Cloud Streaming Services (CSS) supports permission control through Cloud Access Management (CAM), which governs access to the CSS domain names, configurations, and data under your account. You can create, manage, or terminate users or user groups and grant them API access permissions for identity management and policy control.
You can use CAM to bind a user or user group to a policy which allows or denies them access to specified resources to complete specified tasks.
For more information on the definitions and permissions, see CAM User Types.
One or more sub-users with specific roles and policies can be created under one root account. A sub-user has a unique ID and identity credential that can be used to log in to the Tencent Cloud console for configuration. It also has API access permissions. You can log in to the CAM console to create a sub-user.
For more information, see Creating Sub-user and Creating User Group.
You can add policies and authorize users or user groups on the user or user group management and policy management pages. For more information, see Authorization Management.
Enter the user/user group page and select the user/user group to which to add a policy.
Click Users > User List on the left sidebar, select the user/user group to which to add a policy, click Authorize on the right, select the corresponding CSS policy, and click Confirm.
Click Users > User List or User Groups on the left sidebar, click the name of the user/user group to which to add a policy to enter the details page, click Associate Policy, select the corresponding CSS policy, and click Confirm.
Click Policies on the left sidebar, select the policy to be added, click Associate Users/Groups in the Operation column, select the user/user group to be authorized, and click Confirm.
Currently, some APIs of CSS support resource-level authorization.
Operation example: if you need to authorize the DescribeLiveDomains API to a sub-user for a specified domain name, follow the steps below to configure:
| Field | Required | Description |
|---|---|---|
| Service | Yes | Select Cloud Streaming Services |
| Resource | Yes | Select all resources or specific resources that you want to authorize. |
| Condition | No | Set the effective condition of the above authorization and enter the source IP to be authorized, so as to allow access to specified operations only when requests come from the specified IP range. You can also add other conditions to further restrict the policy. For more information, see Condition. |
If you want to authorize multiple services, you can click Add Permissions to configure authorization policies for these services.
You can use a sub-account identity (sub-account ID and password created by the root account) to call the authorized APIs (such as DescribeLiveDomains) to get the CSS information (such as all domains under the account).
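The resource-level authorization configured in the operation example, written out as policy data with a small least-privilege check. This is an added example, not code from the original page. The CAM policy syntax it uses (`name/live:` action prefix, `qcs::live::uin/...:domain/...` resource format, `ip_equal` / `qcs:ip` condition) is assumed rather than taken from this page, and the UIN, domain name, and IP range are constructed placeholders.

```python
import ipaddress

# Constructed placeholder values, not taken from the page.
ROOT_UIN, DOMAIN, SOURCE_CIDR = "100000000001", "live.example.com", "203.0.113.0/24"
# Constructed over-broad policy: every CSS action, every resource, no condition.
BROAD_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "name/live:*", "resource": "*"}]}


def build_policy(uin, domain, cidr):
    """One action, one domain, one source range, as in the operation example."""
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",
            # Assumed CAM syntax: service prefix "live" for Cloud Streaming Services.
            "action": ["name/live:DescribeLiveDomains"],
            # Assumed resource description format for a single CSS domain.
            "resource": [f"qcs::live::uin/{uin}:domain/{domain}"],
            "condition": {"ip_equal": {"qcs:ip": [cidr]}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy):
    """Return findings for allow statements broader than intended.

    The source-IP condition is optional in the console; its absence is
    reported here as a hardening gap, not as a syntax error.
    """
    findings = []
    for i, st in enumerate(policy.get("statement", [])):
        if st.get("effect") != "allow":
            continue
        findings += [f"statement {i}: wildcard action {a}"
                     for a in _as_list(st.get("action")) if "*" in a]
        findings += [f"statement {i}: wildcard resource {r}"
                     for r in _as_list(st.get("resource")) if r == "*" or r.endswith("/*")]
        cidrs = _as_list(st.get("condition", {}).get("ip_equal", {}).get("qcs:ip"))
        if not cidrs:
            findings.append(f"statement {i}: no source-IP condition")
        findings += [f"statement {i}: {c} matches every address" for c in cidrs
                     if ipaddress.ip_network(c, strict=False).prefixlen == 0]
    return findings


if __name__ == "__main__":
    for p in (build_policy(ROOT_UIN, DOMAIN, SOURCE_CIDR), BROAD_POLICY):
        print(lint_policy(p))
```

Running the same check over policies exported from the account before associating them with a sub-user or user group shows which ones grant more than the single API and domain intended.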