This document describes the permissions that can be granted to sub-users of Stream Compute Service. Sub-users can access the service only after authorization by the root account. For authorization steps, see Configuring Basic Permissions and Space Role Permissions. Permission management in Stream Compute Service involves three aspects:
1. CAM policy
2. Access to other services
3. Space role permissions
CAM policy involves the basic access to Tencent Cloud resources. Space role permissions involve the fine-grained management of permissions on jobs and resources in Stream Compute Service. Access to other services involves the access to your other Tencent Cloud resources by Stream Compute Service.
CAM policy
After Signup, the generated Tencent Cloud account is the root account, which has the permission to manage all Tencent Cloud resources under it. If you need other users to help you manage the Tencent Cloud resources under your account, you can create, manage, and terminate users (groups) in CAM and use identity and policy management features to control their access to your resources. Access to other services
The underlying system services of Stream Compute Service must be authorized to access various cloud service resources such as CKafka, COS, and CLS via your VPC. This is the most basic authorization required for the proper running of the Stream Compute Service system. When this authorization is required during the use of Stream Compute Service, the authorization page will automatically appear.
Space role permissions
Within the framework of the unified Tencent Cloud CAM, Stream Compute Service has its own predefined system for space role permissions to help coordinate between different business departments of your organization. These permissions help you isolate compute resources of different businesses and control at a finer granularity the permissions of different members to view and operate jobs and files. A space isolates the jobs, metadata, dependencies, and other resources in it from the outside world. In the space, each sub-account is assigned a predefined role with the required permissions.