- 产品简介
- 购买指南
- 快速入门
- 用户指南
- 支持角色的业务
- 支持CAM的业务接口
- 实践教程
- 商用案例
- API 文档
- History
- Introduction
- API Category
- User APIs
- DescribeSafeAuthFlagColl
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- GetUserAppId
- UpdateAccessKey
- DeleteAccessKey
- CreateAccessKey
- Making API Requests
- Identity Provider APIs
- Policy APIs
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- ListAttachedUserAllPolicies
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- UntagRole
- TagRole
- Data Types
- Error Codes
- 常见问题
- 词汇表
- 产品简介
- 购买指南
- 快速入门
- 用户指南
- 支持角色的业务
- 支持CAM的业务接口
- 实践教程
- 商用案例
- API 文档
- History
- Introduction
- API Category
- User APIs
- DescribeSafeAuthFlagColl
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- GetUserAppId
- UpdateAccessKey
- DeleteAccessKey
- CreateAccessKey
- Making API Requests
- Identity Provider APIs
- Policy APIs
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- ListAttachedUserAllPolicies
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- UntagRole
- TagRole
- Data Types
- Error Codes
- 常见问题
- 词汇表
腾讯云用户访问云资源时, CAM 通过以下评估逻辑决定允许或拒绝。
1. 默认情况下,所有请求都将被拒绝。
2. CAM 会检查当前用户关联的所有策略。
2.1 判断是否匹配策略,是则进行下一步判断;否则最终判断为 deny ,不允许访问云资源。
2.2 判断是否有匹配 deny 策略,是则最终判定为 deny ,不允许访问云资源;否则进行下一步判断。
2.3 判断是否有匹配 allow 策略,是则最终判断为 allow ,允许访问云资源;否则最终判定为 deny,不允许访问云资源。
注意:
对于主账号,默认拥有其名下所有资源的访问权限;且目前仅 COS/CAS 产品支持跨账号的资源访问。
有些通用策略,会默认关联所有 CAM 用户。具体请见下文的 通用策略表。
其他策略都必须显式指定,包括 allow 和 deny 策略。
对于支持跨帐号资源访问的业务,存在权限传递的场景,即主账号 A 授权主账号 B 下的某个子账号对其资源的访问权限。这个时候 CAM 会同时校验 A 是否授权给 B 该权限以及 B 是否授权给子帐号该权限,两者同时满足的前提下, B 的子账号才有权访问 A 的资源。
目前支持的
通用策略表如下:策略说明 | 策略定义 |
查询密钥需要 MFA 验证 | { "principal":"", action":"account:QueryKeyBySecretId", "resource":"", "condition":{"string_equal":{"mfa":"0"}} } |
设置敏感操作需要 MFA 验证 | { "principal":"", "action":"account:SetSafeAuthFlag", "resource":"", "condition":{"string_equal":{"mfa":"0"}} } |
绑定 token 需要 MFA 验证 | { "principal":"", "action":"account:BindToken", "resource":"", "condition":{"string_equal":{"mfa":"0"}} } |
解绑 token 需要 MFA 验证 | { "principal":"", "action":"account:UnbindToken", resource":"", condition":{"string_equal":{"mfa":"0"}} } |
修改邮箱需要 MFA 验证 | { "principal":"", "action":"account:ModifyMail", "resource":"", "condition":{"string_equal":{"mfa":"0"}} } |
修改手机号需要 MFA 验证 | { "principal":"", "action":"account:ModifyPhoneNum", "resource":"", "condition":{"string_equal":{"mfa":"0"}} } |
是
否
本页内容是否解决了您的问题?