
Authorizing Certain Operations by Tag

Last updated: 2024-10-11 17:33:22

Scenario

If your organization has purchased a variety of Tencent Cloud resources and manages them by grouping them with tags, you may want to grant different team members permission for only certain API operations, scoped by tag. This document walks through a typical case to show how to give a sub-account permission for specific operations on the resources under a tag.
Suppose that:
There is a sub-account, DevA, under the enterprise account CompanyExample.
The enterprise account CompanyExample has a tag key-value pair named test1&test1.
The enterprise account CompanyExample intends to grant the sub-account DevA the restart operation permission (cvm:RebootInstances) for CVM resources under the tag test1&test1.

Instructions

1. Log in to the Cloud Access Management Console as the enterprise account CompanyExample.
2. On the Policies page, click Create Custom Policy > Create by Policy Syntax.
3. Under the module type selection, choose the blank template and click Next to proceed to the policy editing page.



4. On the Edit Policy page, fill out the following form:
Policy name: By default, it is policygen-current date. It is recommended that you define a unique and meaningful policy name, such as cvm-RebootInstances.
Description: Optional, feel free to compose your own.
Policy content: Copy the following content into the editor. Here, cvm:RebootInstances is the name of the API operation to be authorized, and test1&test1 is the tag key and tag value whose resources the operation is authorized for.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:RebootInstances"
            ],
            "resource": "*",
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:tag": [
                        "test1&test1"
                    ]
                }
            }
        }
    ]
}

5. Click Complete to finalize the creation of the policy. The new policy will be displayed on the Policy List page.
6. In the Policy List, search for and locate the policy you just created, then click Associate User/User Group/Role under the operation column on the right.

7. In the "Associate User/User Group/Role" window that pops up, search for and select the sub-account DevA, then click OK to complete the authorization process. The sub-account DevA will now have the permission to restart CVM resources under the tag test1&test1.
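Because the policy sets "resource" to "*", the qcs:tag condition is the only thing limiting DevA to the tagged instances, so it is worth checking the policy document before it is associated with a user. The following is an added example, not part of the original Tencent Cloud documentation: a small offline check over the policy syntax shown in step 4. The function name audit_policy, the allowed-tag set, and the weak variant are assumptions made for illustration.

```python
import json

TAG_OPERATOR = "for_any_value:string_equal"  # condition operator used in the page's policy
TAG_KEY = "qcs:tag"                          # condition key used in the page's policy

def _as_list(value):
    """Accept a single string or a list (the page's policy uses lists)."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy, allowed_tags):
    """Return findings; an empty list means every allow statement is limited
    to named actions and to the expected key&value tags. (Hypothetical helper.)"""
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        for action in _as_list(stmt.get("action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        tags = _as_list(stmt.get("condition", {}).get(TAG_OPERATOR, {}).get(TAG_KEY))
        if not tags and "*" in _as_list(stmt.get("resource")):
            findings.append(f"statement {i}: resource '*' without a {TAG_KEY} condition")
        for tag in tags:
            key, sep, value = tag.partition("&")
            if not (key and sep and value):
                findings.append(f"statement {i}: tag {tag!r} is not in key&value form")
            elif tag not in allowed_tags:
                findings.append(f"statement {i}: unexpected tag {tag!r}")
    return findings

# The policy from step 4 of this page.
PAGE_POLICY = json.loads("""
{"version": "2.0", "statement": [{"effect": "allow",
  "action": ["cvm:RebootInstances"], "resource": "*",
  "condition": {"for_any_value:string_equal": {"qcs:tag": ["test1&test1"]}}}]}
""")

# Constructed weak variant: tag condition dropped and action widened.
WEAK_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["cvm:*"], "resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("weak variant", WEAK_POLICY)):
        print(name, "->", audit_policy(pol, {"test1&test1"}) or "OK")
```

The check only inspects the policy document; it does not confirm which instances actually carry the tag, which still has to be reviewed in the console.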




Associated Documents

To learn how to associate resources with tags, see Manage Tags.
To learn how to grant permission for all operations on the resources under a tag, see Grant Different Sub-accounts Independent Cloud Resource Management Permission.