Authorization Policy Syntax

Last updated: 2024-01-18 17:23:30

Policy Syntax

CAM Policy:
{
    "version":"2.0",
    "statement":
    [
        {
            "effect":"effect",
            "action":["action"],
            "resource":["resource"],
            "condition": {"key":{"value"}}
        }
    ]
}
Version: This field must be filled in; currently only the value 2.0 is acceptable.
Statement: Describes the details of one or more permissions. It contains a permission or a set of permissions built from the other elements: effect, action, resource, and condition. Each policy contains just one statement element.
Effect: This field must be filled in. It describes whether the outcome of a statement is Allow or Explicit Deny. These are the only two possible outcomes.
Action: This field must be filled in. It describes the operation to be allowed or denied. An operation can be an API, which is prefixed with sqlserver:.
Resource: This field must be filled in. It describes the specific data being authorized. The resource is described in a six-segment format. Detailed resource definitions vary by product.
Condition: This field must be filled in. It describes the conditions under which the policy takes effect. A condition consists of an operator, an action key, and an action value. Condition values include time and IP addresses. Certain services also permit users to specify other values within these conditions.

SQL Server Operations

In the SQL Server policy statement, you can specify any API operation from any service supporting SQL Server. APIs prefixed with sqlserver: should be used for SQL Server, such as sqlserver:DescribeDBInstances or sqlserver:CreateAccount.
To specify multiple operations within a single statement, please separate them with a comma as demonstrated below:
"action":["sqlserver:action1","sqlserver:action2"]
You may also use an asterisk wildcard to specify multiple operations. For instance, you can specify all operations whose names begin with Describe, as shown below:
"action":["sqlserver:Describe*"]
To specify all the operations in SQL Server, please use an asterisk wildcard (*), as indicated below:
"action":["sqlserver:*"]

SQL Server Resources

Each CAM policy statement has its own resources. The typical format of resources is as follows:
qcs:project_id:service_type:region:account:resource
project_id: Describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
service_type: The product's abbreviation, such as sqlserver.
region: Describes the regional information, such as ap-guangzhou.
account: The root account information of the resource owner, such as uin/65xxx763.
resource: Indicates the detailed resource information of each product, such as instance/instance_id1 or instance/*.
For instance, you may use the specific instance (mssql-m8oh024t) to specify a resource in the statement as demonstrated below:
"resource":[ "qcs::sqlserver:ap-guangzhou:uin/65xxx763:instance/mssql-m8oh024t"]
You could also employ an asterisk wildcard (*) to designate all instances pertaining to a certain account, as shown below:
"resource":[ "qcs::sqlserver:ap-guangzhou:uin/65xxx763:instance/*"]
If you want to specify all the resources or if a specific API operation does not support resource-level permissions, you can utilize an asterisk wildcard (*) within the resource element as shown below:
"resource": ["*"]
To specify multiple resources in a single statement, separate them with commas. An example specifying two resources is as follows:
"resource":["resource1","resource2"]
The table below describes the resources that can be utilized by SQL Server and their corresponding description methods. In this context, words prefixed with $ are considered placeholders. Region refers to a geographical area. Account signifies the account ID.
| Resources | Resource Description Method in Authorization Policies |
|-----------|-------------------------------------------------------|
| Instances | qcs::sqlserver:$region:$account:instance/$instanceId |
| VPC | qcs::vpc:$region:$account:vpc/$vpcId |
| DFW | qcs::cvm:$region:$account:sg/$sgId |
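
The following is an added example, not Tencent Cloud tooling: a small linter that checks a SQL Server policy against the syntax described above (version 2.0, the sqlserver: action prefix, the six-segment qcs resource format) and flags allow statements that use the broad wildcards. The function name lint_policy, the sample policies, and the lowercase effect values allow/deny are assumptions of this example.

```python
SERVICE = "sqlserver"  # action prefix described on this page

def lint_policy(policy):
    """Return a list of findings for a CAM policy dict (empty list = clean)."""
    findings = []
    if policy.get("version") != "2.0":
        findings.append("version must be 2.0")
    for i, stmt in enumerate(policy.get("statement", [])):
        # Assumption: effect values are written as "allow" / "deny".
        effect = str(stmt.get("effect", "")).lower()
        if effect not in ("allow", "deny"):
            findings.append(f"statement {i}: effect must be allow or deny")
        for field in ("action", "resource"):
            if field not in stmt:
                findings.append(f"statement {i}: missing {field}")
        for action in stmt.get("action", []):
            prefix, _, name = action.partition(":")
            if prefix != SERVICE or not name:
                findings.append(f"statement {i}: action {action!r} lacks the {SERVICE}: prefix")
            elif name == "*" and effect == "allow":
                findings.append(f"statement {i}: allows every {SERVICE} operation")
        for res in stmt.get("resource", []):
            if res == "*":
                if effect == "allow":
                    findings.append(f"statement {i}: allows all resources")
                continue
            # qcs:project_id:service_type:region:account:resource
            seg = res.split(":", 5)
            if len(seg) != 6 or seg[0] != "qcs":
                findings.append(f"statement {i}: resource {res!r} is not in six-segment qcs format")
            elif seg[5].endswith("/*") and effect == "allow":
                findings.append(f"statement {i}: wildcard over every {seg[5][:-2]} of {seg[4]}")
    return findings

# Constructed sample policies, reusing the page's example account and instance ID.
BROAD = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["sqlserver:*"], "resource": ["*"]}]}
SCOPED = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["sqlserver:Describe*"],
     "resource": ["qcs::sqlserver:ap-guangzhou:uin/65xxx763:instance/mssql-m8oh024t"]}]}

if __name__ == "__main__":
    for name, pol in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, lint_policy(pol) or "no findings")
```

Running it reports two findings for BROAD and none for SCOPED, which makes it usable as a pre-commit or review check on policy files.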

