Bastion Host
Last updated: 2025-03-26 09:55:18

Fundamental information

| Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|---|
| Operation and Maintenance Security Center (Bastion Host) | bh | Supported | not supported | Operation level | Partially supported |

Note:

The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

  • Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For cloud products whose authorization granularity is service level, authorization of specific APIs is not supported.
  • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
  • Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

API authorization granularity

APIs support two authorization granularity levels: resource level and operation level.

  • Resource level: It supports the authorization of a specific resource.
  • Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
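
An added example, not Tencent Cloud's own code: a small lint for CAM policy documents that applies this page's two constraints to `bh` actions, namely that the resource must be `*` and that some APIs are listed with IP restriction not supported. It assumes CAM's policy JSON layout (`statement`, `effect`, `action`, `resource`, and `condition` with the `qcs:ip` key); the function names, the sample policy and the glob matching of action patterns are illustrative assumptions, and the not-supported list is taken from the tables on this page.

```python
import fnmatch
import json

# APIs the tables on this page list with IP Restriction "not supported".
NO_IP_RESTRICTION = {
    "DescribeTicketHideFlag", "BindDeviceAccountKubeconfig",
    "ModifyTicketHideFlag", "ResetDeviceAccountKubeconfig",
    "UpdateTicketStatus",
}

def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _bh_api(action):
    """Return the API part of 'bh:X' or 'name/bh:X'; None for other services."""
    service, _, api = action.rpartition(":")
    return api if service.split("/")[-1] == "bh" else None

def lint_bh_policy(policy):
    """Return (statement_index, message) findings for allow statements on bh."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("statement"))):
        apis = [a for a in map(_bh_api, _as_list(stmt.get("action"))) if a]
        if not apis or stmt.get("effect") != "allow":
            continue
        # Every bh API is operation level: anything but "*" is unauthorized.
        if _as_list(stmt.get("resource")) != ["*"]:
            findings.append((i, "resource must be \"*\" for operation-level bh APIs"))
        # Look for a source-IP condition (operator -> {"qcs:ip": ...}).
        cond = stmt.get("condition") or {}
        if any("qcs:ip" in v for v in cond.values() if isinstance(v, dict)):
            for api in apis:
                # Action patterns are matched as globs here (assumption).
                for name in sorted(NO_IP_RESTRICTION):
                    if fnmatch.fnmatchcase(name, api):
                        findings.append((i, f"{name}: IP restriction not supported"))
    return findings

# Constructed sample policy; the account ID, resource path and CIDR are placeholders.
SAMPLE_POLICY = json.loads("""
{"version": "2.0", "statement": [
  {"effect": "allow", "action": ["bh:DescribeDevices", "bh:SearchSession"],
   "resource": "*", "condition": {"ip_equal": {"qcs:ip": ["203.0.113.0/24"]}}},
  {"effect": "allow", "action": ["bh:KillSession"],
   "resource": ["qcs::bh:ap-guangzhou:uin/100000000001:resource/bh-example"]},
  {"effect": "allow", "action": ["bh:UpdateTicketStatus"],
   "resource": "*", "condition": {"ip_equal": {"qcs:ip": ["203.0.113.0/24"]}}}
]}
""")

if __name__ == "__main__":
    for index, message in lint_bh_policy(SAMPLE_POLICY):
        print(f"statement {index}: {message}")
```
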

Read operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| AccessDevice | Access Device | Operation level | * | Supported |
| AccessDevices | External client access to assets | Operation level | * | Supported |
| CanCreateTrialResource | CanCreateTrialResource | Operation level | * | Supported |
| DescribeAccessControlRule | Describe Access Control Rule | Operation level | * | Supported |
| DescribeAccessEntry | Describe Access Entry | Operation level | * | Supported |
| DescribeAlarmSetting | Describe Alarm Setting | Operation level | * | Supported |
| DescribeAssetSyncStatus | Describe Asset Sync Status | Operation level | * | Supported |
| DescribeCdcSetting | Describe Cdc Setting | Operation level | * | Supported |
| DescribeDeviceCount | Describe Device Count | Operation level | * | Supported |
| DescribeDeviceCountSummary | Describe device count summary | Operation level | * | Supported |
| DescribeDomainInstallScript | Describe Domain InstallScript | Operation level | * | Supported |
| DescribeEnvSetting | DescribeEnvSetting | Operation level | * | Supported |
| DescribeExportAuditLogTask | Describe Audit Log Export Tasks | Operation level | * | Supported |
| DescribeExportUserTask | Describe Export User Task | Operation level | * | Supported |
| DescribeLogOutputSettings | Describe Log Output Settings | Operation level | * | Supported |
| DescribeMFAPreCheck | Describe MFA Pre Check | Operation level | * | Supported |
| DescribeOperationTaskDetail | Describe Operation Task Detail | Operation level | * | Supported |
| DescribeSecuritySetting | Describe Security Setting | Operation level | * | Supported |
| DescribeSystemTaskStatistics | Describe System Task Statistics | Operation level | * | Supported |
| DescribeTicketHideFlag | Describe Ticket Hide Flag | Operation level | * | not supported |
| DescribeTicketSubmitFlag | Describe Ticket Submit Flag | Operation level | * | Supported |
| DescribeTrialGuide | DescribeTrialGuide | Operation level | * | Supported |
| DescribeUserCount | Describe User Count | Operation level | * | Supported |
| LoginOpserver | LoginOpserver | Operation level | * | Supported |
| ReplaySession | Replay Session | Operation level | * | Supported |
| SearchKeyboardLogger | Search Keyboard Logger | Operation level | * | Supported |
| ShowGraph | Show Graph | Operation level | * | Supported |
| ShowTop | Show Top | Operation level | * | Supported |
| ViewReport | View Report | Operation level | * | Supported |

Write operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| AccessTrackPage | Access Track Page | Operation level | * | Supported |
| AddAppAssetGroupMembers | Add App Asset Group Members | Operation level | * | Supported |
| AddDeviceGroupMembers | Add Device Group Members | Operation level | * | Supported |
| AddUserGroupMembers | Add User Group Members | Operation level | * | Supported |
| BindAppAsset | Bind App Asset | Operation level | * | Supported |
| BindDeviceAccountKubeconfig | Bind Device Account Kubeconfig | Operation level | * | not supported |
| BindDeviceAccountPassword | Bind Device Account Password | Operation level | * | Supported |
| BindDeviceAccountPrivateKey | Bind Device Account Private Key | Operation level | * | Supported |
| BindDeviceResource | Bind Device Resource | Operation level | * | Supported |
| CreateAccessControlRule | Create Access Control Rule | Operation level | * | Supported |
| CreateAccessControlTemplate | Create Access Control Template | Operation level | * | Supported |
| CreateAccessControlTemplateRule | Create Access Control Template Rule | Operation level | * | Supported |
| CreateAccessWhiteListRule | Create Access WhiteList Rule | Operation level | * | Supported |
| CreateAcl | Create Acl | Operation level | * | Supported |
| CreateAppAsset | Create App Asset | Operation level | * | Supported |
| CreateAssetSyncJob | Create Asset Sync Job | Operation level | * | Supported |
| CreateChangePwdTask | Create Change Pwd Task | Operation level | * | Supported |
| CreateCmdTemplate | Create Cmd Template | Operation level | * | Supported |
| CreateDepartment | Create Department | Operation level | * | Supported |
| CreateDeviceAccount | Create Device Account | Operation level | * | Supported |
| CreateDeviceAccountBatch | Create Device Account Batch | Operation level | * | Supported |
| CreateDeviceGroup | Create Device Group | Operation level | * | Supported |
| CreateDomain | Create Domain | Operation level | * | Supported |
| CreateExportAuditLogTask | Create Audit Log Export Task | Operation level | * | Supported |
| CreateExportDeviceTask | Create Export Device Task | Operation level | * | Supported |
| CreateExportUserTask | Create User Export Task | Operation level | * | Supported |
| CreateLogDelivery | Create Log Delivery | Operation level | * | Supported |
| CreatePushAccountTask | Create Push Account Task | Operation level | * | Supported |
| CreateReportTask | Create Report Task | Operation level | * | Supported |
| CreateResource | Create Resource | Operation level | * | Supported |
| CreateUKey | Bind UKey and user | Operation level | * | Supported |
| CreateUKeyBatch | Batch create UKey and bind user | Operation level | * | Supported |
| CreateUser | Create User | Operation level | * | Supported |
| CreateUserBatch | Create User Batch | Operation level | * | Supported |
| CreateUserGroup | Create User Group | Operation level | * | Supported |
| DeleteAccessControlRules | Delete Access Control Rules | Operation level | * | Supported |
| DeleteAccessControlTemplate | Delete Access Control Template | Operation level | * | Supported |
| DeleteAccessControlTemplateRule | Delete Access Control Template Rule | Operation level | * | Supported |
| DeleteAccessWhiteListRules | Delete Access White List Rules | Operation level | * | Supported |
| DeleteAcls | Delete Acls | Operation level | * | Supported |
| DeleteAppAssetGroupMembers | Delete App Asset Group Members | Operation level | * | Supported |
| DeleteAppAssets | Delete App Assets | Operation level | * | Supported |
| DeleteChangePwdTask | Delete Change Pwd Task | Operation level | * | Supported |
| DeleteCmdTemplates | Delete Cmd Templates | Operation level | * | Supported |
| DeleteDepartment | Delete Department | Operation level | * | Supported |
| DeleteDeviceAccounts | Delete Device Accounts | Operation level | * | Supported |
| DeleteDeviceGroupMembers | Delete Device Group Members | Operation level | * | Supported |
| DeleteDeviceGroups | Delete Device Groups | Operation level | * | Supported |
| DeleteDevices | Delete Devices | Operation level | * | Supported |
| DeleteDomains | Delete Domains | Operation level | * | Supported |
| DeleteExportAuditLogTask | Delete Audit Log Export Task | Operation level | * | Supported |
| DeleteExportDeviceTask | Delete Export Device Task | Operation level | * | Supported |
| DeleteExportUserTask | Delete Export User Task | Operation level | * | Supported |
| DeletePushAccountTasks | Delete Push Account Tasks | Operation level | * | Supported |
| DeleteReportTask | Delete Report Task | Operation level | * | Supported |
| DeleteReportTaskHistory | Delete Report Task History | Operation level | * | Supported |
| DeleteUKeys | Delete UKey | Operation level | * | Supported |
| DeleteUserGroupMembers | Delete User Group Members | Operation level | * | Supported |
| DeleteUserGroups | Delete User Groups | Operation level | * | Supported |
| DeleteUsers | Delete Users | Operation level | * | Supported |
| DisableIntranetAccess | DisableIntranetAccess | Operation level | * | Supported |
| EnableIntranetAccess | EnableIntranetAccess | Operation level | * | Supported |
| ImportDeviceAccount | Import Device Account | Operation level | * | Supported |
| ImportDevices | Import Devices | Operation level | * | Supported |
| ImportExternalDevice | ImportExternalDevice | Operation level | * | Supported |
| LeaveTrackPage | Leave Track Page | Operation level | * | Supported |
| ModifyAccessControlRule | Modify Access Control Rule | Operation level | * | Supported |
| ModifyAccessControlTemplate | Modify Access Control Template | Operation level | * | Supported |
| ModifyAccessControlTemplateRuleOrder | Modify Access Control Template Rule Order | Operation level | * | Supported |
| ModifyAccessTimePolicy | Modify Access Time Policy | Operation level | * | Supported |
| ModifyAccessWhiteListAutoStatus | Modify Access WhiteList Auto Status | Operation level | * | Supported |
| ModifyAccessWhiteListRule | Modify Access WhiteList Rule | Operation level | * | Supported |
| ModifyAccessWhiteListStatus | Modify Access WhiteList Status | Operation level | * | Supported |
| ModifyAcl | Modify Acl | Operation level | * | Supported |
| ModifyAlarmSetting | Modify Alarm Setting | Operation level | * | Supported |
| ModifyAppAsset | Modify App Asset | Operation level | * | Supported |
| ModifyAppAssetsDepartment | Modify App Assets Department | Operation level | * | Supported |
| ModifyAssetSyncFlag | Modify Asset Sync Flag | Operation level | * | Supported |
| ModifyAuthModeSetting | Modify Auth Mode Setting | Operation level | * | Supported |
| ModifyChangePwdTask | Modify Change Pwd Task | Operation level | * | Supported |
| ModifyCmdTemplate | Modify Cmd Template | Operation level | * | Supported |
| ModifyDepartment | Modify Department | Operation level | * | Supported |
| ModifyDevice | Modify Device | Operation level | * | Supported |
| ModifyDeviceGroup | Modify Device Group | Operation level | * | Supported |
| ModifyDevicesDepartment | Modify Devices Department | Operation level | * | Supported |
| ModifyDevicesPort | Modify Devices Port | Operation level | * | Supported |
| ModifyDevicesSSL | Modify devices ssl configuration | Operation level | * | Supported |
| ModifyDomain | Modify Domain | Operation level | * | Supported |
| ModifyExternalDevice | Modify External Device | Operation level | * | Supported |
| ModifyLDAPSetting | Modify LDAP Setting | Operation level | * | Supported |
| ModifyLogDelivery | Modify Log Delivery | Operation level | * | Supported |
| ModifyLogOutputSettings | Modify Log Output Settings | Operation level | * | Supported |
| ModifyLoginSetting | Modify Login Setting | Operation level | * | Supported |
| ModifyOAuthSetting | Modify OAuth Setting | Operation level | * | Supported |
| ModifyPasswordSetting | Modify Password Setting | Operation level | * | Supported |
| ModifyPushAccountTask | Modify Push Account Task | Operation level | * | Supported |
| ModifyReconnectionSetting | ModifyReconnectionSetting | Operation level | * | Supported |
| ModifyReportTask | Modify Report Task | Operation level | * | Supported |
| ModifyResource | Modify Resource | Operation level | * | Supported |
| ModifyTicketHideFlag | Modify Ticket Hide Flag | Operation level | * | not supported |
| ModifyTicketSubmitFlag | Modify Ticket Submit Flag | Operation level | * | Supported |
| ModifyUKey | Modify UKey bind user | Operation level | * | Supported |
| ModifyUser | Modify User | Operation level | * | Supported |
| ModifyUserBatch | Batch Modify User | Operation level | * | Supported |
| ModifyUserGroup | Modify User Group | Operation level | * | Supported |
| ModifyUsersDepartment | Modify Users Department | Operation level | * | Supported |
| ResetDeviceAccountKubeconfig | Reset Device Account Kubeconfig | Operation level | * | not supported |
| ResetDeviceAccountPassword | Reset Device Account Password | Operation level | * | Supported |
| ResetDeviceAccountPrivateKey | Reset Device Account Private Key | Operation level | * | Supported |
| SyncUserFromCam | SyncUserFromCam | Operation level | * | Supported |
| UpdateTicketStatus | Update Ticket Status | Operation level | * | not supported |
| UpdateTrialGuideStep | UpdateTrialGuideStep | Operation level | * | Supported |
| VisitTrackPage | Visit Track Page | Operation level | * | Supported |

Other Operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| ApproveTicket | Approve Ticket | Operation level | * | Supported |
| CheckLDAPConnection | Check LDAP Connection | Operation level | * | Supported |
| ConnectDomain | Connect Domain | Operation level | * | Supported |
| DeployResource | Deploy Resource | Operation level | * | Supported |
| DisconnectDomain | Disconnect Domain | Operation level | * | Supported |
| KillSession | Kill Session | Operation level | * | Supported |
| LockUser | Lock User | Operation level | * | Supported |
| MonitorSession | Monitor Session | Operation level | * | Supported |
| ResetLogDelivery | Reset Log Delivery | Operation level | * | Supported |
| ResetUser | Reset User | Operation level | * | Supported |
| RunChangePwdTask | Run Change Pwd Task | Operation level | * | Supported |
| RunPushAccountTask | Run Push Account Task | Operation level | * | Supported |
| SetLDAPSyncFlag | Set LDAP Sync Flag | Operation level | * | Supported |
| UnlockUser | Unlock User | Operation level | * | Supported |

List Operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeAccessControlRules | Describe Access Control Rules | Operation level | * | Supported |
| DescribeAccessControlTemplateRules | Describe Access Control Template Rules | Operation level | * | Supported |
| DescribeAccessControlTemplates | Describe Access Control Templates | Operation level | * | Supported |
| DescribeAccessWhiteListRules | Describe Access White List Rules | Operation level | * | Supported |
| DescribeAccountsWithDeviceCount | Describe Accounts With Device Count | Operation level | * | Supported |
| DescribeAcls | Describe Acls | Operation level | * | Supported |
| DescribeAppAssetGroupMembers | Describe App Asset Group Members | Operation level | * | Supported |
| DescribeAppAssets | Describe App Assets | Operation level | * | Supported |
| DescribeAssetSyncFlag | Describe Asset Sync Flag | Operation level | * | Supported |
| DescribeAvailableInstanceTypes | Describe Available Instance Types | Operation level | * | Supported |
| DescribeChangePwdTask | Describe Change Pwd Task | Operation level | * | Supported |
| DescribeChangePwdTaskDetail | Describe Change Pwd Task Detail | Operation level | * | Supported |
| DescribeCkafkaInstanceList | Describe Ckafka Instance List | Operation level | * | Supported |
| DescribeCmdTemplates | Describe Cmd Templates | Operation level | * | Supported |
| DescribeDepartments | Describe Departments | Operation level | * | Supported |
| DescribeDeviceAccounts | Describe Device Accounts | Operation level | * | Supported |
| DescribeDeviceGroupMembers | Describe Device Group Members | Operation level | * | Supported |
| DescribeDeviceGroups | Describe Device Groups | Operation level | * | Supported |
| DescribeDevices | Describe Devices | Operation level | * | Supported |
| DescribeDomains | Describe Domains | Operation level | * | Supported |
| DescribeExportDeviceTask | Describe Export Device Task | Operation level | * | Supported |
| DescribeInstanceIds | Describe InstanceIds | Operation level | * | Supported |
| DescribeLDAPUnitSet | Describe LDAP Unit Set | Operation level | * | Supported |
| DescribeLogDelivery | Describe Log Delivery | Operation level | * | Supported |
| DescribeLoginEvent | Describe Login Event | Operation level | * | Supported |
| DescribeOperationEvent | Describe Operation Event | Operation level | * | Supported |
| DescribeOperationTaskStatistics | Describe Operation Task Statistics | Operation level | * | Supported |
| DescribeOperationTasks | Describe Operation Tasks | Operation level | * | Supported |
| DescribeOperationType | Describe Operation Type | Operation level | * | Supported |
| DescribePushAccountTask | Describe Push Account Task | Operation level | * | Supported |
| DescribePushAccountTaskDetail | Describe Push Account Task Detail | Operation level | * | Supported |
| DescribeReportTask | Describe Report Task | Operation level | * | Supported |
| DescribeReportTaskHistory | Describe Report Task History | Operation level | * | Supported |
| DescribeResources | Describe Resources | Operation level | * | Supported |
| DescribeTaskTemplate | Describe Task Template | Operation level | * | Supported |
| DescribeTickets | Describe Tickets | Operation level | * | Supported |
| DescribeUKeys | List UKey and user | Operation level | * | Supported |
| DescribeUserGroupMembers | Describe User Group Members | Operation level | * | Supported |
| DescribeUserGroups | Describe User Groups | Operation level | * | Supported |
| DescribeUsers | Describe Users | Operation level | * | Supported |
| SearchAuditLog | Search Audit Log | Operation level | * | Supported |
| SearchChangePwdTaskInfo | Search Change Pwd TaskInfo | Operation level | * | Supported |
| SearchCommand | Search Command | Operation level | * | Supported |
| SearchCommandBySid | Search Command By Sid | Operation level | * | Supported |
| SearchEvent | Search Event | Operation level | * | Supported |
| SearchFile | Search File | Operation level | * | Supported |
| SearchFileBySid | Search File By Sid | Operation level | * | Supported |
| SearchFileSession | Search File Session | Operation level | * | Supported |
| SearchPushAccountTaskInfo | Search Push Account Task Info | Operation level | * | Supported |
| SearchSession | Search Session | Operation level | * | Supported |
| SearchSessionCommand | Search Session Command | Operation level | * | Supported |
| SearchStatement | Search Statement | Operation level | * | Supported |
| SearchStatementBySid | Search Statement By Sid | Operation level | * | Supported |
| SearchSubtaskResultById | Search Subtask Result By Id | Operation level | * | Supported |
| SearchTaskResult | Search Task Result | Operation level | * | Supported |
| SearchTaskResultDetail | Search Task Result Detail | Operation level | * | Supported |