If you use the Tencent Push Notification Service service in Tencent Cloud, and the service is managed by different users sharing your Tencent Cloud account key, the following problems may occur:
You can allow different users to manage different services through sub-accounts to avoid the above problems. By default, a sub-account does not have permission to use a Tencent Push Notification Service service or related resources. Therefore, you need to create a policy to grant the required permission to the sub-account.
Tencent Cloud’s Cloud Access Management (CAM) is a web service that helps you manage the access permissions for resources under your Tencent Cloud accounts. With CAM, you can create, manage, or terminate users (groups), and manage identities and policies to allow specific users to access and use specific Tencent Cloud resources.
You can use CAM to associate a user/user group with a policy, which allows/denies the user to use specified resources to perform specified tasks. For CAM policy basics, please see Syntax Logic. For the use of CAM policies, please see Policy.
Note:If you do not need to manage access permissions to Tencent Push Notification Service resources for sub-accounts, you can skip this part. This will not affect your understanding and use of other parts of the documentation.
A CAM policy must authorize or deny the use of one or more Tencent Push Notification Service operations. At the same time, it must specify the resources that can be used for the operations (which can be all resources or partial resources for certain operations). For Tencent Push Notification Service operations that do not support resource-level authorization, you need to specify the authorized object as all resources.
CAM policy syntax description:
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}
Parameter description:
Parameter | Required | Description |
---|---|---|
version | Yes | Version number. Currently, only "2.0" is supported. |
statement | Yes | This element describes the details of one or more permissions. It contains a permission or permission set of other elements such as effect , action , resource , and condition . One policy has only one statement. An action (operation) describes an allowed or denied operation, which can be an API or a feature set (a set of specific APIs prefixed with permid ). |
resource | Yes | The specific resource. A resource is described in a six-segment format. Detailed resource definitions vary with the products. For more information about how to specify a resource, please see the documentation of the corresponding product. |
condition | No | The condition for the policy to take effect. A condition consists of the operator, action key, and action value. A condition value may be the time, IP address, etc. Some services allow you to specify additional values in a condition. |
effect | Yes | Describes whether the statement result is "allowed" (allow ) or "explicitly denied" (deny ). |
Two types of system-level policies are preset for you to quickly grant permissions. You can go to the console > Cloud Access Management > Policies, click Create Custom Policy, and select Create by Policy Syntax, as shown below:
On the Create by Policy Syntax page, you can search and find two preset policy templates, which grants full access and read-only access, respectively (you can view the list of specific permissions during policy creation). You can select a template and edit it or create a blank template.
After creating a policy, you can find it on the Policies page in the CAM console and associate it with a sub-user to complete the permission configuration.
This document describes how to perform CAM authorization in Tencent Push Notification Service.
Resource-level permission can be used to specify which resources a user can manipulate. The type of resources that can be authorized in Tencent Push Notification Service is "app", that is, you can grant resource-level permissions in CAM at the app granularity. The resource description method is as follows:
qcs::tpns::uin/1000000000:app/*
Here, *
indicates all resources at the app granularity, which can be replaced with the Access ID
. You can find the app's Access ID
in the Product Management module in the Tencent Push Notification Service Console. For the uin
, get the account ID on the Account Info page in the console and replace the uin
with it (such as 1000000000
, which is a sample Tencent Cloud ID of a root account).
When authorizing multiple resources, separate them with commas.
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed withname/tpns:
should be used for Tencent Push Notification Service, such as name/tpns:CreateProduct
.
To specify multiple operations in a single statement, separate them with commas as shown below:
"action":["tpns:action1","tpns:action2"]
You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
"action":["tpns:Describe*"]
To specify all Tencent Push Notification Service operations, use an asterisk (*) as follows:
"action":["tpns:*"]
The following table describes the list of authorizable operations:
Note:Only operations that support resource-level permissions can be authorized at the app level.
Operation | Description | Resource-Level Permission Supported |
---|---|---|
AddChannelInfo | Adds vendor-specific channel | Yes |
CancelPush | Cancels scheduled push task | Yes |
CreateApp | Creates app | No |
CreateAppTrialRequest | Applies for product trial | Yes |
CreateProduct | Creates product | No |
DeleteAppInfo | Deletes app | Yes |
DeleteProductInfo | Deletes product | No |
DescribeApnsCertInfo | Queries APNS certificate information | Yes |
DescribeAppAllTags | Queries all tag information | Yes |
DescribeAppInfo | Queries app information | Yes |
DescribeAppVipInfo | Queries VIP information | Yes |
DescribeChannelInfo | Queries vendor-specific channel information | Yes |
DescribeProductInfo | Queries product information | No |
DescribeTagTokenNums | Queries the number of devices under the tag | Yes |
DownloadPushPackage | Downloads push number package | Yes |
DescribeAccountByToken | Queries account bound to device | Yes |
DescribeAccountPushStatInfo | Queries the total number of push messages under account | No |
DescribeAccountPushStatInfoAllZone | Queries the total number of messages supposed to be sent by all apps in cluster | No |
DescribeAppSecretInfo | Queries AppSecret information |
Yes |
DescribeDeviceStatOverview | Queries the number of accumulated and daily active devices of app | Yes |
DescribeProductDeviceStatWithRatioOverview | Queries app statistics | Yes |
DescribePushPackaDescribeoken | Uploads number package to get temporary COS token | Yes |
DescribePushTaskGroupStatAllChannel | Queries the aggregated data of pushes in all channels | Yes |
DescribePushTaskStatAllChannel | Queries the data of each push channel | Yes |
DescribeTagsByToken | Queries tags bound to device | Yes |
DescribeTokenInfos | Queries tokenInfo information |
No |
DescribePushInfos | Queries push list | Yes |
ModifyAppInfo | Updates app information | Yes |
ModifyProductInfo | Updates product information | No |
CreatePush | Creates push | Yes |
UpdateAppStatus | Updates app status | Yes |
UploadCert | Uploads iOS certificate | Yes |
UploadPushPackage | Uploads push number package | Yes |
DescribePlanPushInfos | Queries the task list under the push plan | Yes |
DescribePushPlans | Queries the list information about the push plan | Yes |
UpdatePushPlan | Modifies a push plan | Yes |
DeletePushPlan | Deletes a push plan | Yes |
CreatePushPlan | Creates a push plan | Yes |
Suppose that the main responsibilities of the operations personnel are to view push records and create pushes. Then, the operation permissions can be queried according to the list of authorizable operations above:
Assume that the root account ID is 1000000000
, and the Access_id
values of the authorized applications are 1500000000
and 1500000001
, respectively.
The corresponding policy syntax should be as follows:
//
{
"version": "2.0",
"statement": [
{
"action": [
"tpns:Describe*",
"tpns:CancelPush",
"tpns:DownloadPushPackage",
"tpns:CreatePush",
"tpns:UploadPushPackage"
],
"resource": [
"qcs::tpns::uin/1000000000:app/1500000000","qcs::tpns::uin/1000000000:app/1500000001"
],
"effect": "allow"
},
{
"action": [
"tpns:Describe*"
],
"resource": [
"qcs::tpns::uin/1000000000:other/*"
],
"effect": "allow"
}
]
}
The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.
Suppose that the main responsibilities of developers are to access and test. Then, all operation permissions should be granted.
Assume that the root account ID is 1000000000
, and the Access_id
values of the authorized applications are 1500000000
and 1500000001
, respectively.
The corresponding policy syntax should be as follows:
//
{
"version": "2.0",
"statement": [
{
"action": "*",
"resource": [
"qcs::tpns::uin/1000000000:app/1500000000","qcs::tpns::uin/1000000000:app/1500000001"
],
"effect": "allow"
},
{
"action": [
"tpns:Describe*"
],
"resource": [
"qcs::tpns::uin/1000000000:other/*"
],
"effect": "allow"
}
]
}
The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.
Was this page helpful?