Within the framework of the unified Tencent Cloud CAM, Stream Compute Service has its own predefined system for space role permissions to help coordinate between different business departments of your organization. These permissions help you isolate compute resources of different businesses and control at a finer granularity the permissions of different members to view and operate jobs and files.
Predefined role permissions
Stream Compute Service provides four predefined space roles:
1. Super admin: Specified by the root account, a super admin has the highest level of access other than operating the root account and can be shared between different regions.
2. Space admin: Specified by the root account or a super admin account, a space admin has the permission to add or remove the members in a space.
3. Developer: Added to a space by a space admin/super admin/root account in the Members module, a developer can operate jobs in the space.
4. Guest: Added to a space by a space admin/super admin/root account in the Members module, a guest can only view resources in the space.
The detailed permissions of all predefined roles are as follows:
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
Associate/Disassociate cluster with/from space | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
Create/Delete metadatabase | | | | |
Create/Delete metadata table | | | | |
| | | | |
| | | | |
Granting predefined role permissions
Before granting space role permissions, you must have granted the target sub-account the access to Stream Compute Service and associated it with the required CAM policy. For details, see Granting Basic Permissions. 1. Add a super admin.
Log in to the console with the root account or a super admin account, select Role permissions on the left sidebar, and click Edit on the page to add one or more sub-accounts as super admin. A super admin has the highest level of access other than operating the root account and can be shared between different regions.
Note
A super admin account can assist the root account in cases where it is inconvenient to use the root account. You can set super admins as needed.
If you log in with an account other than the root account or a super admin account, the Edit button will not appear.
2. Create a space with the root account or a super admin account.
Log in the console with the root account or a super admin account, select Workspaces on the left sidebar, and click Create workspace on the page.
Note
You can create up to 30 workspaces in a region with the same APPID.
3. Associate a space with compute resources.
Log in the console with the root account or a super admin account, select Workspaces on the left sidebar, and click Associate now next to the compute resources field of the workspace created to go to the Compute resources module.
Select the cluster to be associated with the space. Till now, the compute resources and the space are associated with each other, and the compute resources will be available when you create a job in the space. To disassociate the space from compute resources, go to the Compute resources module, and click Disassociate space.
Note
Space and cluster association limits: A cluster can be used by up to 10 spaces, but there is no limit on the number of clusters a space can use.
4. Add a sub-account and grant a role in a space.
Log in the console with the root account or a super admin account, select Workspaces on the left sidebar, go to the space created, select Members, and click Add member.
Adding custom role permissions
1. On the Role permissions page, click Custom role.
2. Enter the required information and click Save.
3. Grant the permissions based on rules.