Permissions and Policies
Last updated: 2025-04-30 16:33:26

CAM Policy Description

Basic Syntax

{
    "version":"2.0",
    "statement":
    [
        {
            "effect":"effect",
            "action":["action"],
            "resource":["resource"],
            "condition": {"key":{"value"}}
        }
    ]
}
version: A required field in which currently only "2.0" is allowed.
statement: It describes the detailed information of one or more permissions. This element includes effect, action, resource, condition, and other related elements representing a single permission or a set of permissions. A policy should contain exactly one statement element.
effect: A required field that specifies whether the statement results in allow or explicit deny. The possible values are allow (grants permission) and deny (explicitly denies permission).
action: Required. It describes the allowed or denied actions. Actions can be APIs (described with the service prefix, which is ctsdb: for CTSDB) or feature sets (a specific group of APIs described with the permid prefix).
resource: A required field that specifies the authorized data. Resources are described using a six-segment format, with definitions varying by product.
condition: Required. It describes the constraints for policy enforcement. A condition consists of an operator, key, and value. Condition values can include time, IP address, and other parameters, depending on the service’s supported conditions.

TencentDB for CTSDB 3.0 Action

In the action element of a CAM policy statement, you can specify any API operation from a service that supports CAM. For CTSDB, use APIs prefixed with ctsdb:, such as ctsdb:CreateCluster, ctsdb:CreateDatabase, ctsdb:DestroyCluster, and ctsdb:DestroyDatabase. For the list of authorizable APIs, see Authorizable Resources and Operation APIs.
If you need to specify multiple operations in a single statement, separate them with commas, as shown below:
"action":["ctsdb:action1","ctsdb:action2"]
You can also use wildcard characters to specify multiple actions. For example, you can specify all actions whose names begin with "Describe" as follows:
"action":["ctsdb:Describe*"]
To specify all operations in CTSDB, use the wildcard * as follows:
"action": ["ctsdb:*"]

CTSDB 3.0 Resource

Each CAM policy statement applies to its resource. The general format of a resource path is as follows:
qcs:project_id:service_type:region:account:resource
project_id: Optional. It is retained only for compatibility with the early CAM logic format.
service_type: The product abbreviation, such as ctsdb.
region: It indicates regional information, such as bj.
account: The root account information of the resource owner, such as uin/12xxx8.
resource: Specific resource details of each product, such as instance/instance_id or instance/*.
For example, you can refer to a specific instance (ctsdbi-8bfdai6s) in the statement as follows:
"resource":[ "qcs::ctsdb:bj:uin/12xxx8:instance/ctsdbi-8bfdai6s"]
You can also use the * wildcard character to specify all instances belonging to a specific account, as shown below:
"resource":[ "qcs::ctsdb:bj:uin/12xxx8:instance/*"]
If you want to specify all resources, or if a specific API operation does not support resource-level permissions, use the * wildcard in the resource element, as shown below:
"resource": ["*"]
To specify multiple resources in one statement, separate them with commas. The following example specifies two resources:
"resource":["resource1","resource2"]
The following table lists the resources that CTSDB 3.0 can authorize and how each is written in a policy. Words prefixed with $ are placeholders: $region is the region and $account is the account ID.

Resource         Resource description method in authorization policies
Instance         qcs::ctsdb:$region:$account:instance/$instanceId
VPC              qcs::vpc:$region:$account:vpc/$vpcId
Security Group   qcs::cvm:$region:$account:sg/$sgId

Default Permission Policy of CTSDB 3.0

CTSDB 3.0 supports the system permission policies in the following table. You can search for the default permission policy and its syntax for CTSDB 3.0 in the Preset Policy on the Policies page via the CAM Console.
Policy name: QcloudCTSDBFullAccess
Policy permission description: Full read and write access permissions to CTSDB. The sub-account authorized with this permission has the same permission as the Tencent Cloud account, that is, the sub-account has all operation permissions of the console and API.
Policy syntax logic:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "ctsdb:*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "monitor:DescribeBaseMetrics",
                "monitor:GetMonitorData"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

Policy name: QcloudCTSDBReadOnlyAccess
Policy permission description: Read-only permission. The sub-account authorized with this permission only has read-only permission for all resources of the Tencent Cloud account and does not have operation permissions of the console and API.
Policy syntax logic:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "ctsdb:Describe*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "monitor:DescribeBaseMetrics",
                "monitor:GetMonitorData"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
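To see how the action wildcards, the six-segment resource paths and the allow/deny effects described above combine, the following added example (not Tencent Cloud's own evaluation engine) implements a small evaluator and runs the two default policies from this page, plus a constructed scoped policy, against sample requests. It assumes, because the page does not state it, that matching is case-sensitive, that "*" matches any run of characters, that an explicit deny wins over any allow, that a request no statement allows is denied, and that the condition element is ignored. The action name ctsdb:DescribeExample and the instance IDs used in the requests are constructed placeholders.

```python
"""CAM-style policy evaluator for the CTSDB policy syntax (added example)."""
import re

# Default policies copied from the page.
FULL_ACCESS = {
    "version": "2.0",
    "statement": [
        {"action": ["ctsdb:*"], "resource": "*", "effect": "allow"},
        {"action": ["monitor:DescribeBaseMetrics", "monitor:GetMonitorData"],
         "resource": "*", "effect": "allow"},
    ],
}
READ_ONLY_ACCESS = {
    "version": "2.0",
    "statement": [
        {"action": ["ctsdb:Describe*"], "resource": "*", "effect": "allow"},
        {"action": ["monitor:DescribeBaseMetrics", "monitor:GetMonitorData"],
         "resource": "*", "effect": "allow"},
    ],
}
# Constructed least-privilege policy: everything on one instance, but no Destroy
# even though ctsdb:* is allowed, because the explicit deny takes precedence.
INSTANCE = "qcs::ctsdb:bj:uin/12xxx8:instance/ctsdbi-8bfdai6s"   # from the page
OTHER_INSTANCE = "qcs::ctsdb:bj:uin/12xxx8:instance/ctsdbi-other"  # constructed
SCOPED_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["ctsdb:*"], "resource": [INSTANCE]},
        {"effect": "deny", "action": ["ctsdb:Destroy*"], "resource": ["*"]},
    ],
}


def wildcard_match(pattern: str, value: str) -> bool:
    """True if value matches pattern, where '*' stands for any characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def resource_match(pattern: str, resource: str) -> bool:
    """Compare two six-segment qcs paths segment by segment; a bare '*' matches all."""
    if pattern == "*":
        return True
    pat_parts = pattern.split(":", 5)
    res_parts = resource.split(":", 5)
    if len(pat_parts) != 6 or len(res_parts) != 6:
        return False  # malformed path: fail closed
    return all(wildcard_match(p, r) for p, r in zip(pat_parts, res_parts))


def _as_list(value):
    # The default policies write "resource": "*"; the syntax section uses lists.
    return value if isinstance(value, list) else [value]


def validate_policy(policy: dict) -> list:
    """Return a list of syntax problems; an empty list means the policy is well formed."""
    problems = []
    if policy.get("version") != "2.0":
        problems.append('version must be "2.0"')
    statements = policy.get("statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        for key in ("effect", "action", "resource"):
            if key not in stmt:
                problems.append(f"statement[{i}] lacks required field {key}")
        if stmt.get("effect") not in ("allow", "deny"):
            problems.append(f"statement[{i}] effect must be allow or deny")
    return problems


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide 'allow' or 'deny' for one (action, resource) request under one policy."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("invalid policy: " + "; ".join(problems))
    decision = "deny"  # implicit deny until an allow statement matches
    for stmt in policy["statement"]:
        if not any(wildcard_match(a, action) for a in _as_list(stmt["action"])):
            continue
        if not any(resource_match(r, resource) for r in _as_list(stmt["resource"])):
            continue
        if stmt["effect"] == "deny":
            return "deny"  # explicit deny wins over every allow
        decision = "allow"
    return decision


if __name__ == "__main__":
    for name, policy in (("FullAccess", FULL_ACCESS), ("ReadOnly", READ_ONLY_ACCESS),
                         ("Scoped", SCOPED_POLICY)):
        for act in ("ctsdb:DescribeExample", "ctsdb:CreateDatabase", "ctsdb:DestroyCluster"):
            print(f"{name:10} {act:24} {INSTANCE[-15:]:>15} -> {evaluate(policy, act, INSTANCE)}")
```

The scoped policy shows the pattern a practitioner wants when a sub-account needs to operate one instance: allow on the exact six-segment resource path rather than "*", and an explicit deny on the Destroy actions so that a later, broader allow cannot silently re-enable them.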

Custom Permission Policies and Authorization

1. A custom permission policy can be created quickly through the policy generator, through tag authorization, by writing policy syntax, or based on product features or project permissions. For detailed operations, see Policy Guide. For a description of policy syntax, see CAM Policy Description.
2. A newly created user or user group has no permissions by default. Associate a policy with it to grant the corresponding operation permissions. For detailed operations, see Authorization Management.