tencent cloud

Cloud Log Service

Release Notes and Announcements
Release Notes
Announcements
User Guide
Product Introduction
Overview
Features
Available Regions
Limits
Concepts
Service Regions and Service Providers
Purchase Guide
Billing Overview
Product Pricing
Pay-as-You-Go
Billing
Cleaning up CLS resources
Cost Optimization
FAQs
Getting Started
Getting Started in 1 Minute
Getting Started Guide
Quickly Trying out CLS with Demo
Operation Guide
Resource Management
Permission Management
Log Collection
Metric Collection
Log Storage
Metric Storage
Search and Analysis (Log Topic)
Search and Analysis (Metric Topic)
Dashboard
Data Processing documents
Shipping and Consumption
Monitoring Alarm
Cloud Insight
Independent DataSight console
Historical Documentation
Practical Tutorial
Log Collection
Search and Analysis
Dashboard
Monitoring Alarm
Shipping and Consumption
Cost Optimization
Developer Guide
Embedding CLS Console
CLS Connection to Grafana
API Documentation
History
Introduction
API Category
Making API Requests
Topic Management APIs
Log Set Management APIs
Index APIs
Topic Partition APIs
Machine Group APIs
Collection Configuration APIs
Log APIs
Metric APIs
Alarm Policy APIs
Data Processing APIs
Kafka Protocol Consumption APIs
CKafka Shipping Task APIs
Kafka Data Subscription APIs
COS Shipping Task APIs
SCF Delivery Task APIs
Scheduled SQL Analysis APIs
COS Data Import Task APIs
Data Types
Error Codes
FAQs
Health Check
Collection
Log Search
Others
CLS Service Level Agreement
CLS Policy
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
DocumentationCloud Log ServiceOperation GuidePermission ManagementSub-Account Authorization

Sub-Account Authorization

PDF
Focus Mode
Font Size
Last updated: 2024-01-20 16:56:41

Overview

CAM is a web-based Tencent Cloud service that helps you securely manage and control access to your Tencent Cloud resources. Using CAM, you can create, manage, and terminate users (user groups), and control who can access and use your Tencent Cloud resources through identity and policy management. For more information on CAM policies and how to use them, see Concepts.
A root account can grant a sub-account or collaborator access to specified CLS resources.

Preset access policies

CLS offers two preset access policies to meet your basic access management demand.
QcloudCLSFullAccess: access to all CLS resources and actions, including creating log topics, modifying index configuration, deleting log topics, searching for logs, uploading logs, etc.
QcloudCLSReadOnlyAccess: only read access to CLS data; no CRUD access
For how to use the policies, see Authorization Management.

Custom access policies

You can use a custom access policy to grant access at a finer granularity, for example, to allow a specific user to view the data of a specific log topic.
A custom access policy consists of two parts:
Action: The action a user is allowed to perform, such as searching for logs, modifying index configuration, uploading logs, and creating alarm policies.
Resource: The resources a user is allowed to operate on, such as a specific log topic, dashboard, and data processing task.
For more information on authorizable resource types and APIs of CLS, see Authorizable Resource Types. For more information on configuration methods, see Creating Custom Policy.
Configuring custom access policies can be a demanding process. The examples we offer in Access Policy Templates should meet most access management needs. You can also modify the examples based on your requirements. Detailed directions are as follows:
1. Log in to the console with the root account (or an account with CAM access). On the Policies page, click Create Custom Policy.
2. In the pop-up window, click Create by Policy Syntax.
3. On the Select Policy Template page, select Blank Template and click Next.
4. On the Edit Policy page, enter a policy name and policy content. For the latter, you can copy the content from Access Policy Templates. For example, to grant the sub-account permission to use LogListener, copy the policy as shown below:
5. Click Complete to save the policy. Then, you can associate it with a user/user group to grant the user/user group the corresponding operation permissions as instructed in Authorization Management.
Previous Topic: Machine Group ManagementNext Topic: Authorizable Resource Types

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback