| Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|---|
| Serverless Cloud Function | scf | Supported | Supported | Resource level | Partially supported |
Note:
The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.
- Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. Cloud products with service-level granularity do not support authorization of specific APIs.
- Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.
API authorization granularity
APIs support two authorization granularity levels: resource level and operation level.
- Resource level: It supports the authorization of a specific resource.
- Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
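The operation-level rule above, as an added example (not Tencent Cloud's code): a small linter that checks a CAM policy against a subset of the rows in this page's tables and reports grants that CAM would treat as unauthorized, grants that are necessarily account-wide, and grants that could be narrowed. The policy, region, uin and function name are constructed; the lowercase statement/effect/action/resource keys and the `scf:` action prefix are assumed to follow CAM policy syntax.

```python
# Added example. Rows are a subset copied from this page's tables; policy is constructed.
GRANULARITY = {
    "InvokeFunction": "operation",
    "UpdateFunctionCode": "operation",
    "InvokeFunctionUrl": "resource",
    "StartDebugMode": "resource",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, API, verdict) for every allowed scf action."""
    findings = []
    for idx, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        wildcard = "*" in _as_list(stmt.get("resource", []))
        for action in _as_list(stmt.get("action", [])):
            # Assumed action forms: "scf:Api" or "name/scf:Api".
            service, _, api = action.split("/", 1)[-1].partition(":")
            if service != "scf":
                continue
            level = GRANULARITY.get(api)
            if level is None:
                verdict = "not-in-table"
            elif level == "operation":
                # A specific resource makes CAM treat the API as unauthorized;
                # "*" works but covers every function in the account.
                verdict = "account-wide" if wildcard else "dead-grant"
            else:
                # Resource-level APIs can be pinned to one six-segment resource.
                verdict = "narrowable" if wildcard else "ok"
            findings.append((idx, api, verdict))
    return findings

FUNC = "qcs::scf:ap-guangzhou:uin/100000000001:namespace/default/function/demo"
SAMPLE_POLICY = {  # constructed sample
    "version": "2.0",
    "statement": [
        {"effect": "allow", "resource": [FUNC],
         "action": ["scf:InvokeFunction", "scf:InvokeFunctionUrl"]},
        {"effect": "allow", "resource": ["*"],
         "action": ["scf:UpdateFunctionCode", "scf:StartDebugMode"]},
    ],
}

if __name__ == "__main__":
    print(*lint_policy(SAMPLE_POLICY), sep="\n")
```

Extending GRANULARITY with the remaining rows of the tables lets the same check run over real policies before they are attached.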
Write operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| BatchResumeService | resume service | Operation level | * | Supported |
| BatchSuspendService | suspend service | Operation level | * | Supported |
| BindTrigger | scf bind trigger | Operation level | * | Supported |
| BuildDebugConnection | Build the connection of debug | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| CopyFunction | CopyFunction | Operation level | * | Supported |
| CreateAlias | | Operation level | * | Supported |
| CreateNamespace | | Operation level | * | Supported |
| DeleteAlias | | Operation level | * | Supported |
| DeleteFunction | | Operation level | * | Supported |
| DeleteLayerVersion | - | Operation level | * | Supported |
| DeleteNamespace | | Operation level | * | Supported |
| DeleteProvisionedConcurrencyConfig | Delete provisioned concurrency config of specified function or function version | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| DeleteReservedConcurrencyConfig | Delete reserved concurrency memory config of specified function. | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| DeleteTrigger | | Operation level | * | Supported |
| InvokeFunction | | Operation level | * | Not supported |
| InvokeFunctionUrl | Function URL Invoke Interface | Resource level | qcs::scf:${region}:uin/${uin}:namespace/${Namespace}/function/${FunctionName} | Supported |
| PublishLayerVersion | - | Operation level | * | Supported |
| PublishVersion | Publish version | Operation level | * | Supported |
| PutProvisionedConcurrencyConfig | Set provisioned concurrency config of specified function version | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| PutReservedConcurrencyConfig | Set reserved concurrency memory config of specified function. | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| PutTotalConcurrencyConfig | Set user concurrency memory limit. | Operation level | * | Not supported |
| SetTrigger | | Operation level | * | Not supported |
| StartDebugMode | Open debug mode | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| StartDebugging | Open debugging | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| StopDebugMode | Stop debug mode | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| StopDebugging | Stop debugging | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| TerminateAsyncEvent | terminate async event | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| UnbindTrigger | scf unbind trigger | Operation level | * | Not supported |
| UpdateAlias | | Operation level | * | Supported |
| UpdateFunction | | Operation level | * | Not supported |
| UpdateFunctionCode | update function code | Operation level | * | Supported |
| UpdateFunctionEventInvokeConfig | UpdateFunctionEventInvokeConfig | Operation level | * | Supported |
| UpdateFunctionIncrementalCode | | Operation level | * | Supported |
| UpdateNamespace | | Operation level | * | Supported |
| UpdateTrigger | | Operation level | * | Supported |
Read operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| CreateFunction | create function | Operation level | * | Supported |
| GetAccount | | Operation level | * | Supported |
| GetAccountSettings | | Operation level | * | Not supported |
| GetAlias | | Operation level | * | Supported |
| GetAsyncEventOverview | get async event overview | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| GetAsyncEventStatus | get async event status | Operation level | * | Not supported |
| GetBatchUserInfo | get user global info | Operation level | * | Supported |
| GetBeianResource | get beian resource | Operation level | * | Not supported |
| GetCloudStudioAccessInfo | get cloud studio access info | Operation level | * | Supported |
| GetDebuggingInfo | Get info of debugging | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| GetDemoAddress | | Operation level | * | Not supported |
| GetDemoDetail | | Operation level | * | Not supported |
| GetFunction | get function detail | Operation level | * | Supported |
| GetFunctionAddress | | Operation level | * | Supported |
| GetFunctionEventInvokeConfig | GetFunctionEventInvokeConfig | Operation level | * | Supported |
| GetFunctionLogs | | Operation level | * | Not supported |
| GetFunctionSAM | | Operation level | * | Supported |
| GetFunctionUsageTriggerCount | | Operation level | * | Not supported |
| GetLayerVersion | - | Operation level | * | Supported |
| GetProvisionedConcurrencyConfig | Get provisioned concurrency config of specified function or function version | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| GetRequestStatus | get request status | Operation level | * | Not supported |
| GetReservedConcurrencyConfig | Get reserved concurrency memory config of specified function. | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| GetUserEipQuota | get user eip quota | Operation level | * | Supported |
| ListAliases | | Operation level | * | Supported |
| ListAsyncEvents | list async events | Resource level | qcs::scf:$region:uin/$uin:namespace/$ns/function/$func | Supported |
| ListFunctionTestModels | | Operation level | * | Supported |
| ListFunctions | | Operation level | * | Not supported |
| ListIntranetAddress | list intranet address | Operation level | * | Not supported |
| ListNamespaces | | Operation level | * | Supported |
| ListTriggers | list triggers | Resource level | qcs::scf:${region}:uin/${uin}:namespace/$ns/function/$func | Not supported |
| ListVersion | | Operation level | * | Not supported |
| ListVersionByFunction | | Operation level | * | Supported |
| UpdateFunctionConfiguration | update function configuration | Operation level | * | Supported |
List Operations
| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| ListLayerVersions | - | Operation level | * | Supported |
| ListLayers | - | Operation level | * | Not supported |