
Overview of Multi-Account Authorization

Last updated: 2024-07-31 14:17:23
On the multi-account authorization page, you can configure Cloud Access Management (CAM) user synchronization and CAM role synchronization based on the directory structure of the organization account.

Difference Explanation

Identity Center users can access the account's cloud resources through CAM roles or CAM users. The differences between the two methods are shown in the table below.
| Access Method | Description | Synchronization Method | Related Documentation |
| --- | --- | --- | --- |
| Configuring CAM Role Synchronization | Enterprises manage users accessing Tencent Cloud in the Tencent Cloud Organization's Identity Center. Through permission configuration and CAM role synchronization, users can log in to member accounts using single sign-on (SSO) and access the CAM roles within those accounts, and then access the cloud resources of the member account. | When configuring CAM role synchronization, the Identity Center will initiate tasks for each triplet (user-account-permission configuration). | After synchronization, the access permissions in CAM are finalized and cannot be modified in CAM. |
| Configuring CAM User Synchronization | Enterprises manage users accessing Tencent Cloud in the Tencent Cloud Organization's Identity Center. Through CAM user synchronization, users can log in to member accounts and access the CAM users within those accounts, and then access the cloud resources of the member account. | When configuring CAM user synchronization, the Identity Center will initiate tasks for each tuple (user-account). | After synchronization, the access permissions in CAM are empty and need to be configured in CAM. |

CAM Role Synchronization Explanation

If you need to perform a one-time batch authorization for multiple accounts, multiple identities, and multiple access configurations, you can go to TCO > Identity Center, enter the multi-account permission management page, view the account directory tree, and perform the following operations:
1. Select one or more accounts in the account tree as authorization targets.
2. Select one or more Identity Center identities.
3. Select one or more access configurations.
4. Click Configure CAM Role Synchronization, and the Identity Center service will complete the authorization for you in batches.
In a batch authorization, any item that duplicates an existing authorization will fail, while the newly added authorizations in the same batch will succeed.
Each time permissions are added, the Identity Center will initiate an asynchronous task for each triplet (identity-account-permission configuration).

CAM User Synchronization Explanation

If you need to perform a one-time batch authorization for multiple accounts and multiple identities, you can go to TCO > Identity Center, enter the multi-account permission management page, view the account directory tree, and perform the following operations:
1. Select one or more accounts in the account directory tree.
2. Select one or more Identity Center identities.
3. Click Configure CAM User Synchronization, and the Identity Center service will complete the synchronization for you in batches.
In a batch synchronization, any item that duplicates an existing synchronization will fail, while the newly added synchronizations in the same batch will succeed.
After successful configuration, a CAM user with the same name as the Identity Center user will be created in the target account.
Authorization: Access the target account to authorize the CAM user created in the previous step.
CAM users have no permissions by default. You need to grant them the appropriate permissions for the corresponding resources.
Identity Center users access the authorized resources in the target account through the CAM user identity.
For specific operations, see Configuring CAM User Synchronization.
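
To review a selection before clicking either synchronization button, the sketch below expands it into the per-triplet (role synchronization) or per-tuple (user synchronization) tasks described above and separates the items that duplicate an existing entry. It is an added example, not Tencent Cloud code; it calls no Tencent Cloud API, and the function names, account names, identities and configuration names are all constructed for illustration.

```python
from itertools import product

def plan_batch(accounts, identities, configs=None, existing=()):
    """Expand a console selection into the tasks the Identity Center starts.

    configs given -> CAM role sync: one task per (identity, account, config).
    configs None  -> CAM user sync: one task per (identity, account).
    Items already present in `existing` are duplicates and are expected to
    fail; the remaining items in the same batch still succeed.
    """
    existing = set(existing)
    if configs is None:
        selected = product(identities, accounts)
    else:
        selected = product(identities, accounts, configs)
    plan = {"new": [], "duplicate": []}
    for item in dict.fromkeys(selected):  # drop repeated selections, keep order
        plan["duplicate" if item in existing else "new"].append(item)
    return plan

def users_needing_grants(user_plan):
    """CAM users created by user sync start with no permissions, so every
    new (account, user) pair still needs a grant inside the target account."""
    return sorted((account, identity) for identity, account in user_plan["new"])

# Constructed sample selection and already-synchronized entries.
ACCOUNTS = ["acct-dev", "acct-prod"]
IDENTITIES = ["alice", "bob"]
CONFIGS = ["ReadOnly", "NetworkAdmin"]
EXISTING_ROLE_SYNC = {("alice", "acct-dev", "ReadOnly")}
EXISTING_USER_SYNC = {("bob", "acct-prod")}

if __name__ == "__main__":
    role_plan = plan_batch(ACCOUNTS, IDENTITIES, CONFIGS, EXISTING_ROLE_SYNC)
    user_plan = plan_batch(ACCOUNTS, IDENTITIES, existing=EXISTING_USER_SYNC)
    print("role sync tasks:", len(role_plan["new"]), "new,",
          len(role_plan["duplicate"]), "duplicate")
    for item in role_plan["duplicate"]:
        print("  will fail as duplicate:", item)
    print("user sync tasks:", len(user_plan["new"]), "new,",
          len(user_plan["duplicate"]), "duplicate")
    for account, user in users_needing_grants(user_plan):
        print(f"  grant permissions in CAM: account={account} user={user}")
```

The role plan shows how quickly a selection fans out (2 accounts × 2 identities × 2 configurations is 8 triplets), which is the number of grants to review against least privilege before the batch is submitted.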




