Resource level | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/{$RoleId} |
Supported |
| DeleteSubAccount | delete sub account | Operation level | * | Supported |
| DeleteUser | delete sub user | Operation level | * | Supported |
| DeleteUserPermissionsBoundary | DeleteUserPermissionsBoundary | Operation level | * | Supported |
| DetachGroupPolicy | Operation level | * | Supported | |
| DetachRolePolicy | Operation level | * | Supported | |
| DetachUserPolicies | Unbinding strategy for details page | Operation level | * | Supported |
| DetachUserPolicy | Operation level | * | Supported | |
| DisableApiKey | Operation level | * | Supported | |
| DisableCollApiKey | Disable sub-account key | Operation level | * | Supported |
| DisableUserSSO | DisableUserSSO | Operation level | * | Supported |
| EnableApiKey | Operation level | * | Supported | |
| EnableCollApiKey | Enable sub-account key | Operation level | * | Supported |
| GenerateSafetyAnalysisReport | - | Operation level | * | Supported |
| LogoutRoleSessions | Log out of role | Operation level | * | Supported |
| ModifySubContactEmailWithVerifyCode | sub-account modification contact email | Operation level | * | Supported |
| ModifySubContactPhoneWithVerifyCode | sub-user modify contact phone | Operation level | * | Supported |
| ModifyUserContactInfo | ModifyUserContactInfo | Operation level | * | Supported |
| PassRole | Pass role for assume role. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} qcs::cam::uin/${uin}:role/${RoleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} |
Supported |
| PutEntitiesPermissionsBoundary | PutEntitiesPermissionsBoundary | Operation level | * | Supported |
| PutRolePermissionsBoundary | PutRolePermissionsBoundary | Operation level | * | Supported |
| PutUserPermissionsBoundary | PutUserPermissionsBoundary | Operation level | * | Supported |
| RemoveUserFromGroup | Remove users from the user group | Operation level | * | Supported |
| SetAccountAlias | Set main account alias | Operation level | * | not supported |
| SetDefaultPolicyVersion | Operation level | * | Supported | |
| SetLoginSessionDuration | - | Operation level | * | Supported |
| SetMfaFlag | set the user\\\\\\\'s login protection and sensitive operation verification method | Operation level | * | Supported |
| SetSafeAuthFlag | Operation level | * | Supported | |
| SetSubAccountDefaultMFASettingV2 | set mfa setting v2 | Operation level | * | Supported |
| SetSubAccountSessionLifetime | - | Operation level | * | Supported |
| SyncAuthInfo | - | Operation level | * | Supported |
| TagRole | Tag role. | Resource level | qcs::cam::uin/${uin}:role/${roleId} | Supported |
| UnbanSensitiveOperation | unban sensitive operations for risky uin | Operation level | * | Supported |
| UnbindContactInfo | Unbind contact information | Resource level | qcs::cam::uin/${uin}:uin/${uin} qcs::cam::uin/${uin}:userName/${userName} |
Supported |
| UnbindSubAccount | Unbind sub-user login method | Operation level | * | Supported |
| UnbindSubAccountStoken | - | Operation level | * | Supported |
| UnbindSubAccountToken | - | Operation level | * | Supported |
| UnbindSubAccountU2FToken | unbind subaccount U2F Token | Operation level | * | Supported |
| UnbindToken | Operation level | * | Supported | |
| UnbindU2FToken | unbind account U2F Token | Operation level | * | Supported |
| UntagRole | Untag role. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName}role/${RoleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} qcs::cam::uin/${uin}:role/${RoleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} |
Supported |
| UpdateAccessKeyAttribute | UpdateAccessKeyAttribute | Resource level | qcs::cam::uin/${uin}:uin/${uin} | Supported |
| UpdateAssumeRolePolicy | Update assume role policy. | Resource level | qcs::cam::uin/${uin}:roleName/${roleName} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${roleId} qcs::cam::uin/${uin}:role/${roleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${roleName} |
Supported |
| UpdateCollPassword | - | Operation level | * | Supported |
| UpdateGroup | UpdateGroup | Resource level | qcs::cam::uin/:groupid/${GroupId} | Supported |
| UpdateOIDCConfig | UpdateOIDCConfig | Operation level | * | Supported |
| UpdatePasswordRules | Operation level | * | Supported | |
| UpdatePolicy | Operation level | * | Supported | |
| UpdateRoleConsoleLogin | Update role console login | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} qcs::cam::uin/${uin}:role/${RoleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} |
Supported |
| UpdateRoleDescription | Update role description. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} qcs::cam::uin/${uin}:role/${RoleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} |
Supported |
| UpdateSAMLProvider | Operation level | * | Supported | |
| UpdateSubAccount | update sub account | Operation level | * | Supported |
| UpdateSubAccountAttr | - | Operation level | * | Supported |
| UpdateUser | update user | Operation level | * | Supported |
| UpdateUserOIDCConfig | UpdateUserOIDCConfig | Operation level | * | Supported |
| UpdateUserSAMLConfig | Modify user SAML configuration | Operation level | * | Supported |
Other Operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| BuildDataFlowAuthToken | BuildDataFlowAuthToken | Resource level | qcs::cam:${ResourceRegion}:uin/:resourceUser/${ResourceId}/${ResourceAccount} | Supported |
Read operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| CheckGroupNameIsValid | check whether the user group name is legal | Operation level | * | Supported |
| CheckSubAccountName | Operation level | * | Supported | |
| CheckUserPolicyAttachment | Operation level | * | Supported | |
| ConsumeCustomMFAToken | Operation level | * | Supported | |
| DescribeAccountAlias | Get the main account alias settings | Operation level | * | not supported |
| DescribeAssistApprover | Operation level | * | Supported | |
| DescribeBanRecord | Query ban record | Operation level | * | Supported |
| DescribeContactInfoModifyStatus | - | Operation level | * | Supported |
| DescribeMFADeviceColl | 查询mfa设备 | Operation level | * | Supported |
| DescribeMessageReceiverList | Message recipient list | Operation level | * | not supported |
| DescribeMfaStatus | query mfa status | Operation level | * | Supported |
| DescribeOIDCConfig | DescribeOIDCConfig | Operation level | * | Supported |
| DescribePermProject | - | Operation level | * | Supported |
| DescribeRoleList | DescribeRoleList | Operation level | * | Supported |
| DescribeSafeAuthFlagColl | DescribeSafeAuthFlagColl | Operation level | * | Supported |
| DescribeSafeAuthInfo | DescribeSafeAuthInfo | Operation level | * | Supported |
| DescribeSecretProjectId | - | Operation level | * | Supported |
| DescribeSensitiveInfoHashValue | - | Operation level | * | Supported |
| DescribeServiceLinkedRole | Describe service linked role | Operation level | * | Supported |
| DescribeSubAccountBindPolicy | Operation level | * | Supported | |
| DescribeSubAccountContacts | DescribeSubAccountContacts | Operation level | * | Supported |
| DescribeSubAccountDefaultMFASetting | get MFA default settings of sub account | Operation level | * | Supported |
| DescribeSubAccountLoginIpPolicy | Operation level | * | Supported | |
| DescribeSubAccountSessionSettings | - | Operation level | * | Supported |
| DescribeSubAccounts | Describe SubAccounts | Operation level | * | Supported |
| DescribeSubLoginUinList | - | Operation level | * | Supported |
| DescribeSubUsers | Sub account details | Operation level | * | not supported |
| DescribeUserAnalysisReport | DescribeUserAnalysisReport | Operation level | * | Supported |
| DescribeUserAnalysisReportCheck | - | Operation level | * | Supported |
| DescribeUserOIDCConfig | DescribeUserOIDCConfig | Operation level | * | Supported |
| DescribeUserSAMLConfig | Query user SAML configuration | Operation level | * | Supported |
| DescribeUserWeChatInfo | - | Operation level | * | Supported |
| DescribeWechatUnionId | - | Operation level | * | Supported |
| GetAccountSummary | Operation level | * | Supported | |
| GetAllSubUser | Operation level | * | Supported | |
| GetBanRecord | Query the sensitive operation ban records | Operation level | * | not supported |
| GetCustomMFATokenInfo | Operation level | * | Supported | |
| GetCustomMfaCallback | - | Operation level | * | Supported |
| GetGroup | Operation level | * | Supported | |
| GetMFADevice | Operation level | * | Supported | |
| GetMFADeviceColl | - | Operation level | * | Supported |
| GetMfaStatusBySubUins | Query the MFA status through the UIN of sub accounts | Operation level | * | Supported |
| GetPasswordRules | Operation level | * | Supported | |
| GetPolicy | Operation level | * | Supported | |
| GetPolicyVersion | Operation level | * | Supported | |
| GetReceiverInfo | Operation level | * | Supported | |
| GetRole | Get Role Detail | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} qcs::cam::uin/${uin}:role/${RoleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} |
Supported |
| GetRolePermissionBoundary | GetRolePermissionBoundary | Operation level | * | Supported |
| GetSAMLProvider | Operation level | * | Supported | |
| GetSafeAuthFlag | Operation level | * | Supported | |
| GetSafeAuthFlagColl | - | Operation level | * | Supported |
| GetSecurityLastUsed | GetSecurityLastUsed | Operation level | * | Supported |
| GetServiceLinkedRoleDeletionStatus | Get service linked role deletion status | Operation level | * | Supported |
| GetStrategyNoticeFrequency | Frequency of getting policy change notifications | Operation level | * | Supported |
| GetSubAccountBindInfo | Operation level | * | Supported | |
| GetUidByUin | Operation level | * | Supported | |
| GetUser | Get user info | Operation level | * | Supported |
| GetUserAppId | Get User AppId | Operation level | * | not supported |
| GetUserPermissionBoundary | GetUserPermissionBoundary | Operation level | * | Supported |
| ListAccessKeys | list access keys | Resource level | qcs::cam::uin/${uin}:uin/${uin} | Supported |
| ListAllGroupsPolicies | Operation level | * | Supported | |
| ListAttachedGroupPolicies | Operation level | * | Supported | |
| ListAttachedRolePolicies | Lists all managed policies that are attached to the specified role | Operation level | * | Supported |
| ListAttachedUserAllPolicies | Operation level | * | Supported | |
| ListAttachedUserPolicies | Operation level | * | Supported | |
| ListCollaborators | List Collaborators | Operation level | * | Supported |
| ListEntitiesForPolicy | Operation level | * | Supported | |
| ListGroups | Operation level | * | Supported | |
| ListGroupsForConsole | List Groups For Console | Operation level | * | Supported |
| ListGroupsForUser | List the user groups associated with the user | Operation level | * | Supported |
| ListGroupsPolicies | Operation level | * | Supported | |
| ListIdentityProvider | Operation level | * | Supported | |
| ListLoginRoles | Get subaccount user\'s role list for login. | Operation level | * | Supported |
| ListMaskedSubAccounts | - | Operation level | * | Supported |
| ListMaskedUsers | Pull the list of coding sub users | Operation level | * | Supported |
| ListPolicies | Operation level | * | Supported | |
| ListPolicyVersions | Operation level | * | Supported | |
| ListRoleTags | List role tags. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} qcs::cam::uin/${uin}:role/${RoleId} qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} |
Supported |
| ListSAMLProviders | Operation level | * | Supported | |
| ListSimulationAuth | ListSimulationAuth | Operation level | * | Supported |
| ListSubAccounts | Operation level | * | Supported | |
| ListSubUsers | Sub Account List | Operation level | * | Supported |
| ListUserTags | List user tags | Resource level | qcs::cam::uin/${uin}:userName/${userName} | Supported |
| ListUsers | Operation level | * | Supported | |
| ListUsersForGroup | List Users For Group | Operation level | * | Supported |
| ListUsersForPolicy | Operation level | * | Supported | |
| ListWeChatWorkSubAccounts | - | Operation level | * | Supported |
| LookupRecentlyLogin | Operation level | * | Supported | |
| QueryApiKey | Operation level | * | Supported | |
| QueryApiKeyRecord | Query key access records | Operation level | * | Supported |
| QueryCollApiKey | Query for sub-account key list | Operation level | * | Supported |
| QueryKeyBySecretId | - | Operation level | * | Supported |
List Operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeOrganizationSubAccountPolicies | Describe Organization SubAccount Policies List | Operation level | * | Supported |
| GetAllMaskedSubUser | - | Operation level | * | Supported |
| ListEntitiesForPermissionsBoundary | ListEntitiesForPermissionsBoundary | Operation level | * | Supported |
| ListPoliciesForPermissionsBoundary | ListPoliciesForPermissionsBoundary | Operation level | * | Supported |
| ListPoliciesGrantingServiceAccess | List policies granting service access. | Operation level | * | Supported |
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No