
During tag-based authentication, only tag key matching is supported

Last updated: 2024-01-23 17:59:15
This document describes how to grant your sub-account permission to all resources under a tag and how to grant your sub-account permission to bind only a tag key.
Note:
resource_tag grants permission to all resources under a tag, while request_tag grants a sub-account permission to bind only a tag key. However, this does not take effect on the console lists and related APIs.

Granting permission to all resources under a tag key (resource_tag)

Overview

If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant permission to all resources associated with a tag key (resource_tag).
Suppose that:
- There is a sub-account Operator under the enterprise account CompanyExample.
- There is a tag key Operation under the enterprise account CompanyExample.
- The enterprise account CompanyExample wants to grant the sub-account Operator permission to all resources under the tag key Operation.

Directions

1. Log in to the CAM console with the enterprise account CompanyExample.
2. On the Policies page, click Create Custom Policy and then Create by Policy Syntax.
3. Under Select a template type, select Blank Template, then click Next to go to the policy editing page.



4. On the policy editing page, fill in the form as follows:
   - Policy Name: It defaults to policygen-current date. We recommend a unique and meaningful policy name, such as Operator-resource_tag.
   - Description: Optional. Enter your own description.
   - Policy Content: Copy the following content into the editor. In it, operation is the tag key name, which can be Chinese or English, and false is a fixed tag value.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "*",
            "resource": "*",
            "condition": {
                "null_equal": {
                    "qcs:resource_tag/operation": "false"
                }
            }
        }
    ]
}
5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right.



7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Operator, then click OK to complete the authorization. The sub-account Operator will then have all permissions under the Operation tag.




Granting a sub-account permission to bind a tag key (request_tag)

Overview

If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant permission to all resources associated with a tag key (request_tag).
Suppose that:
- There is a sub-account Developer under the enterprise account CompanyExample.
- There is a tag key Development under the enterprise account CompanyExample.
- The enterprise account CompanyExample wants to grant the sub-account Developer permission to all resources under the tag key Development (request_tag).

Directions

1. Log in to the CAM console with the enterprise account CompanyExample.
2. On the Policies page, click Create Custom Policy and then Create by Policy Syntax.
3. Under Select a template type, select Blank Template, then click Next to go to the policy editing page.


4. On the policy editing page, fill in the form as follows:
   - Policy Name: It defaults to policygen-current date. We recommend a unique and meaningful policy name, such as Developer-request_tag.
   - Description: Optional. Enter your own description.
   - Policy Content: Copy the following content into the editor. In it, develop is the tag key name, which can be Chinese or English, and false is the fixed tag value.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "*",
            "resource": "*",
            "condition": {
                "null_equal": {
                    "qcs:request_tag/develop": "false"
                }
            }
        }
    ]
}

5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right.


7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Developer, then click OK to complete the authorization. The sub-account Developer will then have all permissions to bind the develop tag key.
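
The resource_tag and request_tag policies above differ only in the condition key. The following added example (Python, not part of the original document and not Tencent Cloud's evaluator) models both on constructed tag sets to show that the tag value is never compared, only the presence of the key. It assumes that null_equal with "false" matches when the condition key is present; the function names and sample tags are hypothetical.

```python
def tag_key_policy(condition_key):
    """Return the policy from this page with the given condition key."""
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow", "action": "*", "resource": "*",
            "condition": {"null_equal": {condition_key: "false"}},
        }],
    }

def build_context(resource_tags, request_tags):
    """Flatten tags into condition keys in the form the policies use."""
    ctx = {f"qcs:resource_tag/{k}": v for k, v in resource_tags.items()}
    ctx.update({f"qcs:request_tag/{k}": v for k, v in request_tags.items()})
    return ctx

def null_equal(expected, key, ctx):
    """Assumed semantics: "false" matches a present key, "true" an absent one."""
    return (key not in ctx) == (expected == "true")

def is_allowed(policy, ctx):
    """Allow when an allow statement's conditions all match; otherwise deny."""
    # Action and resource matching are skipped: both are "*" in these policies.
    for stmt in policy["statement"]:
        checks = stmt.get("condition", {}).get("null_equal", {})
        if stmt["effect"] == "allow" and all(
            null_equal(want, key, ctx) for key, want in checks.items()
        ):
            return True
    return False

OPERATOR = tag_key_policy("qcs:resource_tag/operation")
DEVELOPER = tag_key_policy("qcs:request_tag/develop")

# Constructed cases: (label, tags on the resource, tags sent with the request).
CASES = [
    ("resource tagged operation=prod", {"operation": "prod"}, {}),
    ("resource tagged operation=test", {"operation": "test"}, {}),
    ("resource tagged finance=prod", {"finance": "prod"}, {}),
    ("request binds develop=team-a", {}, {"develop": "team-a"}),
]

def evaluate_cases():
    """Return {label: (operator_allowed, developer_allowed)} for each case."""
    return {label: (is_allowed(OPERATOR, build_context(res, req)),
                    is_allowed(DEVELOPER, build_context(res, req)))
            for label, res, req in CASES}

if __name__ == "__main__":
    print(evaluate_cases())
```

Both operation=prod and operation=test resources are allowed for Operator, so separating environments requires distinct tag keys rather than distinct values.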



Associated documents

To learn how to associate resources with tags, see Querying Resources by Tag.
