tencent cloud

Tencent Cloud Observability Platform

Release Notes and Announcements
Release Notes
Product Introduction
Overview
Strengths
Basic Features
Basic Concepts
Use Cases
Use Limits
Purchase Guide
Tencent Cloud Product Monitoring
Application Performance Management
Mobile App Performance Monitoring
Real User Monitoring
Cloud Automated Testing
Prometheus Monitoring
Grafana
EventBridge
PTS
Quick Start
Monitoring Overview
Instance Group
Tencent Cloud Product Monitoring
Application Performance Management
Real User Monitoring
Cloud Automated Testing
Performance Testing Service
Prometheus Getting Started
Grafana
Dashboard Creation
EventBridge
Alarm Service
Cloud Product Monitoring
Tencent Cloud Service Metrics
Operation Guide
CVM Agents
Cloud Product Monitoring Integration with Grafana
Troubleshooting
Practical Tutorial
Application Performance Management
Product Introduction
Access Guide
Operation Guide
Practical Tutorial
Parameter Information
FAQs
Mobile App Performance Monitoring
Overview
Operation Guide
Access Guide
Practical Tutorial
Tencent Cloud Real User Monitoring
Product Introduction
Operation Guide
Connection Guide
FAQs
Cloud Automated Testing
Product Introduction
Operation Guide
FAQs
Performance Testing Service
Overview
Operation Guide
Practice Tutorial
JavaScript API List
FAQs
Prometheus Monitoring
Product Introduction
Access Guide
Operation Guide
Practical Tutorial
Terraform
FAQs
Grafana
Product Introduction
Operation Guide
Guide on Grafana Common Features
FAQs
Dashboard
Overview
Operation Guide
Alarm Management
Console Operation Guide
Troubleshooting
FAQs
EventBridge
Product Introduction
Operation Guide
Practical Tutorial
FAQs
Report Management
FAQs
General
Alarm Service
Concepts
Monitoring Charts
CVM Agents
Dynamic Alarm Threshold
CM Connection to Grafana
Documentation Guide
Related Agreements
Application Performance Management Service Level Agreement
APM Privacy Policy
APM Data Processing And Security Agreement
RUM Service Level Agreement
Mobile Performance Monitoring Service Level Agreement
Cloud Automated Testing Service Level Agreement
Prometheus Service Level Agreement
TCMG Service Level Agreements
PTS Service Level Agreement
PTS Use Limits
Cloud Monitor Service Level Agreement
API Documentation
History
Introduction
API Category
Making API Requests
Monitoring Data Query APIs
Alarm APIs
Legacy Alert APIs
Notification Template APIs
TMP APIs
Grafana Service APIs
Event Center APIs
TencentCloud Managed Service for Prometheus APIs
Monitoring APIs
Data Types
Error Codes
Glossary
DokumentasiTencent Cloud Observability PlatformApplication Performance ManagementOperation GuideAccess ManagementPolicy Syntax

Policy Syntax

PDF
Mode fokus
Ukuran font
Terakhir diperbarui: 2024-11-01 17:48:39

Overview

An access policy that employs the JSON-based access policy language is used to grant access to APM resources. You can authorize a specified principal to perform actions on a specified CM resource through the access policy language.
The access policy syntax describes the basic elements and usage of the policy. For the description of the policy syntax, see Concepts.

Policy Syntax

CAM policy:
{	 
        "version":"2.0", 
        "statement": 
        [ 
           { 
              "effect":"effect", 
              "action":["action"], 
              "resource":["resource"], 
               "condition": {"key":{"value"}} 
           } 
       ] 
} 


Element usage

version is required. Currently, only the value "2.0" is allowed.
statement describes the details of one or more permissions. This element contains a permission or permission set of other elements such as effect, action, resource, and condition. One policy has only one statement.
effect is required. It describes whether the declaration result is allow or explicit deny.
action is required. It specifies whether to allow or deny the operation. The operation can be an API (prefixed with name) or a feature set (a group of APIs, prefixed with permid).
resource is required. It describes the details of authorization. A resource is described in a six-segment format. Detailed resource definitions vary by product. For more information on how to specify resources, see the product documentation corresponding to the resource statement you are writing.
condition is optional. It describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition.

Specifying an effect

If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource to ensure that a user cannot access it, even if another policy has granted access to it. The following example specifies an allow effect.
"effect" : "allow"

Specifying an action

APM defines console operations that can be specified in a policy. The specified operations are divided into reading part of APIs (apm:Describe\\*) and all APIs (apm:\\*) based on the operation nature.
Below is an example of specifying the allowed operations:
"action": [
  "name/apm:Describe*"
]

Specifying a resource

The resource element describes one or multiple operation objects, such as APM resources. All the resources can be described in the following 6-segment format.
qcs:project_id:service_type:region:account:resource
The parameters are as described below:
Parameter
Description
Required
qcs
Abbreviation for "qcloud service", which indicates a Tencent Cloud service
Yes
project_id
Project information, which is only used to enable compatibility with legacy CAM logic and generally can be left empty
No
service_type
Product name abbreviation, which is apm here
Yes
region
Region information
Yes
account
Root account information of the resource owner, which is the root account ID in the format of uin/${OwnerUin}, such as uin/100000000001
Yes
resource
Resource details prefixed with instance
Yes
Below is a sample six-segment description of an APM resource:
"resource":["qcs::apm:ap-guangzhou:uin/1250000000:apm/apm-btzsrI123"]

Samples

Grant the read and write permissions of specified resources based on resource ID. The root account ID is 1250000000:
Sample: Granting the sub-user the permission to modify the business system (ID: apm-btzsrI123)
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "apm:ModifyApmInstance"
            ],
            "resource": [
                "qcs::apm:ap-guangzhou:uin/1250000000:apm-instance/apm-btzsrI123"
            ]
        }
    ]
}

List of APIs supporting resource-level authorization

API
Description
DescribeApmAgent
Gets the APM agent
DescribeApmInstances
Queries APM business systems
DescribeApmRegions
Gets APM regions
DescribeGeneralSpanList
Queries spans
DescribeInstanceBriefs
Queries the business system overview
DescribeMetricLineData
Pulls metric curve data
DescribeMetricRecords
Queries the list of metrics
DescribePAASGeneralSpanList
Queries spans
DescribePAASMetricLineData
Queries the metric curve data
DescribePAASMetricPointData
Queries the metric point data
DescribePAASTagValues
Queries the dimension information
DescribePAASTopology
Queries the topology data
DescribeServiceNodes
Gets the list of services
DescribeServiceOverview
Gets the APM system overview
CreateApmInstance
Creates an APM business system
CreatePAASInstance
Creates a PaaS APM business system
DeletePAASInstance
Deletes an APM business system
ModifyApmInstance
Modifies an APM business system
TerminateApmInstance
Terminates an APM business system

Topik sebelumnya: OverviewTopik selanjutnya: Granting Policy

Bantuan dan Dukungan

Apakah halaman ini membantu?

masukan