

Authorization Policy Syntax

Last updated: 2022-07-06 09:48:56

    Policy Syntax

    CAM policy:

                  "condition": {"key":{"value"}} 
    • version is required. Currently, only the value "2.0" is allowed.
    • statement describes the details of one or more permissions. It contains a permission or permission set made up of other elements such as effect, action, resource, and condition. One policy has only one statement.
    • action is required. It describes the allowed or denied action (operation). An operation can be an API (prefixed with "name") or a feature set (a set of specific APIs prefixed with "permid").
    • resource is required. It describes the details of authorization. A resource is described in a six-segment format. Detailed resource definitions vary by product. For more information on how to specify resources, see the product documentation corresponding to the resource statement you are writing.
    • condition is optional. It describes the condition for the policy to take effect. A condition consists of an operator, an action key, and an action value. A condition value can be a client IP.
    • effect is required. It describes the result of a statement. The result can be an "allow" or an explicit "deny".

    ASR Operations

    In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with name/asr: should be used for ASR, such as name/asr:CreateModel or name/asr:CreateAsrVocab.

    • To specify multiple operations in a single statement, separate them with commas as shown below:

    You can also specify multiple operations by using a wildcard. For example, you can specify all operations beginning with "Describe" in the name as shown below:

    • To specify all operations in ASR, use the * wildcard as shown below:

    ASR Resource Path

    Each CAM policy statement is resource-specific with a resource path as shown below:

    • project_id describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
    • service_type describes the product abbreviation such as asr.
    • region describes the region information, which is not required for ASR.
    • account describes the root account of the resource owner, such as uin/164256472.
    • resource describes the detailed resource information of each product, such as model/model_id1 or model/*.

    For example, you can use a specific self adaptive learning model (15b96676edb211ea9301b49691037310) by specifying it in the statement as shown below:

    "resource":[ "qcs::asr::uin/164256472:model/15b96676edb211ea9301b49691037310"]

    You can also use the * wildcard to specify all self adaptive learning models that belong to a specific account as shown below:

    "resource":[ "qcs::asr::uin/164256472:model/*"]

    If you want to specify all resources, or if a specific API operation supports only API-level permission control, you can use the * wildcard in the resource element as shown below:

    "resource": ["*"]

    To specify multiple resources in one policy, separate them with commas. In the following example, two resources are specified:
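The following is an added example, not part of the original Tencent Cloud page: a constructed ASR policy with two actions and two model resources, plus a small Python check of the rules described above (version, effect, action prefix, six-segment resource path, wildcards). The second model ID, the `permid/` prefix form and the function names are assumptions made for illustration.

```python
import json

# Constructed sample policy; "model_id2" is a made-up placeholder ID.
POLICY = json.loads("""{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": ["name/asr:CreateModel", "name/asr:CreateAsrVocab"],
    "resource": [
      "qcs::asr::uin/164256472:model/15b96676edb211ea9301b49691037310",
      "qcs::asr::uin/164256472:model/model_id2"
    ]
  }]
}""")

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_resource(res):
    """Check one path: qcs:project_id:service_type:region:account:resource."""
    parts = res.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        return f"{res!r}: not a six-segment qcs path"
    if parts[2] != "asr":
        return f"{res!r}: service_type is {parts[2]!r}, expected 'asr'"
    if not parts[4].startswith("uin/"):
        return f"{res!r}: account segment should be uin/<root account>"
    if parts[5].endswith("*"):
        return f"{res!r}: wildcard covers every resource of this type"
    return None

def lint_policy(policy):
    """Return findings for an ASR policy; an empty list means nothing flagged."""
    findings = []
    if policy.get("version") != "2.0":
        findings.append('version must be "2.0"')
    for st in as_list(policy.get("statement", {})):
        if st.get("effect") not in ("allow", "deny"):
            findings.append('effect must be "allow" or "deny"')
        for act in as_list(st.get("action", "<missing>")):
            if not act.startswith(("name/asr:", "permid/")):  # "permid/" form assumed
                findings.append(f"action {act!r}: not an ASR API or feature set")
            elif "*" in act:
                findings.append(f"action {act!r}: wildcard, review scope")
        for res in as_list(st.get("resource", "<missing>")):
            msg = "'*': all resources" if res == "*" else check_resource(res)
            if msg:
                findings.append("resource " + msg)
    return findings
```

Calling `lint_policy(POLICY)` returns an empty list for the sample; a statement that uses `"resource": ["*"]` or a wildcard action is reported so the broad grant can be reviewed before the policy is attached.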
