
Advanced Custom Configuration
Last updated: 2024-01-16 17:43:54

Overview

If you use Tencent Push Notification Service in Tencent Cloud and the service is managed by several users who share your Tencent Cloud account key, the following problems may occur:
The risk of the key being compromised is high, since multiple users share it.
Users may introduce security risks through misoperations, since there is no user-level access control.
You can avoid these problems by letting different users manage different services through sub-accounts. By default, a sub-account has no permission to use Tencent Push Notification Service or its resources, so you need to create a policy that grants the required permissions to the sub-account. Tencent Cloud's Cloud Access Management (CAM) is a web service that helps you manage access permissions for the resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users and user groups, and manage identities and policies so that specific users can access and use specific Tencent Cloud resources. You use CAM to associate a user or user group with a policy, which allows or denies that user to perform specified operations on specified resources. For CAM policy basics, see Syntax Logic. For how to use CAM policies, see Policy.
Note:
If you do not need to manage access permissions to Tencent Push Notification Service resources for sub-accounts, you can skip this part. This will not affect your understanding and use of other parts of the documentation.

Policy Syntax Description

A CAM policy must authorize or deny the use of one or more Tencent Push Notification Service operations. At the same time, it must specify the resources that can be used for the operations (which can be all resources, or partial resources for certain operations). For Tencent Push Notification Service operations that do not support resource-level authorization, you need to specify the authorized object as all resources. CAM policy syntax description:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "effect",
            "action": ["action"],
            "resource": ["resource"],
            "condition": {"key": {"value"}}
        }
    ]
}
Parameter description:
Parameter | Required | Description
version | Yes | Version number. Currently, only "2.0" is supported.
statement | Yes | Describes the details of one or more permissions. It contains a permission or permission set made up of the other elements: effect, action, resource, and condition. One policy has only one statement.
action | Yes | Describes an allowed or denied operation, which can be an API or a feature set (a set of specific APIs prefixed with permid).
resource | Yes | The specific resource. A resource is described in a six-segment format. Detailed resource definitions vary with the product. For more information about how to specify a resource, see the documentation of the corresponding product.
condition | No | The condition for the policy to take effect. A condition consists of an operator, an action key, and an action value. A condition value may be the time, an IP address, etc. Some services allow you to specify additional values in a condition.
effect | Yes | Describes whether the statement result is "allowed" (allow) or "explicitly denied" (deny).

Creating Policy and Granting Permissions

Two types of system-level policies are preset for you to quickly grant permissions. You can go to the console > Cloud Access Management > Policies, click Create Custom Policy, and select Create by Policy Syntax, as shown below:

On the Create by Policy Syntax page, you can search for and find two preset policy templates, which grant full access and read-only access, respectively (you can view the list of specific permissions during policy creation). You can select a template and edit it, or create a blank template.

After creating a policy, you can find it on the Policies page in the CAM console and associate it with a sub-user to complete the permission configuration. This document describes how to perform CAM authorization in Tencent Push Notification Service.

Authorizable Tencent Push Notification Service Resources

Resource-level permission can be used to specify which resources a user can manipulate. The type of resources that can be authorized in Tencent Push Notification Service is "app", that is, you can grant resource-level permissions in CAM at the app granularity. The resource description method is as follows:
qcs::tpns::uin/1000000000:app/*
Here, * indicates all resources at the app granularity; it can be replaced with the app's Access ID, which you can find in the Product Management module of the Tencent Push Notification Service console. For the uin, use the account ID shown on the Account Info page in the console (1000000000 above is a sample Tencent Cloud ID of a root account).
When authorizing multiple resources, separate them with commas.

Tencent Push Notification Service Operations That Can Be Authorized

In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with name/tpns: should be used for Tencent Push Notification Service, such as name/tpns:CreateProduct. To specify multiple operations in a single statement, separate them with commas as shown below:
"action":["tpns:action1","tpns:action2"]
You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
"action":["tpns:Describe*"]
To specify all Tencent Push Notification Service operations, use an asterisk (*) as follows:
"action":["tpns:*"]
The following table describes the list of authorizable operations:
Note:
Only operations that support resource-level permissions can be authorized at the app level.
Operation | Description | Resource-Level Permission Supported
AddChannelInfo | Adds vendor-specific channel | Yes
CancelPush | Cancels scheduled push task | Yes
CreateApp | Creates app | No
CreateAppTrialRequest | Applies for product trial | Yes
CreateProduct | Creates product | No
DeleteAppInfo | Deletes app | Yes
DeleteProductInfo | Deletes product | No
DescribeApnsCertInfo | Queries APNS certificate information | Yes
DescribeAppAllTags | Queries all tag information | Yes
DescribeAppInfo | Queries app information | Yes
DescribeAppVipInfo | Queries VIP information | Yes
DescribeChannelInfo | Queries vendor-specific channel information | Yes
DescribeProductInfo | Queries product information | No
DescribeTagTokenNums | Queries the number of devices under the tag | Yes
DownloadPushPackage | Downloads push number package | Yes
DescribeAccountByToken | Queries account bound to device | Yes
DescribeAccountPushStatInfo | Queries the total number of push messages under account | No
DescribeAccountPushStatInfoAllZone | Queries the total number of messages supposed to be sent by all apps in cluster | No
DescribeAppSecretInfo | Queries AppSecret information | Yes
DescribeDeviceStatOverview | Queries the number of accumulated and daily active devices of app | Yes
DescribeProductDeviceStatWithRatioOverview | Queries app statistics | Yes
DescribePushPackageToken | Uploads number package to get temporary COS token | Yes
DescribePushTaskGroupStatAllChannel | Queries the aggregated data of pushes in all channels | Yes
DescribePushTaskStatAllChannel | Queries the data of each push channel | Yes
DescribeTagsByToken | Queries tags bound to device | Yes
DescribeTokenInfos | Queries tokenInfo information | No
DescribePushInfos | Queries push list | Yes
ModifyAppInfo | Updates app information | Yes
ModifyProductInfo | Updates product information | No
CreatePush | Creates push | Yes
UpdateAppStatus | Updates app status | Yes
UploadCert | Uploads iOS certificate | Yes
UploadPushPackage | Uploads push number package | Yes
DescribePlanPushInfos | Queries the task list under the push plan | Yes
DescribePushPlans | Queries the list information about the push plan | Yes
UpdatePushPlan | Modifies a push plan | Yes
DeletePushPlan | Deletes a push plan | Yes
CreatePushPlan | Creates a push plan | Yes

Sample Policy for Operations Personnel

Suppose that the main responsibilities of the operations personnel are to view push records and create pushes. From the list of authorizable operations above, the operation permissions they need are:
All query operations
Canceling scheduled push tasks
Creating pushes
Uploading push number packages
Downloading push number packages
Assume that the root account ID is 1000000000, and the Access IDs of the authorized applications are 1500000000 and 1500000001, respectively. The corresponding policy syntax should be as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "tpns:Describe*",
                "tpns:CancelPush",
                "tpns:DownloadPushPackage",
                "tpns:CreatePush",
                "tpns:UploadPushPackage"
            ],
            "resource": [
                "qcs::tpns::uin/1000000000:app/1500000000",
                "qcs::tpns::uin/1000000000:app/1500000001"
            ],
            "effect": "allow"
        },
        {
            "action": [
                "tpns:Describe*"
            ],
            "resource": [
                "qcs::tpns::uin/1000000000:other/*"
            ],
            "effect": "allow"
        }
    ]
}
The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.
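As an added example (not Tencent's code or any CAM API), the following Python checker parses the six-segment resource string, evaluates an action/resource pair against a policy, and flags app-scoped grants for operations that the table above marks as not supporting resource-level permission. The operations subset, the sample uin and Access IDs, and the deny-beats-allow evaluation order are assumptions for illustration; the policy it checks is a copy of the operations-personnel policy above.

```python
import fnmatch
import re
# Constructed subset of the page's operations table: True = supports resource-level (app) permission.
RESOURCE_LEVEL = {"CreatePush": True, "CancelPush": True, "DescribeAppInfo": True,
                  "DescribeProductInfo": False, "CreateApp": False, "CreateProduct": False}
# Six-segment TPNS resource: qcs:<project>:tpns:<region>:uin/<id>:<type>/<id>
RESOURCE_RE = re.compile(r"^qcs:[^:]*:tpns:[^:]*:uin/(\d+|\*):(app|other)/([^:/]+)$")
# Constructed copy of the operations-personnel policy above (sample uin and Access IDs).
OPS_POLICY = {"version": "2.0", "statement": [
    {"action": ["tpns:Describe*", "tpns:CancelPush", "tpns:DownloadPushPackage",
                "tpns:CreatePush", "tpns:UploadPushPackage"],
     "resource": ["qcs::tpns::uin/1000000000:app/1500000000",
                  "qcs::tpns::uin/1000000000:app/1500000001"], "effect": "allow"},
    {"action": ["tpns:Describe*"], "resource": ["qcs::tpns::uin/1000000000:other/*"],
     "effect": "allow"}]}
def _as_list(value):  # CAM accepts a single string or a list for action/resource
    return value if isinstance(value, list) else [value]
def _matches(pattern, action):  # bare "*" covers every operation; else glob, e.g. "tpns:Describe*"
    return pattern == "*" or fnmatch.fnmatchcase(action, pattern)
def parse_resource(res):
    """Split a TPNS resource string; raise on anything not in six-segment form."""
    m = RESOURCE_RE.match(res)
    if not m:
        raise ValueError(f"malformed TPNS resource: {res}")
    return {"uin": m.group(1), "type": m.group(2), "id": m.group(3)}

def lint_policy(policy):
    """List app-scoped grants for operations the table marks as not resource-level."""
    findings = []
    for st in policy.get("statement", []):
        for res in _as_list(st["resource"]):
            if parse_resource(res)["type"] != "app":
                continue  # only app granularity is resource-level in TPNS
            for op, supported in RESOURCE_LEVEL.items():
                if not supported and any(_matches(a, "tpns:" + op) for a in _as_list(st["action"])):
                    findings.append(f"{op} is not resource-level; grant on {res} does not cover it")
    return findings

def is_allowed(policy, action, resource):
    """Evaluate one request: a matching deny wins; else allow if any statement matches (assumed order)."""
    allowed = False
    for st in policy["statement"]:
        if not any(_matches(a, action) for a in _as_list(st["action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["resource"])):
            continue
        if st["effect"] == "deny":
            return False
        allowed = True
    return allowed
```

Running lint_policy on the copied policy reports that "tpns:Describe*" at app granularity also names DescribeProductInfo, which the table lists as not resource-level, so that operation is not actually granted by the app-scoped statement.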

Sample Policy for Developers

Suppose that the main responsibilities of developers are to access and test the service. Then, all operation permissions should be granted. Assume that the root account ID is 1000000000, and the Access IDs of the authorized applications are 1500000000 and 1500000001, respectively. The corresponding policy syntax should be as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": "*",
            "resource": [
                "qcs::tpns::uin/1000000000:app/1500000000",
                "qcs::tpns::uin/1000000000:app/1500000001"
            ],
            "effect": "allow"
        },
        {
            "action": [
                "tpns:Describe*"
            ],
            "resource": [
                "qcs::tpns::uin/1000000000:other/*"
            ],
            "effect": "allow"
        }
    ]
}
The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.