Cloud Access Management

Last updated: 2024-07-13 09:12:17

    Fundamental information

    | Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
    |---|---|---|---|---|---|
    | Cloud Access Management | cam | Supported | Not supported | Operation level | Partially supported |

    Note:

    The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

    • Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For cloud products whose authorization granularity is service level, authorization of specific APIs is not supported.
    • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
    • Resource level: It is the finest authorization granularity, which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

    API authorization granularity

    Two API authorization granularity levels are supported: resource level and operation level.

    • Resource level: It supports the authorization of a specific resource.
    • Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
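
    A policy check for the operation-level rule above, as an added example that is not part of the original documentation. It assumes the CAM policy JSON layout (`statement`, `effect`, `action`, `resource`) and the `cam:` / `name/cam:` action prefixes; the UINs and role name in the sample are constructed, and the set of resource-level APIs is copied from the tables on this page.

```python
import json

# Resource-level cam APIs as listed in this page's tables. Every other cam API
# listed here is operation level and is only in scope when the resource is "*".
RESOURCE_LEVEL = {
    "DeleteAccessKey", "DeleteRole", "DeleteServiceLinkedRole", "PassRole",
    "TagRole", "UnbindContactInfo", "UntagRole", "UpdateAccessKey",
    "UpdateAccessKeyAttribute", "UpdateAssumeRolePolicy",
    "UpdateRoleConsoleLogin", "UpdateRoleDescription",
    "BuildDataFlowAuthToken", "CreateApiKey", "DescribeRoleList", "GetRole",
    "ListAccessKeys", "ListRoleTags", "ListUserTags",
}

# Constructed sample policy (assumed CAM policy layout, made-up UINs).
SAMPLE_POLICY = """
{
  "version": "2.0",
  "statement": [
    {"effect": "allow",
     "action": ["cam:GetRole", "cam:ListAttachedRolePolicies"],
     "resource": ["qcs::cam::uin/100000000001:roleName/demo-role"]},
    {"effect": "allow", "action": "cam:ListUsers", "resource": "*"},
    {"effect": "allow", "action": ["name/cam:AddUser"],
     "resource": ["qcs::cam::uin/100000000001:uin/100000000002"]}
  ]
}
"""

def _as_list(value):
    """Policy fields may hold a single item or a list of items."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def find_ineffective_grants(policy_json):
    """Return (statement index, API) pairs where an allow statement names an
    operation-level cam API but restricts the resource, so no access results."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("statement"))):
        if stmt.get("effect") != "allow":
            continue  # the page only describes the effect on authorization
        resources = _as_list(stmt.get("resource"))
        if not resources or "*" in resources:
            continue  # unrestricted resource: operation-level APIs stay in scope
        for action in _as_list(stmt.get("action")):
            service, _, name = action.split("/")[-1].partition(":")
            if service != "cam" or "*" in name:
                continue  # other products and wildcard patterns are not judged
            if name not in RESOURCE_LEVEL:
                findings.append((idx, name))
    return findings

if __name__ == "__main__":
    for idx, api in find_ineffective_grants(SAMPLE_POLICY):
        print(f"statement {idx}: {api} is operation level; use resource '*'")
```

    Running such a check before attaching a policy catches grants that look scoped but leave the user unable to call the API.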

    Write operations

    | API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
    |---|---|---|---|---|
    | AddSubAccount | Console Create Message Recipient | Operation level | * | Supported |
    | AddSubAccountCheckingMFA | Console Create Sub-user and Collaborator | Operation level | * | Supported |
    | AddSubAccountsToGroup | Add user to group | Operation level | * | Supported |
    | AddUser | Add Sub-user | Operation level | * | Supported |
    | AddUserToGroup | | Operation level | * | Supported |
    | AttachGroupPolicies | Bind multiple policies to user groups | Operation level | * | Supported |
    | AttachGroupPolicy | | Operation level | * | Supported |
    | AttachGroupsPolicy | Bind a policy to multiple user groups | Operation level | * | Supported |
    | AttachRolePolicy | | Operation level | * | Supported |
    | AttachUserPolicies | Attach some policies to sub-user | Operation level | * | Supported |
    | AttachUserPolicy | | Operation level | * | Supported |
    | AttachUsersPolicy | Bind the policy to multiple users | Operation level | * | Supported |
    | BatchOperateCamStrategy | The binding strategy is for user details page | Operation level | * | Supported |
    | BindToken | | Operation level | * | Supported |
    | CreateAssistApprover | CreateAssistApprover | Operation level | * | Supported |
    | CreateCICUserSAMLConfig | Create CIC User SAML Identity Provider | Operation level | * | Supported |
    | CreateCollApiKey | Create sub-account key | Operation level | * | Supported |
    | CreateGroup | | Operation level | * | Supported |
    | CreateMessageReceiver | Create message receiver | Operation level | * | Supported |
    | CreateOIDCConfig | CreateOIDCConfig | Operation level | * | Supported |
    | CreatePolicy | | Operation level | * | Supported |
    | CreatePolicyVersion | | Operation level | * | Supported |
    | CreateRole | Create Role | Operation level | * | Supported |
    | CreateRoleByConsole | Console creation role | Operation level | * | Supported |
    | CreateSAMLProvider | | Operation level | * | Supported |
    | CreateServiceLinkedRole | Create service linked role | Operation level | * | Supported |
    | CreateSimulationPolicy | Create Simulation Policy Data | Operation level | * | Supported |
    | CreateSubAccountBindPolicy | | Operation level | * | Supported |
    | CreateSubAccountLoginIpPolicy | | Operation level | * | Supported |
    | CreateSubAccounts | Create WeComUser | Operation level | * | Supported |
    | CreateUserOIDCConfig | CreateUserOIDCConfig | Operation level | * | Supported |
    | CreateUserSAMLConfig | Create user SAML configuration | Operation level | * | Supported |
    | DeleteAccessKey | delete access key | Resource level | qcs::cam::uin/${uin}:uin/${uin} | Supported |
    | DeleteApiKey | | Operation level | * | Supported |
    | DeleteCollApiKey | Delete sub-account key | Operation level | * | Supported |
    | DeleteEntitiesPermissionsBoundary | DeleteEntitiesPermissionsBoundary | Operation level | * | Supported |
    | DeleteGroup | | Operation level | * | Supported |
    | DeleteMessageReceiver | Delete message recipient | Operation level | * | Not supported |
    | DeleteOIDCConfig | DeleteOIDCConfig | Operation level | * | Supported |
    | DeletePolicy | | Operation level | * | Supported |
    | DeletePolicyVersion | | Operation level | * | Supported |
    | DeleteRole | Delete role. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/{$RoleId} | |
    | DeleteRolePermissionsBoundary | DeleteRolePermissionsBoundary | Operation level | * | Supported |
    | DeleteSAMLProvider | | Operation level | * | Supported |
    | DeleteServiceLinkedRole | Delete service linked role | Resource level | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/{$RoleId} | |
    | DeleteUser | delete sub user | Operation level | * | Supported |
    | DeleteUserPermissionsBoundary | DeleteUserPermissionsBoundary | Operation level | * | Supported |
    | DetachGroupPolicy | | Operation level | * | Supported |
    | DetachRolePolicy | | Operation level | * | Supported |
    | DetachUserPolicies | Unbinding strategy for details page | Operation level | * | Supported |
    | DetachUserPolicy | | Operation level | * | Supported |
    | DisableApiKey | | Operation level | * | Supported |
    | DisableCollApiKey | Disable sub-account key | Operation level | * | Supported |
    | DisableUserSSO | DisableUserSSO | Operation level | * | Supported |
    | EnableApiKey | | Operation level | * | Supported |
    | EnableCollApiKey | Enable sub-account key | Operation level | * | Supported |
    | GenerateSafetyAnalysisReport | - | Operation level | * | Supported |
    | LogoutRoleSessions | Log out of role | Operation level | * | Supported |
    | ModifySubContactEmailWithVerifyCode | sub-account modification contact email | Operation level | * | Supported |
    | ModifySubContactPhoneWithVerifyCode | sub-user modify contact phone | Operation level | * | Supported |
    | ModifyUserContactInfo | ModifyUserContactInfo | Operation level | * | Supported |
    | PassRole | Pass role for assume role. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | PutEntitiesPermissionsBoundary | PutEntitiesPermissionsBoundary | Operation level | * | Supported |
    | PutRolePermissionsBoundary | PutRolePermissionsBoundary | Operation level | * | Supported |
    | PutUserPermissionsBoundary | PutUserPermissionsBoundary | Operation level | * | Supported |
    | RemoveUserFromGroup | | Operation level | * | Supported |
    | SetDefaultPolicyVersion | | Operation level | * | Supported |
    | SetLoginSessionDuration | - | Operation level | * | Supported |
    | SetMfaFlag | set the user's login protection and sensitive operation verification method | Operation level | * | Supported |
    | SetSafeAuthFlag | | Operation level | * | Supported |
    | SetSubAccountSessionLifetime | - | Operation level | * | Supported |
    | SyncAuthInfo | - | Operation level | * | Supported |
    | TagRole | Tag role. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | UnbindContactInfo | Unbind contact information | Resource level | qcs::cam::uin/${uin}:uin/${uin} | Supported |
    | | | | qcs::cam::uin/${uin}:userName/${userName} | |
    | UnbindSubAccount | Unbind sub-user login method | Operation level | * | Supported |
    | UnbindSubAccountStoken | - | Operation level | * | Supported |
    | UnbindSubAccountToken | - | Operation level | * | Supported |
    | UnbindSubAccountU2FToken | unbind subaccount U2F Token | Operation level | * | Supported |
    | UnbindToken | | Operation level | * | Supported |
    | UnbindU2FToken | unbind account U2F Token | Operation level | * | Supported |
    | UntagRole | Untag role. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName}role/${RoleId} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | UpdateAccessKey | update access key | Resource level | qcs::cam::uin/${uin}:uin/${uin} | Supported |
    | UpdateAccessKeyAttribute | UpdateAccessKeyAttribute | Resource level | qcs::cam::uin/${uin}:uin/${uin} | Supported |
    | UpdateAssumeRolePolicy | Update assume role policy. | Resource level | qcs::cam::uin/${uin}:roleName/${roleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${roleId} | |
    | | | | qcs::cam::uin/${uin}:role/${roleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${roleName} | |
    | UpdateCollPassword | - | Operation level | * | Supported |
    | UpdateGroup | | Operation level | * | Supported |
    | UpdateOIDCConfig | UpdateOIDCConfig | Operation level | * | Supported |
    | UpdatePasswordRules | | Operation level | * | Supported |
    | UpdatePolicy | | Operation level | * | Supported |
    | UpdateRoleConsoleLogin | Update role console login | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | UpdateRoleDescription | Update role description. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | UpdateSAMLProvider | | Operation level | * | Supported |
    | UpdateSubAccountAttr | - | Operation level | * | Supported |
    | UpdateUser | update user | Operation level | * | Supported |
    | UpdateUserOIDCConfig | UpdateUserOIDCConfig | Operation level | * | Supported |
    | UpdateUserSAMLConfig | Modify user SAML configuration | Operation level | * | Supported |

    Other Operations

    | API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
    |---|---|---|---|---|
    | BuildDataFlowAuthToken | BuildDataFlowAuthToken | Resource level | qcs::cam:${ResourceRegion}:uin/:resourceUser/${ResourceId}/${ResourceAccount} | Supported |

    Read operations

    | API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
    |---|---|---|---|---|
    | CheckGroupNameIsValid | check whether the user group name is legal | Operation level | * | Supported |
    | CheckSubAccountName | | Operation level | * | Supported |
    | CheckUserPolicyAttachment | | Operation level | * | Supported |
    | ConsumeCustomMFAToken | | Operation level | * | Supported |
    | CreateApiKey | CreateApiKey | Resource level | qcs::cam::uin/${uin}:uin/${ApiUin} | Supported |
    | DeleteSubAccount | delete sub account | Operation level | * | Supported |
    | DescribeAssistApprover | | Operation level | * | Supported |
    | DescribeContactInfoModifyStatus | - | Operation level | * | Supported |
    | DescribeMFADeviceColl | Query MFA devices | Operation level | * | Supported |
    | DescribeMessageReceiverList | Message recipient list | Operation level | * | Not supported |
    | DescribeMfaStatus | query mfa status | Operation level | * | Supported |
    | DescribeOIDCConfig | DescribeOIDCConfig | Operation level | * | Supported |
    | DescribePermProject | - | Operation level | * | Supported |
    | DescribeRoleList | Describe role list. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | DescribeSafeAuthFlagColl | DescribeSafeAuthFlagColl | Operation level | * | Supported |
    | DescribeSafeAuthInfo | DescribeSafeAuthInfo | Operation level | * | Supported |
    | DescribeSecretProjectId | - | Operation level | * | Supported |
    | DescribeSensitiveInfoHashValue | - | Operation level | * | Supported |
    | DescribeServiceLinkedRole | Describe service linked role | Operation level | * | Supported |
    | DescribeSubAccountBindPolicy | | Operation level | * | Supported |
    | DescribeSubAccountContacts | DescribeSubAccountContacts | Operation level | * | Supported |
    | DescribeSubAccountLoginIpPolicy | | Operation level | * | Supported |
    | DescribeSubAccountSessionSettings | - | Operation level | * | Supported |
    | DescribeSubAccounts | Describe SubAccounts | Operation level | * | Supported |
    | DescribeSubLoginUinList | - | Operation level | * | Supported |
    | DescribeSubUsers | Sub account details | Operation level | * | Not supported |
    | DescribeUserAnalysisReport | DescribeUserAnalysisReport | Operation level | * | Supported |
    | DescribeUserAnalysisReportCheck | - | Operation level | * | Supported |
    | DescribeUserOIDCConfig | DescribeUserOIDCConfig | Operation level | * | Supported |
    | DescribeUserSAMLConfig | Query user SAML configuration | Operation level | * | Supported |
    | DescribeUserWeChatInfo | - | Operation level | * | Supported |
    | DescribeWechatUnionId | - | Operation level | * | Supported |
    | GetAccountSummary | | Operation level | * | Supported |
    | GetAllSubUser | | Operation level | * | Supported |
    | GetCustomMFATokenInfo | | Operation level | * | Supported |
    | GetCustomMfaCallback | - | Operation level | * | Supported |
    | GetGroup | | Operation level | * | Supported |
    | GetMFADevice | | Operation level | * | Supported |
    | GetMFADeviceColl | - | Operation level | * | Supported |
    | GetMfaStatusBySubUins | Query the MFA status through the UIN of sub accounts | Operation level | * | Not supported |
    | GetPasswordRules | | Operation level | * | Supported |
    | GetPolicy | | Operation level | * | Supported |
    | GetPolicyVersion | | Operation level | * | Supported |
    | GetReceiverInfo | | Operation level | * | Supported |
    | GetRole | Get role detail. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | GetRolePermissionBoundary | GetRolePermissionBoundary | Operation level | * | Supported |
    | GetSAMLProvider | | Operation level | * | Supported |
    | GetSafeAuthFlag | | Operation level | * | Supported |
    | GetSafeAuthFlagColl | - | Operation level | * | Supported |
    | GetSecurityLastUsed | GetSecurityLastUsed | Operation level | * | Supported |
    | GetServiceLinkedRoleDeletionStatus | Get service linked role deletion status | Operation level | * | Supported |
    | GetStrategyNoticeFrequency | Frequency of getting policy change notifications | Operation level | * | Supported |
    | GetSubAccountBindInfo | | Operation level | * | Supported |
    | GetUidByUin | | Operation level | * | Supported |
    | GetUser | | Operation level | * | Supported |
    | GetUserAppId | Get User AppId | Operation level | * | Not supported |
    | GetUserPermissionBoundary | GetUserPermissionBoundary | Operation level | * | Supported |
    | ListAccessKeys | list access keys | Resource level | qcs::cam::uin/${uin}:userName/${userName} | Supported |
    | ListAllGroupsPolicies | | Operation level | * | Supported |
    | ListAttachedGroupPolicies | | Operation level | * | Supported |
    | ListAttachedRolePolicies | | Operation level | * | Supported |
    | ListAttachedUserAllPolicies | | Operation level | * | Supported |
    | ListAttachedUserPolicies | | Operation level | * | Supported |
    | ListCollaborators | List Collaborators | Operation level | * | Supported |
    | ListEntitiesForPolicy | | Operation level | * | Supported |
    | ListGroups | | Operation level | * | Supported |
    | ListGroupsForConsole | List Groups For Console | Operation level | * | Supported |
    | ListGroupsForUser | | Operation level | * | Supported |
    | ListGroupsPolicies | | Operation level | * | Supported |
    | ListIdentityProvider | | Operation level | * | Supported |
    | ListLoginRoles | Get subaccount user's role list for login. | Operation level | * | Supported |
    | ListMaskedSubAccounts | - | Operation level | * | Supported |
    | ListPolicies | | Operation level | * | Supported |
    | ListPolicyVersions | | Operation level | * | Supported |
    | ListRoleTags | List role tags. | Resource level | qcs::cam::uin/${uin}:roleName/${RoleName} | Supported |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRole/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/${RoleId} | |
    | | | | qcs::cam::uin/${uin}:role/tencentcloudServiceRoleName/${RoleName} | |
    | ListSAMLProviders | | Operation level | * | Supported |
    | ListSimulationAuth | ListSimulationAuth | Operation level | * | Supported |
    | ListSubAccounts | | Operation level | * | Supported |
    | ListUserTags | List user tags | Resource level | qcs::cam::uin/${uin}:userName/${userName} | Supported |
    | ListUsers | | Operation level | * | Supported |
    | ListUsersForGroup | List Users For Group | Operation level | * | Supported |
    | ListUsersForPolicy | | Operation level | * | Supported |
    | ListWeChatWorkSubAccounts | - | Operation level | * | Supported |
    | LookupRecentlyLogin | | Operation level | * | Supported |
    | QueryApiKey | | Operation level | * | Supported |
    | QueryApiKeyRecord | Query key access records | Operation level | * | Supported |
    | QueryCollApiKey | Query for sub-account key list | Operation level | * | Supported |
    | QueryKeyBySecretId | - | Operation level | * | Supported |
    | UpdateSubAccount | update sub account | Operation level | * | Supported |

    List Operations

    | API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
    |---|---|---|---|---|
    | DescribeOrganizationSubAccountPolicies | Describe Organization SubAccount Policies List | Operation level | * | Supported |
    | GetAllMaskedSubUser | - | Operation level | * | Supported |
    | ListEntitiesForPermissionsBoundary | ListEntitiesForPermissionsBoundary | Operation level | * | Supported |
    | ListPoliciesForPermissionsBoundary | ListPoliciesForPermissionsBoundary | Operation level | * | Supported |
    | ListPoliciesGrantingServiceAccess | List policies granting service access. | Operation level | * | Supported |