tencent cloud


CAM-Based Access Control

Last updated: 2023-10-07 14:53:42
    CSS supports permission control via CAM, allowing you to manage access to your CSS domains, settings, and other data. You can create, manage, or terminate users or user groups and grant API access permissions to them to achieve identity management and policy control. You can use CAM to bind a user or user group to a policy which allows or denies them access to specified resources to complete specified tasks.


    Root account: A Tencent Cloud account
    Sub-user: A user created and fully owned by a root account.
    Collaborator: You can add another root account as a collaborator to your account. The added account becomes a sub-account of your account.
    User group: Users that perform the same functions and can be bound with a permission policy for centralized access management.
    For more information on the concepts and permissions, see User Types.


    Step 1. Create a sub-user or user group

    One or more sub-users can be created under each root account and can be associated with specific roles and policies. A sub-user has a unique ID and identity credential that can be used to log in to the Tencent Cloud console. It also has API access. You can log in to the CAM console to create a sub-user.
    For detailed directions, see Creating Sub-user and Creating User Group.

    Step 2. Add a policy to the sub-user or user group

    You can associate policies on the user/user group management page or policy management page. For detailed directions, see Authorization Management.
    Method 1. Add a policy to a sub-user or user group
    Method 2. Associate a policy with a user/user group
    Go to the user/user group page and select the user/user group to which you want to add a policy.
    Select Users > User List or User Groups on the left sidebar of the CAM console. Find the user/user group to which you want to add a policy, click Authorize on the right, select a CSS policy, and click OK.
    Select Users > User List or User Groups on the left sidebar and click the name of the user/user group to which you want to add a policy. Click Associate Policy, select a CSS policy, and click OK.
    Select Policies on the left sidebar of the CAM console, find the policy you want to associate, and click Associate User/User Group/Role in the Operation column. Select the user/user group you want to associate the policy with, and click OK.

    Addable policies

    Preset policies: You can view all preset policies on the Policies page.
    CSS preset policies include QcloudLIVEFullAccess (read and write policy) and QcloudLIVEReadOnlyAccess (read-only policy).
    For a user to use tags, you need to associate QcloudTAGFullAccess (full read and write access by tag).
    For a user to use real-time logs, associate QcloudCamFullAccess (full read/write access to CAM).
    To use the screenshot & porn detection feature, associate QcloudAccessFoLVBRoleInSaveLiveScreenshottoCOS with your CSS service role to grant it access to COS.
    Custom policy: Go to the Policies page, click Create Custom Policy, and select Create by Policy Generator. For more information, see Custom Policy.
    Currently, some APIs of CSS support resource-level authorization.
    Example: If you want to allow a sub-user to use the DescribeLiveDomains API, follow the steps below to grant the permission.
    1.1 Create a domain-level policy that allows access to the API: Go to the Create by Policy Generator page and complete the following settings:
    Select Allow
    Select Cloud Streaming Services
    Select DescribeLiveDomains
    Select all resources or specific resources.
    Tencent Cloud services for which the authorization granularity is operation or service don't support six-segment resource descriptions; for them, select “All resources”.
    For Tencent Cloud services that support resource-level authorization, you can select specific resources. For the resource description method and authorization granularity of Tencent Cloud services, see CAM-Enabled Products.
    Set the condition for the authorization to take effect. If you enter IP addresses, the API will be accessible only if a request is from the specified IP range. You can also add other conditions. For more information, see Conditions.
    If you want to authorize multiple services, click Add Permissions.
    2. Click Next to generate the policy. Then, associate it using either of the two methods above.

    Step 3. Use a sub-account

    You can now use the sub-user’s account (the account ID and password) to call the API authorized (such as DescribeLiveDomains) and get the corresponding CSS data (such as all the domains under the current account).
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support