tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Push Notification Service
    Documentation
    Download PDF

    Advanced Custom Configuration

    Last updated: 2022-11-21 16:24:06
    Download PDF

      Overview

      If you use the Tencent Push Notification Service service in Tencent Cloud, and the service is managed by different users sharing your Tencent Cloud account key, the following problems may occur:

      • The risk of your key being compromised is high since multiple users are sharing it.
      • Your users might introduce security risks from misoperations due to the lack of user access control.

      You can allow different users to manage different services through sub-accounts to avoid the above problems. By default, a sub-account does not have permission to use a Tencent Push Notification Service service or related resources. Therefore, you need to create a policy to grant the required permission to the sub-account.
      Tencent Cloud’s Cloud Access Management (CAM) is a web service that helps you manage the access permissions for resources under your Tencent Cloud accounts. With CAM, you can create, manage, or terminate users (groups), and manage identities and policies to allow specific users to access and use specific Tencent Cloud resources.
      You can use CAM to associate a user/user group with a policy, which allows/denies the user to use specified resources to perform specified tasks. For CAM policy basics, please see Syntax Logic. For the use of CAM policies, please see Policy.

      Note:

      If you do not need to manage access permissions to Tencent Push Notification Service resources for sub-accounts, you can skip this part. This will not affect your understanding and use of other parts of the documentation.

      Policy Syntax Description

      A CAM policy must authorize or deny the use of one or more Tencent Push Notification Service operations. At the same time, it must specify the resources that can be used for the operations (which can be all resources or partial resources for certain operations). For Tencent Push Notification Service operations that do not support resource-level authorization, you need to specify the authorized object as all resources.
      CAM policy syntax description:

      {     
       "version":"2.0", 
       "statement": 
       [ 
          { 
             "effect":"effect", 
             "action":["action"], 
             "resource":["resource"], 
              "condition": {"key":{"value"}} 
          } 
      ] 
}

      Parameter description:

      Parameter Required Description
      version  Yes Version number. Currently, only "2.0" is supported.
      statement Yes This element describes the details of one or more permissions. It contains a permission or permission set of other elements such as effect, action, resource, and condition. One policy has only one statement. An action (operation) describes an allowed or denied operation, which can be an API or a feature set (a set of specific APIs prefixed with permid).
      resource Yes The specific resource. A resource is described in a six-segment format. Detailed resource definitions vary with the products. For more information about how to specify a resource, please see the documentation of the corresponding product.
      condition No The condition for the policy to take effect. A condition consists of the operator, action key, and action value. A condition value may be the time, IP address, etc. Some services allow you to specify additional values in a condition.
      effect Yes Describes whether the statement result is "allowed" (allow) or "explicitly denied" (deny).

      Creating Policy and Granting Permissions

      Two types of system-level policies are preset for you to quickly grant permissions. You can go to the console > Cloud Access Management > Policies, click Create Custom Policy, and select Create by Policy Syntax, as shown below:

      On the Create by Policy Syntax page, you can search and find two preset policy templates, which grants full access and read-only access, respectively (you can view the list of specific permissions during policy creation). You can select a template and edit it or create a blank template.

      After creating a policy, you can find it on the Policies page in the CAM console and associate it with a sub-user to complete the permission configuration.
      This document describes how to perform CAM authorization in Tencent Push Notification Service.

      Authorizable Tencent Push Notification Service Resources

      Resource-level permission can be used to specify which resources a user can manipulate. The type of resources that can be authorized in Tencent Push Notification Service is "app", that is, you can grant resource-level permissions in CAM at the app granularity. The resource description method is as follows:

      qcs::tpns::uin/1000000000:app/*

      Here, * indicates all resources at the app granularity, which can be replaced with the Access ID. You can find the app's Access ID in the Product Management module in the Tencent Push Notification Service Console. For the uin, get the account ID on the Account Info page in the console and replace the uin with it (such as 1000000000, which is a sample Tencent Cloud ID of a root account).

      When authorizing multiple resources, separate them with commas.

      Tencent Push Notification Service Operations That Can Be Authorized

      In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed withname/tpns: should be used for Tencent Push Notification Service, such as name/tpns:CreateProduct.
      To specify multiple operations in a single statement, separate them with commas as shown below:

      "action":["tpns:action1","tpns:action2"]

      You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:

      "action":["tpns:Describe*"]

      To specify all Tencent Push Notification Service operations, use an asterisk (*) as follows:

      "action":["tpns:*"]

      The following table describes the list of authorizable operations:

      Note:

      Only operations that support resource-level permissions can be authorized at the app level.

      Operation Description Resource-Level Permission Supported
      AddChannelInfo Adds vendor-specific channel Yes
      CancelPush Cancels scheduled push task Yes
      CreateApp Creates app No
      CreateAppTrialRequest Applies for product trial Yes
      CreateProduct Creates product No
      DeleteAppInfo Deletes app Yes
      DeleteProductInfo Deletes product No
      DescribeApnsCertInfo Queries APNS certificate information Yes
      DescribeAppAllTags Queries all tag information Yes
      DescribeAppInfo Queries app information Yes
      DescribeAppVipInfo Queries VIP information Yes
      DescribeChannelInfo Queries vendor-specific channel information Yes
      DescribeProductInfo Queries product information No
      DescribeTagTokenNums Queries the number of devices under the tag Yes
      DownloadPushPackage Downloads push number package Yes
      DescribeAccountByToken Queries account bound to device Yes
      DescribeAccountPushStatInfo Queries the total number of push messages under account No
      DescribeAccountPushStatInfoAllZone Queries the total number of messages supposed to be sent by all apps in cluster No
      DescribeAppSecretInfo Queries AppSecret information Yes
      DescribeDeviceStatOverview Queries the number of accumulated and daily active devices of app Yes
      DescribeProductDeviceStatWithRatioOverview Queries app statistics Yes
      DescribePushPackaDescribeoken Uploads number package to get temporary COS token Yes
      DescribePushTaskGroupStatAllChannel Queries the aggregated data of pushes in all channels Yes
      DescribePushTaskStatAllChannel Queries the data of each push channel Yes
      DescribeTagsByToken Queries tags bound to device Yes
      DescribeTokenInfos Queries tokenInfo information No
      DescribePushInfos Queries push list Yes
      ModifyAppInfo Updates app information Yes
      ModifyProductInfo Updates product information No
      CreatePush Creates push Yes
      UpdateAppStatus Updates app status Yes
      UploadCert Uploads iOS certificate Yes
      UploadPushPackage Uploads push number package Yes
      DescribePlanPushInfos Queries the task list under the push plan Yes
      DescribePushPlans Queries the list information about the push plan Yes
      UpdatePushPlan Modifies a push plan Yes
      DeletePushPlan Deletes a push plan Yes
      CreatePushPlan Creates a push plan Yes

      Sample Policy for Operations Personnel

      Suppose that the main responsibilities of the operations personnel are to view push records and create pushes. Then, the operation permissions can be queried according to the list of authorizable operations above:

      • All query operations
      • Canceling scheduled push tasks
      • Creating pushes
      • Uploading push number packages
      • Downloading push number packages

      Assume that the root account ID is 1000000000, and the Access_id values of the authorized applications are 1500000000 and 1500000001, respectively.
      The corresponding policy syntax should be as follows:

      //
{
   "version": "2.0",
   "statement": [
       { 
           "action": [
               "tpns:Describe*",
               "tpns:CancelPush",
               "tpns:DownloadPushPackage",
               "tpns:CreatePush",
               "tpns:UploadPushPackage"
           ],
           "resource": [
               "qcs::tpns::uin/1000000000:app/1500000000","qcs::tpns::uin/1000000000:app/1500000001"
           ],
           "effect": "allow"
       },
       {
           "action": [
               "tpns:Describe*"
           ],
           "resource": [
               "qcs::tpns::uin/1000000000:other/*"
           ],
           "effect": "allow"
       }
     ]
}

      The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.

      Sample Policy for Developers

      Suppose that the main responsibilities of developers are to access and test. Then, all operation permissions should be granted.
      Assume that the root account ID is 1000000000, and the Access_id values of the authorized applications are 1500000000 and 1500000001, respectively.
      The corresponding policy syntax should be as follows:

      //
{
   "version": "2.0",
   "statement": [
       { 
           "action": "*",
           "resource": [
               "qcs::tpns::uin/1000000000:app/1500000000","qcs::tpns::uin/1000000000:app/1500000001"
           ],
           "effect": "allow"
       },
       {
           "action": [
               "tpns:Describe*"
           ],
           "resource": [
               "qcs::tpns::uin/1000000000:other/*"
           ],
           "effect": "allow"
       }
     ]
}

      The created policy can be found at Policies in the CAM console. You can associate it with the sub-user to complete the permission configuration. Note that the policy can also be associated with other sub-users.

      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2023 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy