Cloud Access Management

Product Introduction
CAM Overview
Features
Scenarios
Basic Concepts
Use Limits
User Types
Purchase Guide
Getting Started
Creating Admin User
Creating and Authorizing Sub-account
Logging In to Console with Sub-account
User Guide
Overview
Users
Access Key
User Groups
Role
Identity Provider
Policies
Permissions Boundary
Troubleshooting
Downloading Security Analysis Report
CAM-Enabled Role
Overview
Compute
Container
Microservice
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Database SaaS Service
Networking
CDN and Acceleration
Network Security
Data Security
Application Security
Domains & Websites
Big Data
Middleware
Interactive Video Services
Real-Time Interaction
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
CAM-Enabled API
Overview
Compute
Edge Computing
Container
Distributed cloud
Microservice
Serverless
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Networking
CDN and Acceleration
Network Security
Endpoint Security
Data Security
Business Security
Application Security
Domains & Websites
Office Collaboration
Big Data
Voice Technology
Image Creation
Tencent Big Model
AI Platform Service
Natural Language Processing
Optical Character Recognition
Middleware
Communication
Interactive Video Services
Real-Time Interaction
Stream Services
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Education Sevices
Medical Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
Use Cases
Security Practical Tutorial
Multi-Identity Personnel Permission Management
Authorizing Certain Operations by Tag
Supporting Isolated Resource Access for Employees
Enterprise Multi-Account Permissions Management
Reviewing Employee Operation Records on Tencent Cloud
Implementing Attribute-Based Access Control for Employee Resource Permissions Management
During tag-based authentication, only tag key matching is supported
Business Use Cases
TencentDB for MySQL
CLB
CMQ
COS
CVM
VPC
VOD
Others
API Documentation
History
Introduction
API Category
Making API Requests
User APIs
Policy APIs
Role APIs
Identity Provider APIs
Data Types
Error Codes
FAQs
Role
Key
Others
CAM Users and Permissions
Glossary

Overview of Effective Conditions

Last updated: 2024-01-23 17:54:33
When configuring access management policies, you can specify the conditions under which the policy takes effect. These conditions are optional. After the conditions are configured, when a user sends a request to Tencent Cloud, the system will match the condition keys and values in the request context with those specified in the policy. Only when the conditions are matched will the corresponding permission policy take effect.

Composition of Effective Conditions

Effective conditions are composed of one or more condition clauses. A condition clause consists of a condition key, an operator, and a condition value. A single condition key can have one or more condition values.
```
"condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}
```

#### Example of a Condition Clause

The request IP is 192.168.1.1, and the request date is before 2022-05-31 00:00:00. The Condition is as follows:
```json
"condition": {
    "ip_equal": {
        "qcs:ip": "192.168.1.1"
    },
    "date_less_than": {
        "qcs:current_time": "2022-05-31 00:00:00"
    }
}
```

Matching Logic for Effective Conditions

The evaluation logic for effective conditions is as follows:

| Evaluation Logic | Note |
| --- | --- |
| Condition Fulfillment | A single condition key can have one or more condition values. During condition checking, the condition is fulfilled if the value of the condition key in the request context matches any of the specified values. |
| Condition Clause Fulfillment | Within a condition clause (that is, under one condition operator), if there are multiple condition keys, all of them must be satisfied for the clause to be fulfilled. |
| Condition Block Fulfillment | The condition block is fulfilled only if all condition clauses within it are fulfilled simultaneously. |
| Condition operators (except null_equal) suffixed with if_exist | The policy still takes effect even if the request context does not contain the corresponding key-value pair. |
| for_all_value | Qualifier used together with a condition operator: the policy takes effect only when every condition value in the request context meets the requirement. |
| for_any_value | Qualifier used together with a condition operator: the policy takes effect if any one of the condition values in the request context meets the requirement. |

Note: Authorization by tag only supports `for_any_value`.

Effective Condition Example

```json
"condition": {
    "ip_equal": {
        "qcs:ip": "192.168.1.1"
    }
}
```
The condition key (qcs:ip in this example) names the value that is taken from the request context. That context value is compared, as text, with the value you specified (192.168.1.1 here), and the type of comparison is determined by the condition operator (ip_equal in this example).
In some scenarios, a policy must match several access situations at once. In such cases, you can specify multiple condition values in the Condition. For instance, to require that a user be within the 10.217.182.3/24 or 111.21.33.72/24 network segment in order to upload objects (cos:PutObject), the permission policy is as follows:
```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cos:PutObject"
            ],
            "resource": [
                "*"
            ],
            "condition": {
                "ip_equal": {
                    "qcs:ip": [
                        "10.217.182.3/24",
                        "111.21.33.72/24"
                    ]
                }
            }
        }
    ]
}
```
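The following added example (not Tencent Cloud's own code) models the matching rules from the table above and the two examples in this section as a small evaluator: a key with several condition values is fulfilled when the context value matches any of them, every key in a clause and every clause in the block must hold, an `_if_exist` suffix tolerates a missing context key, and `for_all_value`/`for_any_value` qualifiers decide how a multi-valued context key is judged. Only `ip_equal` and `date_less_than` are implemented, the `qualifier:operator` spelling and the sample request contexts are assumptions, and the condition block is constructed from the page's values.

```python
import ipaddress
from datetime import datetime

# Constructed condition block modelled on the page's examples: the two CIDR
# ranges for qcs:ip, plus a date clause tolerant of a missing qcs:current_time.
CONDITION = {
    "ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]},
    "date_less_than_if_exist": {"qcs:current_time": "2022-05-31 00:00:00"},
}

def _ip_equal(ctx, want):
    # A condition value may be a single address or a CIDR block (both appear on the page).
    return ipaddress.ip_address(ctx) in ipaddress.ip_network(want, strict=False)

def _date_less_than(ctx, want):
    fmt = "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(ctx, fmt) < datetime.strptime(want, fmt)

OPERATORS = {"ip_equal": _ip_equal, "date_less_than": _date_less_than}

def parse_operator(raw):
    """Split 'for_all_value:ip_equal_if_exist' into (qualifier, operator, if_exist)."""
    qualifier, op = "for_any_value", raw
    if ":" in op:                       # assumed 'qualifier:operator' spelling
        qualifier, op = op.split(":", 1)
    if_exist = op.endswith("_if_exist")
    if if_exist:
        op = op[: -len("_if_exist")]
    return qualifier, op, if_exist

def condition_fulfilled(op, ctx_values, want_values, qualifier):
    # Condition fulfillment: a context value matches if it equals ANY listed value.
    hits = [any(OPERATORS[op](c, w) for w in want_values) for c in ctx_values]
    # for_all_value needs every context value to match; for_any_value needs one.
    return all(hits) if qualifier == "for_all_value" else any(hits)

def evaluate(condition, context):
    """Condition block fulfillment: every clause, and every key in a clause, must hold."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    for raw_op, keys in condition.items():
        qualifier, op, if_exist = parse_operator(raw_op)
        for key, want in keys.items():
            if key not in context:
                if if_exist:            # missing key tolerated only with the suffix
                    continue
                return False
            if not condition_fulfilled(op, as_list(context[key]), as_list(want), qualifier):
                return False
    return True
```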

