Authorization Policy Syntax

Last updated: 2024-09-08 22:56:06

Policy Syntax

A CAM policy has the following structure:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "effect",
            "action": ["action"],
            "resource": ["resource"],
            "condition": {"operator": {"key": "value"}}
        }
    ]
}
version: Required field. Currently only the value "2.0" is supported.
statement: Describes one or more permissions. Each permission entry is made up of the effect, action, resource and condition elements described below. A policy contains exactly one statement element, which is an array and may therefore hold several permission entries.
effect: Required field. States whether the permission entry allows or explicitly denies the actions it describes. Two values are possible: allow and deny (explicit deny).
action: Required field. Lists the operations being allowed or denied. Actions correspond to API operations and are written with the sqlserver: prefix.
resource: Required field. Describes the specific data the permission applies to. Resources are written in a six-part format; the exact resource definition varies by product.
condition: Required field. Describes the conditions under which the policy takes effect. A condition consists of an operator, a condition key and a condition value. Condition values can carry information such as a time or an IP address, and some services allow additional values to be specified.

Operations in TencentDB for SQL Server

In a TencentDB for SQL Server policy statement, you can specify any API operation that TencentDB for SQL Server supports. TencentDB for SQL Server operations carry the prefix sqlserver:, for example sqlserver:DescribeDBInstances or sqlserver:CreateAccount.
To specify multiple operations in a single statement, separate them with commas as shown below:
"action":["sqlserver:action1","sqlserver:action2"]
You can also specify multiple actions using a wildcard. For example, you can specify all actions whose name begins with "Describe", as shown below:
"action":["sqlserver:Describe*"]
To specify all operations in TencentDB for SQL Server, use the wildcard (*), as shown below:
"action":["sqlserver:*"]

TencentDB for SQL Server Resources

Each CAM policy statement names the resources it applies to. Resources are generally written in the following six-part format:
qcs:project_id:service_type:region:account:resource
project_id: Project information, kept only for compatibility with early CAM logic. Leave it empty, which is why the examples below contain a double colon (qcs::sqlserver).
service_type: Product abbreviation, such as sqlserver.
region: Region information, such as ap-guangzhou.
account: Root account of the resource owner, such as uin/65xxx763.
resource: Product-specific resource details, such as instance/instance_id1 or instance/*.
For example, you can name a single instance (mssql-m8oh024t) in a statement as shown below:
"resource":["qcs::sqlserver:ap-guangzhou:uin/65xxx763:instance/mssql-m8oh024t"]
You can also use the wildcard (*) to cover all instances that belong to a specific account, as shown below:
"resource":["qcs::sqlserver:ap-guangzhou:uin/65xxx763:instance/*"]
If you want to cover all resources, or if a specific API operation does not support resource-level permission control, use the wildcard (*) on its own in the resource element, as shown below:
"resource": ["*"]
To specify multiple resources in one policy, separate them with commas, as shown below:
"resource":["resource1","resource2"]
The table below lists the resource types that TencentDB for SQL Server policies can reference and how each is written in an access policy. Words prefixed with $ are placeholders: $region is the region (such as ap-guangzhou) and $account is the account ID (such as uin/65xxx763).

Resource        | Resource Description Method in Access Policies
----------------|-----------------------------------------------
Instance        | qcs::sqlserver:$region:$account:instance/$instanceId
VPC             | qcs::vpc:$region:$account:vpc/$vpcId
Security Group  | qcs::cvm:$region:$account:sg/$sgId
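The following Python snippet is an added example, not part of the Tencent Cloud documentation. It ties the action and resource sections together: it splits a six-part qcs resource string into its fields, matches the wildcard forms described above (sqlserver:Describe*, instance/*, "*") against a constructed policy, and flags allow entries that grant a bare wildcard. The rule that an explicit deny wins over an allow is an assumption about CAM evaluation, not something this page states.

```python
import fnmatch
import json
from typing import Dict, List

# Constructed sample policy using the six-part resource format from this page.
POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow",
     "action": ["sqlserver:Describe*"],
     "resource": ["qcs::sqlserver:ap-guangzhou:uin/65xxx763:instance/*"]},
    {"effect": "deny",
     "action": ["sqlserver:CreateAccount"],
     "resource": ["qcs::sqlserver:ap-guangzhou:uin/65xxx763:instance/mssql-m8oh024t"]},
    {"effect": "allow",
     "action": ["sqlserver:*"],
     "resource": ["*"]}
  ]
}
""")

def parse_resource(qrn: str) -> Dict[str, str]:
    """Split qcs:project_id:service_type:region:account:resource into its six parts."""
    parts = qrn.split(":", 5)  # the last part may itself contain ':', so cap the split
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-part qcs resource: {qrn!r}")
    keys = ("prefix", "project_id", "service_type", "region", "account", "resource")
    return dict(zip(keys, parts))

def _matches(patterns: List[str], value: str) -> bool:
    # '*' matches any run of characters, including ':' and '/' (fnmatch is not path-aware).
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'deny', 'allow' or 'no-match' for one action on one resource.
    Assumption (not stated on this page): a matching explicit deny overrides any allow."""
    result = "no-match"
    for entry in policy["statement"]:
        if _matches(entry["action"], action) and _matches(entry["resource"], resource):
            if entry["effect"] == "deny":
                return "deny"
            result = "allow"
    return result

def broad_grants(policy: dict) -> List[int]:
    """Indices of allow entries that use a bare wildcard for every action or every resource."""
    return [i for i, e in enumerate(policy["statement"])
            if e["effect"] == "allow"
            and (any(a in ("*", "sqlserver:*") for a in e["action"]) or "*" in e["resource"])]
```

Running broad_grants over a policy during review is a cheap way to spot entries that defeat resource-level control before they are attached to a user or role.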