Note:
This document describes the access management feature of SMS. For more information on access management for other Tencent Cloud services, please see CAM-Enabled Products.
Using a default policy is a convenient way to implement authorization in SMS access control, but its permission granularity is coarse and cannot be refined to the level of SMS applications or TencentCloud APIs. If you need fine-grained permission control, you need to create custom policies.
Custom Policy Creation Methods
There are multiple ways to create a custom policy. The table below shows a comparison of various methods. For detailed directions, please see further below.
Note:
SMS does not support creating custom policies by product feature or project.
Manual selection means that you can select an object from the candidate list displayed in the console.
Authorization Policy Syntax
Resource syntax description
As mentioned above, the resource granularity of permission management in SMS is the application. The application description in the policy syntax follows the CAM resource description method. In the example below, the developer's root account ID is 12345678, and the developer has created three applications with an App of 1400000000, 1400000001, and 1400000002, respectively.
Policy syntax description for all SMS applications
"resource": ["qcs::sms::uin/12345678:app/*"]
Policy syntax description for a single SMS application
"resource": ["qcs::sms::uin/12345678:app/1400000001"]
Policy syntax description for multiple SMS applications
"resource": ["qcs::sms::uin/12345678:app/1400000000", "qcs::sms::uin/12345678:app/1400000001"]
Action syntax description
As mentioned above, the action granularity of permission management in SMS is the TencentCloud API. For more information, please see Authorizable Resources and Actions. TencentCloud APIs such as DescribeAppList (getting application list) and DescribeAppInfo (getting application information) are used as examples below.
Policy syntax description for all SMS TencentCloud APIs
Policy syntax description for a single TencentCloud API
"action": [
    "name/sms:DescribeAppList"
]
Policy syntax description for multiple TencentCloud APIs
"action": [
    "name/sms:DescribeAppList",
    "name/sms:DescribeAppInfo"
]
Custom Policy Use Cases
Using the policy generator
In the example below, we will create a custom policy, which allows all actions except the console API DeleteAppInfo to be performed on the SMS application 1400000001.
1. Access the Policy page in the CAM console using a Tencent Cloud root account and click Create Custom Policy.
2. Select Create by Policy Generator to access the policy creation page.
3. Select the service and action.
Select Allow for Effect.
Select Short Message Service (sms) for Service.
Check all items for Action.
The Condition configuration item does not need to be configured.
Click Add Statement and a statement saying that "Any action is allowed on the SMS application 1400000001" will appear at the bottom of the page.
4. Continue adding another statement on the same page.
Select Deny for Effect.
Select Short Message Service (sms) for Service.
Check DeleteAppInfo (which can be quickly found using the search engine) for Action.
The Condition configuration item does not need to be configured.
Click Add Statement and a statement saying that "The DeleteAppInfo action is denied on the SMS application 1400000001" will appear at the bottom of the page.
5. Click Next and rename the policy as needed (or leave it unchanged).
Using the policy syntax
In the example below, we will create a custom policy, which allows all actions to be performed on SMS applications 1400000001 and 1400000002 but denies DeleteAppInfo for application 1400000001.
1. Access the Policy page in the CAM console using a Tencent Cloud root account and click Create Custom Policy.
2. Select Create by Policy Syntax to access the policy creation page.
3. In the Select a template type box, select Blank Template.
Note:
A policy template is used to create a policy by copying an existing policy (preset or custom) and then making adjustments to the copy. During actual use, you can choose an appropriate policy template based on the actual conditions to reduce the difficulty and workload of writing the policy content.
4. Click Next and rename the policy as needed (or leave it unchanged).
5. Enter the following policy content in the Policy Content box:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "name/sms:*"
            ],
            "resource": [
                "qcs::sms::uin/12345678:app/1400000001",
                "qcs::sms::uin/12345678:app/1400000002"
            ]
        },
        {
            "effect": "deny",
            "action": [
                "name/sms:DeleteAppInfo"
            ],
            "resource": [
                "qcs::sms::uin/12345678:app/1400000001"
            ]
        }
    ]
}
6. Click Complete to create the custom policy.
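Before attaching a policy like the one above, it helps to confirm that every action and resource string follows the syntax shown earlier and that the deny statement actually covers the request it is meant to block. The following is an added example, not Tencent Cloud code: the helper names (lint, is_allowed, app) are hypothetical, and the evaluation model (default deny, a matching deny overrides any allow, * as a wildcard) is a simplified assumption rather than CAM's implementation.

```python
import json
import re
from fnmatch import fnmatchcase

# String formats taken from this page's resource and action syntax sections.
ACTION_RE = re.compile(r"name/sms:(\*|\w+)")
RESOURCE_RE = re.compile(r"qcs::sms::uin/\d+:app/(\*|\d+)")

# Constructed sample: the policy from the "Using the policy syntax" use case.
POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow",
     "action": ["name/sms:*"],
     "resource": ["qcs::sms::uin/12345678:app/1400000001",
                  "qcs::sms::uin/12345678:app/1400000002"]},
    {"effect": "deny",
     "action": ["name/sms:DeleteAppInfo"],
     "resource": ["qcs::sms::uin/12345678:app/1400000001"]}
  ]
}
""")


def lint(policy):
    """Return entries that do not follow the page's action/resource syntax."""
    bad = []
    for stmt in policy["statement"]:
        bad += [a for a in stmt["action"] if not ACTION_RE.fullmatch(a)]
        bad += [r for r in stmt["resource"] if not RESOURCE_RE.fullmatch(r)]
    return bad


def is_allowed(policy, action, resource):
    """Assumed model: default deny, and a matching deny beats any allow."""
    allowed = False
    for stmt in policy["statement"]:
        hit = (any(fnmatchcase(action, a) for a in stmt["action"])
               and any(fnmatchcase(resource, r) for r in stmt["resource"]))
        if hit and stmt["effect"] == "deny":
            return False
        allowed = allowed or (hit and stmt["effect"] == "allow")
    return allowed


def app(app_id):
    """Build the resource string for an application under account 12345678."""
    return f"qcs::sms::uin/12345678:app/{app_id}"
```

Calling lint on a draft policy before pasting it into the Policy Content box catches stray whitespace or inconsistent casing in an entry, which in this model would leave a deny statement matching nothing.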