Resource-level permissions let you specify which resources a user can perform operations on. TencentDB for SQL Server partially supports resource-level permissions: for the operations that support them, you can control when a user is allowed to perform the operation or which specific resources the user is allowed to use. The types of resources that can be authorized in CAM are as follows:
Resource Type | Resource Description Method in Access Policies |
TencentDB instance-related | qcs::sqlserver:$region:$account:instance/* or qcs::sqlserver:$region:$account:instance/$instanceId |
TencentDB for SQL Server supports resource-level authorization, so you can grant sub-accounts API permissions on specific resources. The table below lists the cloud database API operations that currently support resource-level permissions, along with the resources and condition keys each operation supports. When specifying resource paths, you can use the * wildcard in the path.
Note
Cloud database API operations not listed here do not support resource-level permissions. For cloud database API operations that do not support resource-level permissions, you can still grant users permission to use the operations, but the resource element of the policy statement must be specified as *. The following table only shows partial resource types; to view all resource types, please refer to TencentDB for SQL Server Authorizable Resource Types.
API Name | API Description | Six-Segment Example of Resource |
CreateAccount | Creating account | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
CreateBackup | Creating backup | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
CreateDB | Create a database | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DeleteAccount | Deleting account | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DeleteDB | Dropping a Database | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeAccounts | Query account list | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeBackups | Querying backup list | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeDatabaseNames | Query database name | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeDBInstances | Querying the list of instances | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeDBs | Querying database list | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeInstanceTasks | Querying instance task | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeRollbackTime | Querying the time range available for rollback | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
DescribeSlowlogs | Querying slow log list | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
InquiryPriceRenewDBInstance | Querying the renewal price of instance | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
InquiryPriceUpgradeDBInstance | Querying the upgrade price of instance | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyAccountPrivilege | Modifying account permission | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyAccountRemark | Modifying account remarks | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyBackupStrategy | Modifying the time for cold backup | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyDatabasePrivilege | Modifying database permission | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyDBInstanceName | Modify instance name | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyDBInstanceProject | Modifying instance project | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyDBName | Renaming database | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ModifyDBRemark | Modifying database remarks | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
RenewDBInstance | Renewing instance | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
ResetAccountPassword | Resetting account password | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
RestartDBInstance | Restarts an instance | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
RestoreInstance | Restoring cold backup instance | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
RollbackInstance | Restoring instance | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
TerminateDBInstance | Terminating instance | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
UpgradeDBInstance | Upgrading Instances | qcs::sqlserver:$region:$account:instance/$instanceId or qcs::sqlserver:$region:$account:instance/* |
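
The following added example (not part of the original documentation or any Tencent tooling) lints a CAM policy document against the table above: it flags operations outside the table that are paired with a scoped resource, and listed operations that are granted on every instance when they could be narrowed to one. The `sqlserver:` action prefix, the `uin/...` account form, the instance ID and `UnlistedOperation` are assumptions or constructed placeholders.

```python
# Added example: lint a CAM policy against this page's table of operations.
# Operations the page lists as supporting resource-level permissions.
LISTED = set("""CreateAccount CreateBackup CreateDB DeleteAccount DeleteDB
DescribeAccounts DescribeBackups DescribeDatabaseNames DescribeDBInstances
DescribeDBs DescribeInstanceTasks DescribeRollbackTime DescribeSlowlogs
InquiryPriceRenewDBInstance InquiryPriceUpgradeDBInstance ModifyAccountPrivilege
ModifyAccountRemark ModifyBackupStrategy ModifyDatabasePrivilege
ModifyDBInstanceName ModifyDBInstanceProject ModifyDBName ModifyDBRemark
RenewDBInstance ResetAccountPassword RestartDBInstance RestoreInstance
RollbackInstance TerminateDBInstance UpgradeDBInstance""".split())

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def parse_resource(res):
    """Split qcs::sqlserver:$region:$account:instance/...; None if malformed."""
    parts = res.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs" or parts[2] != "sqlserver":
        return None
    if not parts[5].startswith("instance/") or parts[5] == "instance/":
        return None
    return parts[3], parts[4], parts[5]

def lint_policy(policy):
    """Return (statement index, operation, finding); wildcard actions are not expanded."""
    findings = []
    for i, st in enumerate(policy.get("statement", [])):
        if st.get("effect") != "allow":
            continue
        for action in as_list(st["action"]):
            op = action.split(":")[-1]
            for res in as_list(st["resource"]):
                parsed = None if res == "*" else parse_resource(res)
                if res != "*" and parsed is None:
                    findings.append((i, op, "malformed-resource"))
                elif res != "*" and op not in LISTED:
                    # Per the note: unlisted operations require resource "*".
                    findings.append((i, op, "needs-star-resource"))
                elif op in LISTED and (res == "*" or parsed[2] == "instance/*"):
                    findings.append((i, op, "can-be-scoped"))
    return findings

ARN = "qcs::sqlserver:ap-guangzhou:uin/100000000001:instance/"  # constructed values
SAMPLE = {"version": "2.0", "statement": [  # constructed policy for illustration
    {"effect": "allow", "action": ["sqlserver:DescribeDBs", "sqlserver:CreateBackup"],
     "resource": [ARN + "mssql-example1"]},
    {"effect": "allow", "action": ["sqlserver:TerminateDBInstance"], "resource": [ARN + "*"]},
    {"effect": "allow", "action": ["sqlserver:UnlistedOperation"],  # hypothetical name
     "resource": [ARN + "mssql-example1"]},
]}
```

Running `lint_policy(SAMPLE)` reports the second statement as scopable to a single instance and the third as needing `*` in its resource element.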