Access Policy Templates

Last updated: 2024-12-17 20:53:57
    For custom permission policies, the following permission policy templates can be used based on the scenario.
    Module: Application Scenario
    Overall Operation (Best Practices): Classify topics, machine groups, and dashboards by using tags, and configure permissions by tag
    Data collection
    Topic management and search/analysis: Viewing/Managing Topics and Performing Search/Analysis; Using APIs to Perform Search and Analysis
    Dashboard
    Monitoring alarm
    Data Processing: Data Processing; Performing Scheduled SQL Analysis
    Data shipping and consumption: Shipping to CKafka; Shipping to COS; Shipping to SCF; Kafka Protocol Consumption; Shipping Metric Topics; Custom Consumption
    Independent DataSight console: Manage DataSight consoles
    Developer: Using CLS Through Grafana

    Overall operation (best practices)

    Users can classify topics, machine groups, and dashboards by using tags and configure permissions by tag. Tags are required for resources during resource creation. Users have management or read-only permissions only for resources with specified tags, which helps them manage various types of resources in CLS in batches.

    Management Permission for Resources with Specified Tags

    Note:
    Delete comments to use this policy.
    {
    "statement": [{
    "action": [ //Required read-only permission for related products
    "monitor:GetMonitorData",
    "monitor:DescribeBaseMetrics",
    "cam:ListGroups",
    "cam:GetGroup",
    "cam:DescribeSubAccountContacts",
    "cam:ListAttachedRolePolicies",
    "cam:GetRole",
    "vpc:DescribeSubnetEx",//Required for creating DataSight consoles accessed via the private network
    "vpc:DescribeVpcEx",//Required for creating DataSight consoles accessed via the private network
    "tag:TagResources",
    "tag:DescribeResourceTagsByResourceIds",
    "tag:GetTags",
    "tag:GetTagKeys",
    "tag:GetTagValues",
    "kms:GetServiceStatus"
    ],
    "effect": "allow",
    "resource": "*"
    },
    {
    "action": [ //Specify that tags such as testCAM:test1 are required for creating dashboards, logsets, topics, alarm policies, notification channel groups, machine groups, and DataSight consoles. Tags are not supported for creating other types of resources.
    "cls:CreateDashboard",
    "cls:CreateLogset",
    "cls:CreateTopic",
    "cls:CreateAlarm",
    "cls:CreateAlarmNotice",
    "cls:CreateMachineGroup",
    "cls:CreateConsole"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:request_tag": [
    "testCAM&test1"
    ]
    }
    },
    "effect": "allow",
    "resource": "*"
    },
    {
    "action": [ //Grant permission on all related APIs if tags are specified for resources. (APIs should support permission control by tag.)
    "cls:*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "testCAM&test1"
    ]
    }
    },
    "effect": "allow",
    "resource": "*"
    },
    {
    "action": [ //Some APIs do not support permission control by tag or resource scope limit. Most of the APIs below involve read operations, while some APIs of auxiliary features involve write operations. None of these APIs affect the core data security of products.
    "cls:CheckAlarmChannel",
    "cls:CheckAlarmRule",
    "cls:CheckDomainRepeat",
    "cls:CheckFunction",
    "cls:CheckRechargeKafkaServer",
    "cls:DescribeClsPrePayDetails",
    "cls:DescribeClsPrePayInfos",
    "cls:DescribeConfigMachineGroups",
    "cls:DescribeConfigs",
    "cls:DescribeAgentConfigs",
    "cls:DescribeTopicExtendConfig",
    "cls:DescribeDataTransformFailLogInfo",
    "cls:DescribeDataTransformInfo",
    "cls:DescribeDataTransformPreviewDataInfo",
    "cls:DescribeDataTransformPreviewInfo",
    "cls:DescribeDataTransformProcessInfo",
    "cls:DescribeDemonstrations",
    "cls:DescribeExceptionResources",
    "cls:DescribeExternalDataSourcePreview",
    "cls:DescribeFunctions",
    "cls:DescribeResources",
    "cls:DescribeShipperPreview",
    "cls:DescribeScheduledSqlProcessInfo",
    "cls:DescribeConfigurationTemplates",
    "cls:DescribeFolders",
    "cls:GetClsService",
    "cls:GetConfigurationTemplateApplyLog",
    "cls:PreviewKafkaRecharge",
    "cls:agentHeartBeat",
    "cls:CreateDemonstrations",
    "cls:DeleteDemonstrations",
    "cls:DescribeNoticeContents",
    "cls:DescribeWebCallbacks"
    ],
    "effect": "allow",
    "resource": "*"
    },
    {
    "action": [ //Some APIs do not support permission control by tag or resource scope limit. The APIs below involve write operations of core features. It is recommended to grant permissions only to certain users as required. APIs that do not need to be granted can be deleted.
    "cls:RealtimeProducer", //Upload data by using Kafka
    "cls:CreateConfigurationTemplate", //Configuration template API
    "cls:ModifyConfigurationTemplate",
    "cls:DeleteConfigurationTemplate",
    "cls:CreateFolder", //Folder API
    "cls:ModifyFolder",
    "cls:DeleteFolder",
    "cls:ModifyResourceAndFolderRelation",
    "cls:CreateDataTransform",//Data processing API
    "cls:ModifyDataTransform",
    "cls:DeleteDataTransform",
    "cls:RetryShipperTask",//COS shipping API
    "cls:ModifyDashboardSubscribeAck",//Dashboard subscription API
    "cls:DeleteDashboardSubscribe",
    "cls:ModifyConfigExtra",//Collection configuration API
    "cls:DeleteConfigExtra",
    "cls:RemoveMachine",//Machine group API
    "cls:UpgradeAgentNormal",
    "cls:CreateNoticeContent",//API related to alarm notification templates
    "cls:DeleteNoticeContent",
    "cls:ModifyNoticeContent",
    "cls:CreateWebCallback",//API related to alarm integration configuration
    "cls:ModifyWebCallback",
    "cls:DeleteWebCallback"
    ],
    "effect": "allow",
    "resource": "*"
    }
    ],
    "version": "2.0"
    }

    Read-Only Permission for Resources with Specified Tags

    Note:
    Delete comments to use this policy.
    {
    "statement": [{
    "action": [ //Required read-only permission for related products
    "monitor:GetMonitorData",
    "monitor:DescribeBaseMetrics",
    "cam:ListGroups",
    "cam:GetGroup",
    "cam:DescribeSubAccountContacts",
    "cam:ListAttachedRolePolicies",
    "tag:DescribeResourceTagsByResourceIds",
    "tag:GetTags",
    "tag:GetTagKeys",
    "tag:GetTagValues"
    ],
    "effect": "allow",
    "resource": "*"
    },
    {
    "action": [ //Grant read-only permission on related APIs if tags are specified for resources.
    "cls:DescribeConsumer",
    "cls:DescribeConsumerPreview",
    "cls:DescribeCosRecharges",
    "cls:DescribeDashboardSubscribes",
    "cls:DescribeDashboards",
    "cls:DescribeExports",
    "cls:DescribeIndex",
    "cls:DescribeIndexs",
    "cls:DescribeKafkaConsume",
    "cls:DescribeKafkaConsumer",
    "cls:DescribeKafkaRecharges",
    "cls:DescribeLatestJsonLog",
    "cls:DescribeLatestUserLog",
    "cls:DescribeLogContext",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeLogHistogram",
    "cls:DescribeMachineGroupConfigs",
    "cls:DescribeMachines",
    "cls:DescribePartitions",
    "cls:DescribeScheduledSqlInfo",
    "cls:DescribeScheduledSqlProcessInfo",
    "cls:DescribeShipperPreview",
    "cls:DescribeTopics",
    "cls:EstimateRebuildIndexTask",
    "cls:GetAlarm",
    "cls:GetAlarmLog",
    "cls:GetMetricLabelValues",
    "cls:GetMetricSeries",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryExemplars",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:SearchCosRechargeInfo",
    "cls:SearchDashboardSubscribe",
    "cls:SearchLog",
    "cls:DescribeAlarmNotices",
    "cls:DescribeAlarms",
    "cls:DescribeAlertRecordHistory",
    "cls:DescribeExternalDataSources",
    "cls:DescribeLogsets",
    "cls:DescribeMachineGroups",
    "cls:DescribeConsoles",
    "cls:DescribeShipperTasks",
    "cls:DescribeShippers",
    "cls:DescribeRebuildIndexTasks"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "testCAM&test1"
    ]
    }
    },
    "effect": "allow",
    "resource": "*"
    },
    {
    "action": [ //Some APIs do not support permission control by tag or resource scope limit. Most of the APIs below involve read operations, while some APIs of auxiliary features involve write operations. None of these APIs affect the core data security of products.
    "cls:CheckAlarmChannel",
    "cls:CheckAlarmRule",
    "cls:CheckDomainRepeat",
    "cls:CheckFunction",
    "cls:CheckRechargeKafkaServer",
    "cls:DescribeClsPrePayDetails",
    "cls:DescribeClsPrePayInfos",
    "cls:DescribeConfigMachineGroups",
    "cls:DescribeConfigs",
    "cls:DescribeAgentConfigs",
    "cls:DescribeTopicExtendConfig",
    "cls:DescribeDataTransformFailLogInfo",
    "cls:DescribeDataTransformInfo",
    "cls:DescribeDataTransformPreviewDataInfo",
    "cls:DescribeDataTransformPreviewInfo",
    "cls:DescribeDataTransformProcessInfo",
    "cls:DescribeDemonstrations",
    "cls:DescribeExceptionResources",
    "cls:DescribeExternalDataSourcePreview",
    "cls:DescribeFunctions",
    "cls:DescribeResources",
    "cls:DescribeShipperPreview",
    "cls:DescribeScheduledSqlProcessInfo",
    "cls:DescribeConfigurationTemplates",
    "cls:DescribeFolders",
    "cls:GetClsService",
    "cls:GetConfigurationTemplateApplyLog",
    "cls:PreviewKafkaRecharge",
    "cls:CreateDemonstrations",
    "cls:DeleteDemonstrations",
    "cls:CreateExport",
    "cls:DeleteExport",
    "cls:DescribeNoticeContents",
    "cls:DescribeWebCallbacks"
    ],
    "effect": "allow",
    "resource": "*"
    }
    ],
    "version": "2.0"
    }
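
Both tag-based templates above carry `//` comments that must be deleted before use, and both mix tag-conditioned statements with statements that apply to every resource. The following added example (not part of the Tencent Cloud documentation) strips the comments without touching `//` inside string values, parses the result, and lists the non-read actions a policy grants on `*` with no tag condition. The sample policy is constructed, and the read/write split by action-name prefix is an assumption of this sketch, not a CAM rule.

```python
import json

# Constructed sample written in the page's commented-template style.
SAMPLE_TEMPLATE = r'''
{
  "statement": [
    {
      "action": [ //Read-only helper APIs
        "tag:GetTags",
        "vpc:DescribeVpcEx"//Needed for private-network consoles
      ],
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": ["cls:*"], //Everything, but only on tagged resources
      "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["testCAM&test1"]}},
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        "cls:RealtimeProducer", //Upload data by using Kafka
        "cls:DeleteFolder"
      ],
      "effect": "allow",
      "resource": "*"
    }
  ],
  "version": "2.0"
}
'''

TAG_KEYS = {"qcs:resource_tag", "qcs:request_tag"}
# Assumption: action names starting with these verbs are read operations.
READ_PREFIXES = ("describe", "get", "list", "search", "check", "query",
                 "estimate", "preview", "metrics")


def strip_line_comments(text):
    """Remove // comments, leaving any // inside a JSON string untouched."""
    out, in_string, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1  # drop the comment, keep the newline
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_template(text):
    """Parse a commented template into a policy dict."""
    return json.loads(strip_line_comments(text))


def is_read_like(action):
    name = action.split(":", 1)[-1].lower()
    return name.startswith(READ_PREFIXES) and not name.endswith("write")


def has_tag_condition(stmt):
    return any(key in TAG_KEYS
               for operands in stmt.get("condition", {}).values()
               for key in operands)


def applies_to_all_resources(stmt):
    res = stmt.get("resource", [])
    return "*" in ([res] if isinstance(res, str) else res)


def unscoped_write_actions(policy):
    """Return (statement index, action) for non-read actions allowed on '*' with no tag condition."""
    findings = []
    for idx, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        if has_tag_condition(stmt) or not applies_to_all_resources(stmt):
            continue
        actions = stmt.get("action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.extend((idx, a) for a in actions if not is_read_like(a))
    return findings


if __name__ == "__main__":
    for idx, action in unscoped_write_actions(load_template(SAMPLE_TEMPLATE)):
        print(f"statement {idx}: {action} is allowed on every resource without a tag condition")
```

Run against a real template, the findings are the actions to review one by one before attaching the policy, since a tag condition elsewhere in the policy does not restrict them.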

    Data Collection

    Server Data Collection by Using LogListener

    Users can use LogListener on Agent to collect and upload log data. (The sample code below demonstrates the minimum permission for data upload by using LogListener installed on Agent.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:pushLog",
    "cls:getConfig",
    "cls:agentHeartBeat"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }
    Note:
    If the LogListener version is earlier than 2.6.5, add cls:listLogset to the action list.

    Self-built Kubernetes Data Collection by Using LogListener

    Users can use Logagent to collect and upload log data from self-built Kubernetes clusters. (The sample code below demonstrates the minimum permission for data upload from a self-built Kubernetes cluster.)
    {
    "version": "2.0",
    "statement": [
    {
    "action": [
    "cls:pushLog",
    "cls:agentHeartBeat",
    "cls:getConfig",
    "cls:CreateConfig",
    "cls:DeleteConfig",
    "cls:ModifyConfig",
    "cls:DescribeConfigs",
    "cls:DescribeMachineGroupConfigs",
    "cls:DeleteConfigFromMachineGroup",
    "cls:ApplyConfigToMachineGroup",
    "cls:DescribeConfigMachineGroups",
    "cls:ModifyTopic",
    "cls:DeleteTopic",
    "cls:CreateTopic",
    "cls:DescribeTopics",
    "cls:CreateLogset",
    "cls:DeleteLogset",
    "cls:DescribeLogsets",
    "cls:CreateIndex",
    "cls:ModifyIndex",
    "cls:CreateMachineGroup",
    "cls:DeleteMachineGroup",
    "cls:DescribeMachineGroups",
    "cls:ModifyMachineGroup",
    "cls:CreateConfigExtra",
    "cls:DeleteConfigExtra",
    "cls:ModifyConfigExtra"
    ],
    "resource": "*",
    "effect": "allow"
    }
    ]
    }

    Data Upload by Using APIs/SDKs

    Users can use APIs/SDKs to upload data to CLS. (The sample code below demonstrates the minimum permission for data upload by using APIs/SDKs.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:pushLog",
    "cls:UploadLog",
    "cls:MetricsRemoteWrite"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }

    Data Upload by Using Kafka

    Users can upload log data to CLS over Kafka protocol. (The sample code below demonstrates the minimum permission for data upload over Kafka protocol.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:RealtimeProducer"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }

    Data Upload Through Cloud Product Metric Subscription

    Users can upload metric data to CLS through cloud product metric subscription. (The sample code below demonstrates the minimum permission for data upload through cloud product metric subscription.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:CreateMetricSubscribe",
    "cls:DescribeMetricCorrectDimension",
    "cls:DescribeMetricSubscribePreview",
    "monitor:DescribeBaseMetrics",
    "monitor:DescribeProductList"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }

    Subscription to MySQL Binlog Data

    Users can upload MySQL binlog data to CLS through subscription. (The sample code below demonstrates the minimum permission for MySQL binlog data upload through subscription.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:CreateBinlogSubscribe",
    "cls:DescribeBinlogSubscribes",
    "cls:ModifyBinlogSubscribe",
    "cls:DescribeBinlogSubscribeConnectivity",
    "cls:DescribeBinlogSubscribePreview"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }

    Subscription to Kafka Data

    Users can upload Kafka cluster data to CLS through subscription. (The sample code below demonstrates the minimum permission for Kafka cluster data upload through subscription.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:PreviewKafkaRecharge",
    "cls:CreateKafkaRecharge",
    "cls:ModifyKafkaRecharge"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }

    FluentBit Log Uploading

    Users can upload Fluent Bit data to CLS by using Fluent Bit plugins in Go. (The sample code below demonstrates the minimum permission for data upload by using Fluent Bit plugins in Go.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:pushLog"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }

    Logstash Log Upload

    Users can upload Logstash data to CLS by using Logstash plugins. (The sample code below demonstrates the minimum permission for data upload by using Logstash plugins.)
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:pushLog"
    ],
    "resource": "*",
    "effect": "allow"
    }]
    }

    Managing Collection Configurations and Machine Groups

    Related operations include creation, modification, and deletion of collection configurations and machine groups.
    Config-related APIs correspond to resources related to collection configurations.
    MachineGroup-related APIs correspond to resources related to machine groups.
    The three ConfigExtra-related APIs are used to manage the cluster configuration for uploading self-built Kubernetes cluster data. They can be ignored if no self-built Kubernetes cluster data is uploaded.
    {
    "version": "2.0",
    "statement": [{
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:CreateConfig",
    "cls:DeleteConfig",
    "cls:DescribeConfigs",
    "cls:ModifyConfig",
    "cls:CreateConfigExtra",
    "cls:DeleteConfigExtra",
    "cls:ModifyConfigExtra",
    "cls:CreateMachineGroup",
    "cls:DeleteMachineGroup",
    "cls:DescribeMachineGroups",
    "cls:DeleteConfigFromMachineGroup",
    "cls:ApplyConfigToMachineGroup",
    "cls:ModifyMachineGroup"
    ],
    "resource": "*",
    "effect": "allow"
    }
    ]
    }

    Topic Management and Search/Analysis

    View/manage topics and perform search/analysis:

    Management Permission: Operations on All Topics

    Users can search for and manage all topics. Related operations include topic creation, topic deletion, and index configuration modification but exclude collection configuration, log shipping, and log processing.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:CreateLogset",
    "cls:CreateTopic",
    "cls:CreateExport",
    "cls:CreateIndex",
    "cls:DeleteLogset",
    "cls:DeleteTopic",
    "cls:DeleteExport",
    "cls:DeleteIndex",
    "cls:ModifyLogset",
    "cls:ModifyTopic",
    "cls:ModifyIndex",
    "cls:MergePartition",
    "cls:SplitPartition",
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeExports",
    "cls:DescribeIndex",
    "cls:DescribeIndexs",
    "cls:DescribePartitions",
    "cls:SearchLog",
    "cls:DescribeLogHistogram",
    "cls:DescribeLogContext",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeLatestJsonLog",
    "cls:DescribeRebuildIndexTasks",
    "cls:CreateRebuildIndexTask",
    "cls:EstimateRebuildIndexTask",
    "cls:CancelRebuildIndexTask",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Management Permission: Operations on Specified Topics

    Users can search for and manage specific topics. Related operations include topic creation, topic deletion, and index configuration modification but exclude collection configuration, log shipping, and log processing.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:CreateLogset",
    "cls:CreateTopic",
    "cls:CreateExport",
    "cls:CreateIndex",
    "cls:DeleteLogset",
    "cls:DeleteTopic",
    "cls:DeleteExport",
    "cls:DeleteIndex",
    "cls:ModifyLogset",
    "cls:ModifyTopic",
    "cls:ModifyIndex",
    "cls:MergePartition",
    "cls:SplitPartition",
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeExports",
    "cls:DescribeIndex",
    "cls:DescribeIndexs",
    "cls:DescribePartitions",
    "cls:SearchLog",
    "cls:DescribeLogHistogram",
    "cls:DescribeLogContext",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeLatestJsonLog",
    "cls:DescribeRebuildIndexTasks",
    "cls:CreateRebuildIndexTask",
    "cls:EstimateRebuildIndexTask",
    "cls:CancelRebuildIndexTask",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "qcs::cls:ap-guangzhou:100007*827:logset/1c012db7-2cfd-4418-**-7342c7a42516",
    "qcs::cls:ap-guangzhou:100007*827:topic/380fe1f1-0c7b-4b0d-**-d514959db1bb"
    ]
    }
    ]
    }

    Management Permission: Operations on Topics with Specified Tags

    Users can search for and manage topics with specific tags. Related operations include topic creation, topic deletion, and index configuration modification but exclude collection configuration, log shipping, and log processing. Tags are required for both topics and their logsets.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:CreateLogset",
    "cls:CreateTopic",
    "cls:CreateExport",
    "cls:CreateIndex",
    "cls:DeleteLogset",
    "cls:DeleteTopic",
    "cls:DeleteExport",
    "cls:DeleteIndex",
    "cls:ModifyLogset",
    "cls:ModifyTopic",
    "cls:ModifyIndex",
    "cls:MergePartition",
    "cls:SplitPartition",
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeExports",
    "cls:DescribeIndex",
    "cls:DescribeIndexs",
    "cls:DescribePartitions",
    "cls:SearchLog",
    "cls:DescribeLogHistogram",
    "cls:DescribeLogContext",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeLatestJsonLog",
    "cls:DescribeRebuildIndexTasks",
    "cls:CreateRebuildIndexTask",
    "cls:EstimateRebuildIndexTask",
    "cls:CancelRebuildIndexTask",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "testCAM&test1"
    ]
    }
    }
    }
    ]
    }

    Read-Only Permission: Operations on All Topics

    Users can search for all topics.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeExports",
    "cls:DescribeIndex",
    "cls:DescribeIndexs",
    "cls:DescribePartitions",
    "cls:SearchLog",
    "cls:DescribeLogHistogram",
    "cls:DescribeLogContext",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeLatestJsonLog",
    "cls:DescribeRebuildIndexTasks",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Read-Only Permission: Operations on Specified Topics

    Users can search for specified topics.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeExports",
    "cls:DescribeIndex",
    "cls:DescribeIndexs",
    "cls:DescribePartitions",
    "cls:SearchLog",
    "cls:DescribeLogHistogram",
    "cls:DescribeLogContext",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeLatestJsonLog",
    "cls:DescribeRebuildIndexTasks",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "qcs::cls:ap-guangzhou:100007*827:logset/1c012db7-2cfd-4418-**-7342c7a42516",
    "qcs::cls:ap-guangzhou:100007*827:topic/380fe1f1-0c7b-4b0d-**-d514959db1bb"
    ]
    }
    ]
    }

    Read-Only Permission: Operations on Topics with Specified Tags

    Users can search for topics with specified tags.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeExports",
    "cls:DescribeIndex",
    "cls:DescribeIndexs",
    "cls:DescribePartitions",
    "cls:SearchLog",
    "cls:DescribeLogHistogram",
    "cls:DescribeLogContext",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeLatestJsonLog",
    "cls:DescribeRebuildIndexTasks",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "testCAM&test1"
    ]
    }
    }
    }
    ]
    }

    Use APIs to perform search and analysis:

    Read-Only Permission: Search and Analysis on All Topics

    Users can perform search and analysis on all topics by using APIs.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries",
    "cls:MetricsRemoteRead"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Read-Only Permission: Search and Analysis on Specified Topics

    Users can perform search and analysis on specified topics by using APIs.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries",
    "cls:MetricsRemoteRead"
    ],
    "resource": [
    "qcs::cls:ap-guangzhou:100007*827:logset/1c012db7-2cfd-4418-**-7342c7a42516",
    "qcs::cls:ap-guangzhou:100007*827:topic/380fe1f1-0c7b-4b0d-**-d514959db1bb"
    ]
    }
    ]
    }

    Read-Only Permission: Search and Analysis on Topics with Specified Tags

    Users can perform search and analysis on topics with specified tags by using APIs.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:MetricsLabelValues",
    "cls:MetricsLabels",
    "cls:MetricsQuery",
    "cls:MetricsQueryRange",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries",
    "cls:MetricsRemoteRead"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "testCAM&test1"
    ]
    }
    }
    }
    ]
    }

    Dashboard

    Management Permission: Operations on All Dashboards

    Users can manage all dashboards. Related operations include creation, deletion, editing, viewing, and subscription. Dashboards can use data of all topics.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:GetChart",
    "cls:GetDashboard",
    "cls:ListChart",
    "cls:CreateChart",
    "cls:CreateDashboard",
    "cls:DeleteChart",
    "cls:DeleteDashboard",
    "cls:ModifyChart",
    "cls:ModifyDashboard",
    "cls:DescribeDashboards",
    "cls:CreateFolder",
    "cls:DeleteFolder",
    "cls:DescribeFolders",
    "cls:ModifyFolder",
    "cls:ModifyResourceAndFolderRelation",
    "cls:SearchDashboardSubscribe",
    "cls:CreateDashboardSubscribe",
    "cls:ModifyDashboardSubscribe",
    "cls:DescribeDashboardSubscribes",
    "cls:DeleteDashboardSubscribe",
    "cls:ModifyDashboardSubscribeAck"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:DescribeTopics",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeIndex",
    "cls:DescribeLogsets",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": "*"
    }
    ]
    }

    Management Permission: Operations on Dashboards with Specified Tags

    Users can manage dashboards with specified tags. Related operations include creation, deletion, editing, viewing, and subscription. Dashboards can use data of topics with specified tags.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:GetChart",
    "cls:GetDashboard",
    "cls:ListChart",
    "cls:CreateChart",
    "cls:CreateDashboard",
    "cls:DeleteChart",
    "cls:DeleteDashboard",
    "cls:ModifyChart",
    "cls:ModifyDashboard",
    "cls:DescribeDashboards",
    "cls:CreateFolder",
    "cls:DeleteFolder",
    "cls:DescribeFolders",
    "cls:ModifyFolder",
    "cls:ModifyResourceAndFolderRelation",
    "cls:SearchDashboardSubscribe",
    "cls:CreateDashboardSubscribe",
    "cls:ModifyDashboardSubscribe",
    "cls:DescribeDashboardSubscribes",
    "cls:DeleteDashboardSubscribe",
    "cls:ModifyDashboardSubscribeAck"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:DescribeTopics",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeIndex",
    "cls:DescribeLogsets",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    }
    ]
    }

    Management Permission: Operations on Specified Dashboards

    Users can manage specified dashboards. Related operations include creation, deletion, editing, viewing, and subscription. Dashboards can use data of specified topics.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:GetChart",
    "cls:GetDashboard",
    "cls:ListChart",
    "cls:CreateChart",
    "cls:CreateDashboard",
    "cls:DeleteChart",
    "cls:DeleteDashboard",
    "cls:ModifyChart",
    "cls:ModifyDashboard",
    "cls:DescribeDashboards",
    "cls:CreateFolder",
    "cls:DeleteFolder",
    "cls:DescribeFolders",
    "cls:ModifyFolder",
    "cls:ModifyResourceAndFolderRelation",
    "cls:SearchDashboardSubscribe",
    "cls:CreateDashboardSubscribe",
    "cls:ModifyDashboardSubscribe",
    "cls:DescribeDashboardSubscribes",
    "cls:DeleteDashboardSubscribe",
    "cls:ModifyDashboardSubscribeAck"
    ],
    "resource": [
    "qcs::cls::uin/100000*001:dashboard/dashboard-0769a3ba-2514-409d-**-f65b20b23736"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:DescribeTopics",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeIndex",
    "cls:DescribeLogsets",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "qcs::cls::uin/100000*001:topic/174ca473-50d0-4fdf-**-2ef681a1e02a"
    ]
    }
    ]
    }

    Read-Only Permission: Operations on All Dashboards

    Users can view all dashboards, and the dashboards can use data of all topics.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:GetChart",
    "cls:GetDashboard",
    "cls:ListChart",
    "cls:DescribeDashboards",
    "cls:DescribeFolders",
    "cls:SearchDashboardSubscribe",
    "cls:DescribeDashboardSubscribes"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:DescribeTopics",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeIndex",
    "cls:DescribeLogsets",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": "*"
    }
    ]
    }

    Read-Only Permission: Operations on Dashboards with Specified Tags

    Users can view dashboards with specified tags, and the dashboards can use data of topics with specified tags.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:GetChart",
    "cls:GetDashboard",
    "cls:ListChart",
    "cls:DescribeDashboards",
    "cls:DescribeFolders",
    "cls:SearchDashboardSubscribe",
    "cls:DescribeDashboardSubscribes"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:DescribeTopics",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeIndex",
    "cls:DescribeLogsets",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    }
    ]
    }

    Read-Only Permission: Operations on Specified Dashboards

    Users can view specified dashboards, and the dashboards can use data of specified topics.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:GetChart",
    "cls:GetDashboard",
    "cls:ListChart",
    "cls:DescribeDashboards",
    "cls:DescribeFolders",
    "cls:SearchDashboardSubscribe",
    "cls:DescribeDashboardSubscribes"
    ],
    "resource": [
    "qcs::cls::uin/100000*001:dashboard/dashboard-0769a3ba-2514-409d-**-f65b20b23736"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:DescribeTopics",
    "cls:DescribeLogFastAnalysis",
    "cls:DescribeIndex",
    "cls:DescribeLogsets",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "qcs::cls::uin/100000*001:topic/174ca473-50d0-4fdf-**-2ef681a1e02a"
    ]
    }
    ]
    }

    Monitoring and Alarm

    Management Permission: Operations on All Alarm Policies

    Users can manage all alarm policies. Related operations include creating alarm policies, creating notification channel groups, and viewing alarm policies.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:SearchLog",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeAlarms",
    "cls:CreateAlarm",
    "cls:ModifyAlarm",
    "cls:DeleteAlarm",
    "cls:DescribeAlarmNotices",
    "cls:CreateAlarmNotice",
    "cls:ModifyAlarmNotice",
    "cls:DeleteAlarmNotice",
    "cam:ListGroups",
    "cam:DescribeSubAccountContacts",
    "cam:GetGroup",
    "cls:GetAlarmLog",
    "cls:DescribeAlertRecordHistory",
    "cls:CheckAlarmRule",
    "cls:CheckAlarmChannel"
    ],
    "resource": "*"
    }
    ]
    }

    Management Permission: Operations on Alarm Policies with Specified Tags

    Users can manage alarm policies with specified tags. Related operations include modifying alarm policies, modifying notification channel groups, and viewing alarm policies.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:SearchLog",
    "cam:ListGroups",
    "cam:DescribeSubAccountContacts",
    "cam:GetGroup",
    "cls:CheckAlarmRule",
    "cls:CheckAlarmChannel",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeAlarms",
    "cls:ModifyAlarm",
    "cls:DeleteAlarm",
    "cls:DescribeAlarmNotices",
    "cls:ModifyAlarmNotice",
    "cls:DeleteAlarmNotice",
    "cls:GetAlarmLog",
    "cls:DescribeAlertRecordHistory"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    }
    ]
    }

    Management Permission: Operations on Specified Alarm Policies

    Users can manage specified alarm policies. Related operations include modifying alarm policies, modifying notification channel groups, and viewing alarm policies.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:SearchLog",
    "cam:ListGroups",
    "cam:DescribeSubAccountContacts",
    "cam:GetGroup",
    "cls:CheckAlarmRule",
    "cls:CheckAlarmChannel",
    "cls:GetMetricLabelValues",
    "cls:QueryMetric",
    "cls:QueryRangeMetric",
    "cls:GetMetricSeries"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeAlarms",
    "cls:ModifyAlarm",
    "cls:DeleteAlarm",
    "cls:DescribeAlarmNotices",
    "cls:ModifyAlarmNotice",
    "cls:DeleteAlarmNotice",
    "cls:GetAlarmLog",
    "cls:DescribeAlertRecordHistory"
    ],
    "resource": [
    "qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf",
    "qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"
    ]
    }
    ]
    }

    Read-Only Permission: Operations on All Alarm Policies

    Users can view all alarm policies.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeAlarms",
    "cls:DescribeAlarmNotices",
    "cls:GetAlarmLog",
    "cls:DescribeAlertRecordHistory",
    "cam:ListGroups",
    "cam:DescribeSubAccountContacts",
    "cam:GetGroup"
    ],
    "resource": "*"
    }
    ]
    }

    Read-Only Permission: Operations on Alarm Policies with Specified Tags

    Users can view alarm policies with specified tags.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cam:ListGroups",
    "cam:DescribeSubAccountContacts",
    "cam:GetGroup"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeAlarms",
    "cls:DescribeAlarmNotices",
    "cls:GetAlarmLog",
    "cls:DescribeAlertRecordHistory"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    }
    ]
    }

    Read-Only Permission: Operations on Specified Alarm Policies

    Users can view specified alarm policies.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cam:ListGroups",
    "cam:DescribeSubAccountContacts",
    "cam:GetGroup"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeAlarms",
    "cls:DescribeAlarmNotices",
    "cls:GetAlarmLog",
    "cls:DescribeAlertRecordHistory"
    ],
    "resource": [
    "qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf",
    "qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"
    ]
    }
    ]
    }

    Data Processing

    Data Processing

    Management Permission: Operations on All Data Processing Tasks

    Users can manage data processing tasks of all log topics.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeDataTransformPreviewDataInfo",
    "cls:DescribeTopics",
    "cls:DescribeIndex",
    "cls:CreateDataTransform"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeFunctions",
    "cls:CheckFunction",
    "cls:DescribeDataTransformFailLogInfo",
    "cls:DescribeDataTransformInfo",
    "cls:DescribeDataTransformPreviewInfo",
    "cls:DescribeDataTransformProcessInfo",
    "cls:DeleteDataTransform",
    "cls:ModifyDataTransform"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Read-Only Permission: Operations on All Data Processing Tasks

    Users can view data processing tasks of all log topics. DSL function authorization is not required.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "cls:DescribeDataTransformFailLogInfo",
    "cls:DescribeDataTransformInfo",
    "cls:DescribeDataTransformPreviewDataInfo",
    "cls:DescribeDataTransformPreviewInfo",
    "cls:DescribeDataTransformProcessInfo"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Perform scheduled SQL analysis:

    Management Permission: Scheduled SQL Analysis on All Log Topics

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:CreateScheduledSql",
    "cls:SearchLog",
    "cls:DescribeScheduledSqlInfo",
    "cls:DescribeScheduledSqlProcessInfo",
    "cls:DeleteScheduledSql",
    "cls:ModifyScheduledSql",
    "cls:RetryScheduledSqlTask"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Management Permission: Scheduled SQL Analysis on Log Topics with Specified Tags

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:SearchLog",
    "cls:DescribeScheduledSqlProcessInfo",
    "cls:CreateScheduledSql",
    "cls:DeleteScheduledSql",
    "cls:ModifyScheduledSql",
    "cls:RetryScheduledSqlTask"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "cls:DescribeScheduledSqlInfo"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Data Shipping and Consumption

    Ship to CKafka:

    Management Permission: Shipping All Log Topics to CKafka

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets",
    "cls:CreateConsumer",
    "cls:ModifyConsumer",
    "cls:DeleteConsumer",
    "cls:DescribeConsumer",
    "cls:DescribeConsumerPreview"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "cam:AttachRolePolicy",
    "cam:CreateRole",
    "cam:DescribeRoleList",
    "ckafka:DescribeInstances",
    "ckafka:DescribeTopic",
    "ckafka:DescribeInstanceAttributes",
    "ckafka:CreateToken",
    "ckafka:AuthorizeToken"
    ],
    "resource": "*"
    }
    ]
    }

    Management Permission: Shipping Log Topics with Specified Tags to CKafka

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets",
    "cls:CreateConsumer",
    "cls:ModifyConsumer",
    "cls:DeleteConsumer",
    "cls:DescribeConsumer",
    "cls:DescribeConsumerPreview"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "age&13",
    "name&vinson"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "cam:AttachRolePolicy",
    "cam:CreateRole",
    "cam:DescribeRoleList",
    "ckafka:DescribeInstances",
    "ckafka:DescribeTopic",
    "ckafka:DescribeInstanceAttributes",
    "ckafka:CreateToken",
    "ckafka:AuthorizeToken"
    ],
    "resource": "*"
    }
    ]
    }

    Read-Only Permission: Shipping All Log Topics to CKafka

    Users can perform read-only operations for shipping all log topics to CKafka.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets",
    "cls:DescribeConsumer",
    "cls:DescribeConsumerPreview"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "ckafka:DescribeInstances",
    "ckafka:DescribeTopic",
    "ckafka:DescribeInstanceAttributes",
    "ckafka:CreateToken",
    "ckafka:AuthorizeToken"
    ],
    "resource": "*"
    }
    ]
    }

    Read-Only Permission: Shipping Log Topics with Specified Tags to CKafka

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets",
    "cls:DescribeConsumer",
    "cls:DescribeConsumerPreview"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "ckafka:DescribeInstances",
    "ckafka:DescribeTopic",
    "ckafka:DescribeInstanceAttributes",
    "ckafka:CreateToken",
    "ckafka:AuthorizeToken"
    ],
    "resource": "*"
    }
    ]
    }

    Ship to COS:

    Management Permission: Shipping All Log Topics to COS

    Users can perform all operations for shipping all log topics to COS.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets",
    "cls:DescribeIndex",
    "cls:CreateShipper"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cls:ModifyShipper",
    "cls:DescribeShippers",
    "cls:DeleteShipper",
    "cls:DescribeShipperTasks",
    "cls:RetryShipperTask",
    "cls:DescribeShipperPreview",
    "cos:GetService",
    "cam:ListAttachedRolePolicies",
    "cam:AttachRolePolicy",
    "cam:CreateRole",
    "cam:DescribeRoleList"
    ],
    "resource": "*"
    }
    ]
    }

    Management Permission: Shipping Log Topics with Specified Tags to COS

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets",
    "cls:DescribeIndex",
    "cls:CreateShipper"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cls:ModifyShipper",
    "cls:DescribeShippers",
    "cls:DeleteShipper",
    "cls:DescribeShipperTasks",
    "cls:RetryShipperTask",
    "cls:DescribeShipperPreview",
    "cos:GetService",
    "cam:ListAttachedRolePolicies",
    "cam:AttachRolePolicy",
    "cam:CreateRole",
    "cam:DescribeRoleList"
    ],
    "resource": "*"
    }
    ]
    }
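    The tag-scoped templates on this page usually pair one statement that carries a `qcs:resource_tag` condition with a second statement on `"resource": "*"` that has none. The following check is an added example, not part of the Tencent Cloud documentation: it lists the non-read actions that a policy allows on every resource without any condition, using the template above as input. The read-only verb prefixes and the function names are assumptions of this example.

```python
import json

# Assumption of this example (not a CAM definition): an action whose name
# starts with one of these verbs only reads state; anything else changes it.
READ_PREFIXES = ("Describe", "Get", "List", "Search", "Query", "Check")

# The "Shipping Log Topics with Specified Tags to COS" management template
# from this page, with the placeholder tag "key&value" left as published.
TAG_SCOPED_COS_TEMPLATE = """
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["cls:DescribeTopics", "cls:DescribeLogsets",
                 "cls:DescribeIndex", "cls:CreateShipper"],
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}
      }
    },
    {
      "effect": "allow",
      "action": ["tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys",
                 "tag:DescribeTagValues", "cls:ModifyShipper",
                 "cls:DescribeShippers", "cls:DeleteShipper",
                 "cls:DescribeShipperTasks", "cls:RetryShipperTask",
                 "cls:DescribeShipperPreview", "cos:GetService",
                 "cam:ListAttachedRolePolicies", "cam:AttachRolePolicy",
                 "cam:CreateRole", "cam:DescribeRoleList"],
      "resource": "*"
    }
  ]
}
"""


def as_list(value):
    """CAM policies write "action" and "resource" as a string or a list."""
    return value if isinstance(value, list) else [value]


def is_mutating(action):
    """True when the action name does not start with a read-only verb."""
    verb = action.split(":", 1)[-1]
    return not verb.startswith(READ_PREFIXES)


def audit(policy):
    """Return (statement index, actions) for every allow statement that
    grants non-read actions on "*" and carries no condition block."""
    findings = []
    for index, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        on_everything = "*" in as_list(stmt.get("resource", []))
        if not on_everything or stmt.get("condition"):
            continue
        risky = sorted(a for a in as_list(stmt.get("action", []))
                       if is_mutating(a))
        if risky:
            findings.append((index, risky))
    return findings


def audit_text(policy_json):
    """Parse a policy document (comments already removed) and audit it."""
    return audit(json.loads(policy_json))


if __name__ == "__main__":
    for index, actions in audit_text(TAG_SCOPED_COS_TEMPLATE):
        print(f"statement {index}: unconditioned on '*':")
        for action in actions:
            print(f"  {action}")
```

    Statements reported by the check are the ones to review before attaching a tag-scoped template, since nothing in them limits the listed actions to tagged resources.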

    Read-Only Permission: Shipping All Log Topics to COS

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cls:DescribeShippers",
    "cls:DescribeShipperTasks",
    "cls:RetryShipperTask",
    "cls:DescribeShipperPreview",
    "cam:ListAttachedRolePolicies"
    ],
    "resource": "*"
    }
    ]
    }

    Read-Only Permission: Shipping Log Topics with Specified Tags to COS

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cls:DescribeShippers",
    "cls:DescribeShipperTasks",
    "cls:RetryShipperTask",
    "cls:DescribeShipperPreview",
    "cam:ListAttachedRolePolicies"
    ],
    "resource": "*"
    }
    ]
    }

    Ship to SCF:

    Management Permission: Shipping All Log Topics to SCF

    Users can perform all operations for shipping all log topics to SCF.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "cls:CreateDeliverFunction",
    "cls:DeleteDeliverFunction",
    "cls:ModifyDeliverFunction",
    "cls:GetDeliverFunction",
    "scf:ListFunctions",
    "scf:ListAliases",
    "scf:ListVersionByFunction"
    ],
    "resource": "*"
    }
    ]
    }

    Management Permission: Shipping Log Topics with Specified Tags to SCF

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "cls:CreateDeliverFunction",
    "cls:DeleteDeliverFunction",
    "cls:ModifyDeliverFunction",
    "cls:GetDeliverFunction",
    "scf:ListFunctions",
    "scf:ListAliases",
    "scf:ListVersionByFunction"
    ],
    "resource": "*"
    }
    ]
    }

    Read-Only Permission: Shipping All Log Topics to SCF

    Users can perform read-only operations for shipping all log topics to SCF.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets"
    ],
    "resource": "*"
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "cls:GetDeliverFunction",
    "scf:ListFunctions",
    "scf:ListAliases",
    "scf:ListVersionByFunction"
    ],
    "resource": "*"
    }
    ]
    }

    Read-Only Permission: Shipping Log Topics with Specified Tags to SCF

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeTopics",
    "cls:DescribeLogsets"
    ],
    "resource": "*",
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies",
    "cls:GetDeliverFunction",
    "scf:ListFunctions",
    "scf:ListAliases",
    "scf:ListVersionByFunction"
    ],
    "resource": "*"
    }
    ]
    }

    Kafka Protocol Consumption

    Management Permission: Consuming All Log Topics over Kafka Protocol

    Users can consume all log topics over Kafka protocol.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeKafkaConsumer",
    "cls:CloseKafkaConsumer",
    "cls:ModifyKafkaConsumer",
    "cls:OpenKafkaConsumer"
    ],
    "resource": [
    "*"
    ]
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Management Permission: Consuming Log Topics with Specific Tags over Kafka Protocol

    Users can consume log topics with specific tags over Kafka protocol.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeKafkaConsumer",
    "cls:CloseKafkaConsumer",
    "cls:ModifyKafkaConsumer",
    "cls:OpenKafkaConsumer"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    },
    {
    "effect": "allow",
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Management Permission: Consuming Specific Resources over Kafka Protocol

    {
    "statement": [
    {
    "action": [
    "cls:DescribeLogsets",
    "cls:DescribeTopics",
    "cls:DescribeKafkaConsumer",
    "cls:CloseKafkaConsumer",
    "cls:ModifyKafkaConsumer",
    "cls:OpenKafkaConsumer"
    ],
    "effect": "allow",
    "resource": [
    "qcs::cls:ap-chengdu:100001127XXX:logset/axxxxxx-772e-4971-ad9a-ddcfcfff691b",
    "qcs::cls:ap-chengdu:100001127XXX:topic/590xxxxxxx-36c4-447b-a84f-172ee7340b22"
    ]
    },
    {
    "action": [
    "tag:DescribeResourceTagsByResourceIds",
    "tag:DescribeTagKeys",
    "tag:DescribeTagValues",
    "cam:ListAttachedRolePolicies"
    ],
    "effect": "allow",
    "resource": [
    "*"
    ]
    }
    ],
    "version": "2.0"
    }

    Minimum Permission for Consumption over Kafka Protocol (Not for Console but for API Calls)

    {
    "version": "2.0",
    "statement": [
    {
    "action": [
    "cls:OpenKafkaConsumer"
    ],
    "effect": "allow",
    "resource": [
    "*"
    ]
    }
    ]
    }

    Ship metric topics:

    Management Permission: Shipping All Metric Topics

    {
    "statement": [
    {
    "action": [
    "cls:DescribeRemoteWriteTask",
    "cls:DescribeTopics",
    "cls:CreateRemoteWriteTask",
    "cls:ModifyRemoteWriteTask",
    "cls:DescribeLogsets",
    "cls:DeleteRemoteWriteTask",
    "cls:CheckRemoteWriteTaskConnect"
    ],
    "effect": "allow",
    "resource": [
    "*"
    ]
    }
    ],
    "version": "2.0"
    }

    Management Permission: Shipping Metric Topics with Specific Tags

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:DescribeRemoteWriteTask",
    "cls:DescribeTopics",
    "cls:CreateRemoteWriteTask",
    "cls:ModifyRemoteWriteTask",
    "cls:DescribeLogsets",
    "cls:DeleteRemoteWriteTask",
    "cls:CheckRemoteWriteTaskConnect"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "string_equal": {
    "qcs:resource_tag": "key:value"
    }
    }
    }
    ]
    }

    Custom Consumption

    Management Permission: Custom Consumption of All Metric Topics

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:CreateConsumerGroup",
    "cls:ModifyConsumerGroup",
    "cls:DescribeConsumerGroups",
    "cls:DeleteConsumerGroup",
    "cls:DescribeConsumerOffsets",
    "cls:CommitConsumerOffsets",
    "cls:SendConsumerHeartbeat",
    "cls:pullLog"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    DataSight Permissions

    Management Permission: Operations on All Independent DataSight Consoles

    Users can create, modify, view, and delete DataSight consoles in the Tencent Cloud console.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:CreateConsole",
    "cls:DeleteConsole",
    "cls:DescribeConsoles",
    "vpc:DescribeSubnetEx",
    "vpc:DescribeVpcEx",
    "cls:ModifyConsole"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Management Permission: Operations on Specific Independent DataSight Consoles

    Users can create, modify, view, and delete specific DataSight consoles in the Tencent Cloud console.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:CreateConsole",
    "cls:DeleteConsole",
    "cls:DescribeConsoles",
    "vpc:DescribeSubnetEx",
    "vpc:DescribeVpcEx",
    "cls:ModifyConsole"
    ],
    "resource": [
    "qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"
    ]
    }
    ]
    }

    Management Permission: Operations on Independent DataSight Consoles with Specific Tags

    Users can create, modify, view, and delete DataSight consoles with specific tags in the Tencent Cloud console.
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:CreateConsole",
    "cls:DeleteConsole",
    "cls:DescribeConsoles",
    "vpc:DescribeSubnetEx",
    "vpc:DescribeVpcEx",
    "cls:ModifyConsole"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    }
    ]
    }

    Read-Only Permission: Operations on All Independent DataSight Consoles

    Users can view relevant information on DataSight consoles in the Tencent Cloud console.
    {
    "statement": [
    {
    "action": [
    "cls:DescribeConsoles"
    ],
    "effect": "allow",
    "resource": [
    "*"
    ]
    }
    ],
    "version": "2.0"
    }

    Read-Only Permission: Operations on Specific Independent DataSight Consoles

    Users can view relevant information on specific DataSight consoles in the Tencent Cloud console.
    {
    "statement": [
    {
    "action": [
    "cls:DescribeConsoles"
    ],
    "effect": "allow",
    "resource": [
    "qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"
    ]
    }
    ],
    "version": "2.0"
    }

    Read-Only Permission: Operations on Independent DataSight Consoles with Specific Tags

    Users can view relevant information on DataSight consoles with specific tags in the Tencent Cloud console.
    {
    "statement": [
    {
    "action": [
    "cls:DescribeConsoles"
    ],
    "effect": "allow",
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    }
    ],
    "version": "2.0"
    }

    Developer

    Use CLS through Grafana:

    Displaying Data of All Topics Through Grafana

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:MetricsLabelValues",
    "cls:MetricsQueryRange",
    "cls:MetricsLabels",
    "cls:MetricsQuery"
    ],
    "resource": [
    "*"
    ]
    }
    ]
    }

    Displaying Data of Topics with Specified Tags Through Grafana

    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cls:SearchLog",
    "cls:MetricsSeries",
    "cls:MetricsQueryExemplars",
    "cls:MetricsLabelValues",
    "cls:MetricsQueryRange",
    "cls:MetricsLabels",
    "cls:MetricsQuery"
    ],
    "resource": [
    "*"
    ],
    "condition": {
    "for_any_value:string_equal": {
    "qcs:resource_tag": [
    "key&value"
    ]
    }
    }
    }
    ]
    }
    