How do I grant permissions to the root account?
The root account has all permissions by default and doesn't need to be authorized.
How do I grant a sub-account specific operation permissions of specific products?
After a sub-account is authorized, which account owns the resources purchased by the sub-account?
Resources purchased by the sub-account are owned by the root account.
How do I reset a sub-account's password?
How will the fees incurred by resource purchases made by a sub-account be paid?
Fees incurred by the sub-account will be deducted from the balance of the root account.
Why do I get a prompt saying that "The account is not on the allowlist" when creating a policy?
Some of Tencent Cloud products are still in beta test, and a few products do not support CAM yet. Please see CAM-Enabled Products to check whether and at what granularity you can manage permissions of a product in CAM. If you want to use CAM to manage permissions of a product in beta test, please submit a ticket. How do I implement granular permission management for project resources?
You can implement granular permission management by using tags. Why can't a sub-account access certain Tencent Cloud products after it has been authorized with the read-only policy (ReadOnlyAccess)?
The read-only policy (ReadOnlyAccess) only covers read APIs of Tencent Cloud products where the authorization granularity is operation level or resource level. If you access service-level products or the write APIs of operation-level/resource-level products, the prompt for no access will be displayed. For the authorization granularity of Tencent Cloud products, please see CAM-Enabled Products. How do I grant permissions to allow a sub-account to view only part of my resources?
The following example describes how to allow a sub-account to view only part of the resources:
The enterprise account CompanyExample (ownerUin: 12345678) has a sub-account Developer. CompanyExample wants to allow the sub-account to view only part of its resources in the console.
For example, to allow the sub-account to view in the console two CVM instances ins-xxx1 and ins-xxx2 in the gz region:
1. Create the following policy by using policy syntax:
{
"version": "2.0",
"statement": [
{
"action": [
"cvm:DescribeInstances"
],
"resource": ["qcs::cvm:gz::instance/ins-xxx1",
"qcs::cvm:gz::instance/ins-xxx2"
],
"effect": "allow"
}
]
}
You can also grant the sub-account a wider permission, such as full access. To grant the sub-account full access to CVM instances in the Guangzhou region, create the following policy:
{
"version": "2.0",
"statement": [
{
"action": [
"cvm:*"
],
"resource": "qcs::cvm:gz::*",
"effect": "allow"
}
]
}
2. Associate the policy with the sub-account. For more information on authorization, please see Authorization Management. The products that support read-only permission at the resource level include CVM, TencentDB for MySQL, and TKE.
Other products do not support granting read-only permission of specific resources. A sub-account either has the permission to view all the resources or has no permission to view any resources.
Which Tencent Cloud services support limiting access via IPs?
|
| |
| |
| |
| |
| |
Dayu Anti-DDoS - Anti-DDoS Advanced | |