- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- CAM-Enabled API
- Best Practice
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Identity Provider APIs
- Policy APIs
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- ListAttachedUserAllPolicies
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- GetUserAppId
- UpdateAccessKey
- DeleteAccessKey
- CreateAccessKey
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- UntagRole
- TagRole
- Data Types
- Error Codes
- FAQs
- Glossary
- Product Introduction
- Purchase Guide
- Getting Started
- User Guide
- CAM-Enabled API
- Best Practice
- Business Use Cases
- TencentDB for MySQL
- CLB
- CMQ
- COS
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD
- Others
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Identity Provider APIs
- Policy APIs
- UpdatePolicy
- ListPolicies
- ListEntitiesForPolicy
- ListAttachedUserPolicies
- ListAttachedGroupPolicies
- GetPolicy
- DetachUserPolicy
- DetachGroupPolicy
- DeletePolicy
- CreatePolicy
- AttachUserPolicy
- AttachGroupPolicy
- SetDefaultPolicyVersion
- ListPolicyVersions
- GetPolicyVersion
- DeletePolicyVersion
- CreatePolicyVersion
- ListAttachedUserAllPolicies
- User APIs
- CreateGroup
- UpdateUser
- UpdateGroup
- RemoveUserFromGroup
- ListUsersForGroup
- ListUsers
- ListGroupsForUser
- ListGroups
- GetUser
- GetGroup
- DeleteUser
- DeleteGroup
- AddUserToGroup
- AddUser
- SetMfaFlag
- GetCustomMFATokenInfo
- ConsumeCustomMFAToken
- ListCollaborators
- ListAccessKeys
- PutUserPermissionsBoundary
- DeleteUserPermissionsBoundary
- DescribeSafeAuthFlagColl
- DescribeSubAccounts
- GetSecurityLastUsed
- GetAccountSummary
- GetUserAppId
- UpdateAccessKey
- DeleteAccessKey
- CreateAccessKey
- Role APIs
- UpdateRoleDescription
- UpdateAssumeRolePolicy
- ListAttachedRolePolicies
- GetRole
- DetachRolePolicy
- DescribeRoleList
- DeleteRole
- CreateRole
- AttachRolePolicy
- UpdateRoleConsoleLogin
- GetServiceLinkedRoleDeletionStatus
- DeleteServiceLinkedRole
- CreateServiceLinkedRole
- PutRolePermissionsBoundary
- DeleteRolePermissionsBoundary
- DescribeSafeAuthFlag
- DescribeSafeAuthFlagIntl
- UntagRole
- TagRole
- Data Types
- Error Codes
- FAQs
- Glossary
Overview
Last updated: 2023-04-24 15:00:03
Overview
Cloud Access Management (CAM) helps you securely manage permissions for most Tencent Cloud services. This document provides information on the products and services that support CAM in multiple dimensions, such as authorization granularity, console operation, authorization by tag, and reference documentation.
The table below lists Tencent Cloud services that support CAM.
Definitions:
- Service: Name of a CAM-enabled Tencent Cloud service. For more information on a specific service, click the link to the reference document.
- Authorization granularity: The finest authorization granularity currently supported by the service.
Note:Three authorization granularity levels are supported: service level, operation level, and resource level.
- Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service.
- Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.
- Console: Whether sub-accounts can access the service through the console. "✓" means yes, while "-" means no.
- Authorization by tag: Whether the service supports using tags for permission management. "✓" means yes, while "-" means no.
- Service role: Whether the service can access other services as a role entity. "✓" means yes, while "-" means no.
- Reference document: Link to the document on CAM-based access control for the service.
-means no documentation available yet.
Compute
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Cloud Virtual Machine (CVM) 1 | cvm | Resource level | ✓ | ✓ | ✓ | Access Management |
| Auto Scaling (AS) | as | Resource level | ✓ | ✓ | ✓ | - |
| BatchCompute | batch | Resource level | ✓ | ✓ | - | Cloud Access Management |
| Edge Computing Machine (ECM) | ecm | Resource level | ✓ | ✓ | - | - |
| Tencent Cloud Lighthouse (Lighthouse) | lighthouse | Resource level | ✓ | ✓ | - | - |
| Tencent Cloud Automation Tools (TAT) | tat | Resource level | ✓ | - | - | Cloud Access Management |
Note:1 In CVM, GPU Cloud Computing (GCC), CVM Dedicated Host (CDH), and Cloud Block Storage (CBS) support CAM.
Container
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Tencent Kubernetes Engine (TKE) | tke | Resource level | ✓ | ✓ | ✓ | Permission Management |
| Tencent Container Registry (TCR) | tcr | Resource level | ✓ | - | ✓ | Overview |
| Tencent Cloud Mesh (TCM) | tcm | Resource level | ✓ | - | ✓ | - |
Storage
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Cloud Object Storage (COS) 1 | cos | Resource level | ✓ | ✓ | ✓ | Access Control and Permission Management |
| Cloud File Storage (CFS) | cfs | Resource level | ✓ | ✓ | ✓ | Access Management |
| Cloud HDFS (CHDFS) | chdfs | Resource level | ✓ | ✓ | - | Authorizing Access with CAM |
| Cloud Log Service (CLS) | cls | Resource level | ✓ | ✓ | ✓ | Permission Management |
Note:1 In COS,
GetServiceandPutBucketdo not support authorization by tag for the time being; therefore, they need to be authorized with a separate custom policy.
Network
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Cloud Load Balancer (CLB) | clb | Resource level | ✓ | ✓ | ✓ | Cloud Access Management |
| Virtual Private Cloud (VPC) 1 | vpc | Resource level | ✓ | ✓ | - | Access Management |
| Direct Connect (DC) | dc | Resource level | ✓ | ✓ | - | Access Policy Types |
Note:1 In VPC, Elastic Network Interface (ENI), NAT Gateway, Peering Connection, VPN Connections, Flow Logs (FL), Anycast Internet Acceleration (AIA), Cloud Connect Network (CCN), and Bandwidth Package (BWP) support CAM.
CDN and Acceleration
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Global Application Acceleration Platform (GAAP) | gaap | Resource level | ✓ | ✓ | - | - |
| Enterprise Content Delivery Network (ECDN) | ecdn | Resource level | ✓ | ✓ | - | Console Permission Description |
| Content Delivery Network (CDN) 1 | cdn | Resource level | ✓ | ✓ | ✓ | Console Permissions |
Note:1 In CDN, Secure Content Delivery Network (SCDN) supports CAM.
Database
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| TencentDB for MySQL | cdb | Resource level | ✓ | ✓ | ✓ | Access Management |
| TDSQL-C | cynosdb | Resource level | ✓ | ✓ | - | Access Management |
| TencentDB for MariaDB | mariadb | Resource level | ✓ | ✓ | ✓ | CAM |
| TencentDB for SQL Server | sqlserver | Resource level | ✓ | ✓ | - | CAM |
| TencentDB for PostgreSQL | postgres | Resource level | ✓ | ✓ | - | Overview |
| TDSQL for MySQL | tdmysql | Resource level | ✓ | ✓ | - | Access Management |
| TencentDB for Redis | redis | Resource level | ✓ | ✓ | - | Access Management |
| TencentDB for MongoDB | mongodb | Resource level | ✓ | ✓ | ✓ | Access Management |
| TencentDB for CTSDB | ctsdb | Resource level | ✓ | ✓ | - | Overview |
| TcaplusDB | tcaplusdb | Resource level | ✓ | ✓ | - | Overview |
| TencentDB for DBbrain | dbbrain | Resource level | ✓ | - | - | - |
| Data Transmission Service (DTS) | dts | Resource level | ✓ | ✓ | ✓ | - |
Serverless
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Serverless Cloud Function (SCF) | scf | Resource level | ✓ | ✓ | ✓ | Permission Management |
| Serverless Application Center (SAC) | sls | Resource level | ✓ | - | ✓ | Access Management Configuration |
| EventBridge | eb | Resource level | ✓ | - | ✓ | - |
Middleware
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Cloud Message Queue (CMQ) - queue model | cmqqueue | Resource level | ✓ | ✓ | - | Users and Permissions |
| Cloud Message Queue (CMQ) - topic model | cmqtopic | Resource level | ✓ | ✓ | - | Users and Permissions |
| CKafka | ckafka | Resource level | ✓ | - | ✓ | Configuring ACL Policy |
| API Gateway | apigw | Resource level | ✓ | ✓ | ✓ | Permission Management |
| TDMQ for Pulsar | tdmq | Resource level | ✓ | ✓ | - | Access Management |
Microservice
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Tencent Cloud Elastic Microservice (TEM) | tem | Operation level | ✓ | - | ✓ | - |
Data Processing
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Cloud Infinite (CI) | ci | Resource level | ✓ | - | ✓ | Access Management |
Domain Name and Website
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| SSL Certificate Service | ssl | Resource level | ✓ | ✓ | ✓ | - |
| HTTPDNS | httpdns | Operation level | ✓ | - | - | Overview |
| Private DNS | privatedns | Resource level | ✓ | - | - | Access Control Overview |
Terminal Security
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Cloud Workload Protection Platform (CWPP) | cwpp | Operation level | ✓ | - | ✓ | - |
Data Security
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Data Security Center | dsgc | Operation level | ✓ | - | ✓ | - |
| Key Management Service (KMS) | kms | Resource level | ✓ | ✓ | - | Access Control |
| Secrets Manager (SSM) | ssm | Resource level | ✓ | ✓ | ✓ | Overview |
Security Management
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Security Operations Center (SOC) | ssa | Operation level | ✓ | - | ✓ | - |
Application Security
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Web Application Firewall (WAF) | waf | Operation level | ✓ | ✓ | - | - |
| Vulnerability Scan Service (VSS) | cws | Operation level | ✓ | - | ✓ | - |
Video Services
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Tencent Real-Time Communication (TRTC) | trtc | Resource level | ✓ | ✓ | - | Overview |
| Video on Demand (VOD) | consolevod | Resource level | ✓ | ✓ | ✓ | Overview |
| Media Processing Service (MPS) | mps | Service level | ✓ | - | ✓ | - |
Data Analysis
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Elastic MapReduce (EMR) | emr | Resource level | ✓ | ✓ | ✓ | Collaborator/Sub-account Permissions |
| Elasticsearch Service (ES) | es | Resource level | ✓ | ✓ | - | CAM-based Access Control Configuration |
| Cloud Data Warehouse for ClickHouse (CDWCH) | cdwch | Resource level | ✓ | ✓ | - | - |
OCR
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Optical Character Recognition (OCR) | ocr | Service level | ✓ | - | - | - |
Face Recognition
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Face Recognition | iai | Resource level | ✓ | - | ✓ | - |
| FaceID | faceid | Service level | ✓ | - | ✓ | - |
Speech Technology
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Automatic Speech Recognition (ASR) | asr | Resource level | ✓ | ✓ | - | Overview |
Gaming Services
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Game Multimedia Engine (GME) | gme | Resource level | ✓ | ✓ | - | - |
Mobile Services
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Tencent Push Notification Service (TPNS) | tpns | Resource level | ✓ | ✓ | - | Advanced Custom Configuration |
Cloud Communication
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Instant Messaging (IM) | im | Resource level | ✓ | ✓ | - | - |
| Short Message Service (SMS) | consolesms | Resource level | ✓ | ✓ | - | Cloud Access Management |
| Simple Email Service (SES) | ses | Service level | ✓ | - | - | - |
Internet of Things
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| IoT Hub | iotcloud | Resource level | ✓ | ✓ | ✓ | Sub-account Access to IoT Hub |
Cloud Resource Management
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Tag | tag | Operation level | ✓ | - | - | - |
| Tencent Infrastructure as Code (TIC) | tic | Service level | ✓ | - | ✓ | - |
| Tencent Smart Advisor (TSA) | advisor | Service level | ✓ | - | ✓ | - |
Management and Audit
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Cloud Access Management (CAM) | cam | Operation level | ✓ | - | - | User Guide |
| CloudAudit | cloudaudit | Operation level | ✓ | - | ✓ | - |
Monitoring and Ops
| Product | Abbreviation in CAM | Authorization Granularity | Console | Authorization by Tag | Service Role | Reference Document |
|---|---|---|---|---|---|---|
| Tencent Managed Service for Prometheus (TMP) | monitor | Resource level | ✓ | ✓ | ✓ | Overview |
| Migration Service Platform (MSP) | msp | Service level | ✓ | - | ✓ | - |
| Real User Monitoring (RUM) | rum | Resource level | ✓ | ✓ | - | Overview |
Yes
No
Was this page helpful?