CAM policy:
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}
version: A required field in which currently only "2.0" is allowed.
statement: Describes the details of one or more permissions. This element includes effect, action, resource, condition, and other related elements representing a single permission or a set of permissions. A policy should contain exactly one statement element.
effect: A required field that specifies whether the statement results in allow or explicit deny. The possible values are allow (grants permission) and deny (explicitly denies permission).
action: A required field that specifies the operations to be allowed or denied. Actions can be APIs, prefixed with dmc:.
resource: A required field that specifies the authorized data. Resources are described using a six-segment format, with definitions varying by product.
condition: A required field that defines the constraints for policy enforcement. A condition consists of an operator, key, and value. Condition values can include time, IP address, and other parameters, depending on the service’s supported conditions.
In DMC policy statements, you can specify any API operation from services that support DMC. For DMC-specific operations, use APIs prefixed with dmc:. For example,
dmc:DescribeDataSources.
If you need to specify multiple operations in a single statement, separate them with commas, as shown below:
"action":["dmc:action1","dmc:action2"]
You can also use wildcards to specify multiple operations. For example, you can specify all operations that start with the word Describe, as shown below:
"action":["dmc:Describe*"]
If you want to specify all operations in DMC of TencentDB for DBbrain, use the * wildcard, as shown below:
Each CAM policy statement applies to specific resources. DMC can operate on cloud database resources.
The general format of cloud database resources is as follows:
qcs:project_id:service_type:region:account:resource
project_id: It describes the project information. It is only for compatibility with early CAM logic and does not need to be filled in.
service_type: The product abbreviation, such as dmc.
region: The region information, such as ap-guangzhou.
account: The root account information of the resource owner, such as uin/653xxx763.
resource: The specific resource details for each product, such as resource/dmc-1 or resource/*.
For example, you can specify a specific resource (dmc-q0edo5c0) in the statement, as shown below:
"resource":[ "qcs::dmc:ap-guangzhou:uin/653xxx763:resource/dmc-q0edo5c0"]
You can also use the * wildcard to specify all resources belonging to a specific account, as shown below:
"resource":[ "qcs::dmc:ap-guangzhou:uin/653xxx763:resource/*"]
If you want to specify all resources, or if a specific API operation does not support resource-level permissions, use the * wildcard in the resource element, as shown below:
To specify multiple resources in one instruction, separate them with a comma. The following is an example of specifying two resources:
"resource":["resource1","resource2"]
The table below describes the resources available for cloud databases and their corresponding resource description methods. Words prefixed with $ are placeholders, where region represents the region and uin represents the account ID.
|
Resources | qcs::dmc:$region:uin/$uin:resource/$ResourceId
|
QcloudDMCDeveloper: Grants full permissions for all operations on the SQL window and quick login pages.
QcloudDMCDba: Grants full operational permissions for all feature pages.