
[Cloud Architecture] Permission Management: Clarifying the "Business Unit - Architecture Governance - Responsible Team" Relationship

用户9139003
Published 2025-06-09 11:01:33
Included in the column: 开发者 (Developers)

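As the number of architecture diagrams grows and collaboration across teams deepens, the "Directory" feature of Cloud Architecture makes it easy to group and manage the diagrams each team is responsible for (Figure 1). This raises new permission-management questions:

How can access permissions on architecture diagrams be tightened so that each sub-account receives only the authorization it needs?

How can an individual sub-account user safely operate on the diagrams they are responsible for without accidentally changing other teams' diagrams?

How can the "business unit - architecture governance - responsible team" relationship be made clearer within Cloud Architecture?

These scenarios, all of which depend on managing access permissions, can currently be handled by building CAM permission policies in three steps: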

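Step 1: Create custom policies (see the code blocks at the end of this article)

There are three policy files. Policies 1 and 2 grant the necessary read and write API permissions, and Policy 3 limits the set of architecture diagrams a single account can access by specifying resources. The root account user can create three custom policies in CAM policy management and reuse the contents of these three policy files.

Step 2: Specify the accessible architecture diagrams in the custom policy

Edit Policy 3 to specify the architecture diagram resources (Figure 2). The resource information for one or more diagrams can be entered.

Step 3: Associate the custom policies with a sub-account (user / user group / role)

Take a single sub-account (user) as an example: the user has no Cloud Advisor access permissions. Once Policies 1, 2 and 3 are associated with that user, the user is restricted to seeing only the diagrams specified in Policy 3 in the architecture directory (Figures 3 and 4).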

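Feature preview

Cloud Advisor will later support fine-grained control of sub-account access permissions directly in the architecture directory. Stay tuned! (See the Cloud Advisor product updates.)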

Figure 1: Cloud Architecture directory view

Figure 2: Editing the specified architecture diagrams (one or more). The resource information in the figure is an example only, not real resources.

Figure 3: Associating custom Policies 1, 2 and 3 with a single user

Figure 4: The sub-account sees only the specified architecture diagrams

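Reference code

The policies and API information below are taken from the API information visible in the CAM policy generator; the code conforms to CAM policy syntax.

CAM policy syntax reference: https://cloud.tencent.com/document/product/598/10604

API information source: https://cloud.tencent.com/document/product/598/69848

Policy 1:
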
{
    "statement": [
        {
            "action": [
                "advisor:CountSharingArch",
                "advisor:DescribeAllProduct",
                "advisor:DescribeArchAPMServiceView",
                "advisor:DescribeArchAsync",
                "advisor:DescribeArchConfirmGuardSheet",
                "advisor:DescribeArchEventResources",
                "advisor:DescribeArchForPlugin",
                "advisor:DescribeArchGenerationTaskProgress",
                "advisor:DescribeArchGuardInstance",
                "advisor:DescribeArchGuardNodeInstances",
                "advisor:DescribeArchGuardNodeMetricInfos",
                "advisor:DescribeArchGuardProductInstances",
                "advisor:DescribeArchGuardProductMetricConfig",
                "advisor:DescribeArchLogUserList",
                "advisor:DescribeArchNodeBroadcastStatusShow",
                "advisor:DescribeArchNodeConfigInfo",
                "advisor:DescribeArchNodeGuardInfo",
                "advisor:DescribeArchNodeSingleBroadcastRecordDetail",
                "advisor:DescribeArchNodeStatusBroadCastList",
                "advisor:DescribeArchNodeStatusBroadCastLst",
                "advisor:DescribeArchNodeStrategyScoreInfo",
                "advisor:DescribeArchProductAlgorithmType",
                "advisor:DescribeArchProductInstanceByTaskRegion",
                "advisor:DescribeArchProductPeriodType",
                "advisor:DescribeArchProductPredictionInfo",
                "advisor:DescribeArchProductPredictionInfoV2New",
                "advisor:DescribeArchProductPredictionResultInfoV2New",
                "advisor:DescribeArchProductRiskByGroup",
                "advisor:DescribeArchProductTagsRiskByGroup",
                "advisor:DescribeArchProductThresholdInfo",
                "advisor:DescribeArchProductThresholdInfoV2",
                "advisor:DescribeArchProductThresholdInfoV2New",
                "advisor:DescribeArchReportAccountStatus",
                "advisor:DescribeArchResourceStatusTask",
                "advisor:DescribeArchResourceStatusTaskResult",
                "advisor:DescribeArchRiskLists",
                "advisor:DescribeArchRiskOverview",
                "advisor:DescribeArchRiskTrendInfo",
                "advisor:DescribeArchScanIgnoreInstanceList",
                "advisor:DescribeArchScanInfoByTime",
                "advisor:DescribeArchScanIsFinish",
                "advisor:DescribeArchScanNodeReportResult",
                "advisor:DescribeArchScanOverviewInfo",
                "advisor:DescribeArchScanReportArchiveInfo",
                "advisor:DescribeArchScanReportTaskStatus",
                "advisor:DescribeArchScanRiskInfo",
                "advisor:DescribeArchScanRiskInstanceList",
                "advisor:DescribeArchScanRiskItems",
                "advisor:DescribeArchScanTaskRiskInfo",
                "advisor:DescribeArchStrategyList",
                "advisor:DescribeArchSvgData",
                "advisor:DescribeArchSyncTaskProgress",
                "advisor:DescribeArchTagsGenerationTaskProgress",
                "advisor:DescribeArchTaskProgress",
                "advisor:DescribeArchTaskResult",
                "advisor:DescribeArchTaskStrategyIgnores",
                "advisor:DescribeArchTaskStrategyRisks",
                "advisor:DescribeArchThresholdConfigStatus",
                "advisor:DescribeArchThresholdConfigStatusV2",
                "advisor:DescribeArchiveArchInfo",
                "advisor:DescribeAsyncNodeListInfo",
                "advisor:DescribeBindTaskIsSuccess",
                "advisor:DescribeBroadcastResults",
                "advisor:DescribeBroadcastSheet",
                "advisor:DescribeBroadcastStrategys",
                "advisor:DescribeCapacityMetricInfo",
                "advisor:DescribeCapacityMetricInfoV2",
                "advisor:DescribeCapacityMetricInfoV2New",
                "advisor:DescribeCapacityProductList",
                "advisor:DescribeCapacityProductListV2",
                "advisor:DescribeCapacityReportTask",
                "advisor:DescribeClaimedInstancesInNode",
                "advisor:DescribeCloudArchOperateLog",
                "advisor:DescribeCombinedBroadcastConfigs",
                "advisor:DescribeConfig",
                "advisor:DescribeCustomThresholdCondition",
                "advisor:DescribeDownloadTask",
                "advisor:DescribeEventResources",
                "advisor:DescribeFocusProduct",
                "advisor:DescribeFuzzyIgnoreConfig",
                "advisor:DescribeFuzzyIgnoreInfo",
                "advisor:DescribeGlobalIgnoreTags",
                "advisor:DescribeGroupAndProductInfos",
                "advisor:DescribeGuardAddedInstance",
                "advisor:DescribeGuardApplyAuth",
                "advisor:DescribeGuardMapInstance",
                "advisor:DescribeGuardProductInstance",
                "advisor:DescribeGuardProjects",
                "advisor:DescribeGuardServiceDetails",
                "advisor:DescribeGuardSheet",
                "advisor:DescribeHighAvailabilityDescriptionUrl",
                "advisor:DescribeHighAvailabilityServiceDetail",
                "advisor:DescribeHighAvailabilityServiceOrderList",
                "advisor:DescribeHighAvailabilityServicePermission",
                "advisor:DescribeIgnoreRiskInstances",
                "advisor:DescribeIgnoredInstances",
                "advisor:DescribeIgnoredInstancesInNode",
                "advisor:DescribeIgnoredStrategy",
                "advisor:DescribeInsCapacityMetricData",
                "advisor:DescribeInsCapacityMetricDataV2"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        }
    ],
    "version": "2.0"
}

Policy 2:

{
    "statement": [
        {
            "action": [
                "advisor:DescribeInsCapacityMetricDataV2New",
                "advisor:DescribeInsResourceRealTimeInfo",
                "advisor:DescribeInsResourceRealTimeInfoV2",
                "advisor:DescribeInstanceMetricData",
                "advisor:DescribeIsSubscribedEmail",
                "advisor:DescribeIsSubscriptionEmail",
                "advisor:DescribeLastTask",
                "advisor:DescribeMagicResourcesLink",
                "advisor:DescribeMyResourceCount",
                "advisor:DescribeMyResources",
                "advisor:DescribeMyResourcesLink",
                "advisor:DescribeMyResourcesV2",
                "advisor:DescribeNodeBaseInfo",
                "advisor:DescribeNodeLoadInfo",
                "advisor:DescribeNodeLoadInfoV2",
                "advisor:DescribeNodeLoadInfoV2New",
                "advisor:DescribeNodeResourceLoadInfo",
                "advisor:DescribeNodeResourceLoadInfoV2",
                "advisor:DescribeNodeResourceLoadInfoV2New",
                "advisor:DescribeNodeResources",
                "advisor:DescribeNodeRiskCountForPolicyScan",
                "advisor:DescribeNodeStrategyRiskInfo",
                "advisor:DescribeNoticeInfo",
                "advisor:DescribeOperationalChangeTrend",
                "advisor:DescribeOrganization",
                "advisor:DescribeOtherPlatformGuardSheet",
                "advisor:DescribeOverview",
                "advisor:DescribeOverviewTabInfo",
                "advisor:DescribeParamList",
                "advisor:DescribeProductAndRegion",
                "advisor:DescribeProductConfig",
                "advisor:DescribeProductConfigList",
                "advisor:DescribeProductConfigListForGuard",
                "advisor:DescribeProductDetailInfo",
                "advisor:DescribeProductDetailTabInfo",
                "advisor:DescribeProductDiagramList",
                "advisor:DescribeProductDistributeInfo",
                "advisor:DescribeProductEvents",
                "advisor:DescribeProductInstance",
                "advisor:DescribeProductList",
                "advisor:DescribeProductOverviewInfo",
                "advisor:DescribeProductQuotaInfo",
                "advisor:DescribeProductRegionAndZone",
                "advisor:DescribeProductResourceInfoDetails",
                "advisor:DescribeProductTrendInfo",
                "advisor:DescribeQuotaManagement",
                "advisor:DescribeRegions",
                "advisor:DescribeReportArchList",
                "advisor:DescribeReportArchiveInfo",
                "advisor:DescribeReportPushEmailList",
                "advisor:DescribeReportStatus",
                "advisor:DescribeResourceBelong",
                "advisor:DescribeResourceFields",
                "advisor:DescribeResourceGroupResult",
                "advisor:DescribeResourceProducts",
                "advisor:DescribeResourceRelatedArchList",
                "advisor:DescribeResourceStatus",
                "advisor:DescribeResourceTrend",
                "advisor:DescribeResources",
                "advisor:DescribeRiskCount",
                "advisor:DescribeRiskDisplay",
                "advisor:DescribeRiskHistory",
                "advisor:DescribeRiskInstances",
                "advisor:DescribeRiskInstancesInNode",
                "advisor:DescribeRiskItemsForInstance",
                "advisor:DescribeRiskLists",
                "advisor:DescribeRiskManageHandlerOption",
                "advisor:DescribeRiskManageStrategyDetail",
                "advisor:DescribeRiskManageStrategyTrend",
                "advisor:DescribeRiskOverview",
                "advisor:DescribeRiskResultInfo",
                "advisor:DescribeRiskTrend",
                "advisor:DescribeRoleStatus",
                "advisor:DescribeSafeInstancesInNode",
                "advisor:DescribeScanReportList",
                "advisor:DescribeScanRiskList",
                "advisor:DescribeStrategies",
                "advisor:DescribeStrategyOverview",
                "advisor:DescribeSubAccountsByMainAccount",
                "advisor:DescribeSubscriptionEmailList",
                "advisor:DescribeSubscriptionTemplateV2",
                "advisor:DescribeSubscriptionTemplates",
                "advisor:DescribeSubscriptions",
                "advisor:DescribeSupportLanguage",
                "advisor:DescribeTags",
                "advisor:DescribeTagsByTagId",
                "advisor:DescribeTagsForArchGuard",
                "advisor:DescribeTagsScanRiskList",
                "advisor:DescribeTaskProgress",
                "advisor:DescribeTaskStrategyIgnores",
                "advisor:DescribeTaskStrategyRisks",
                "advisor:DescribeTaskSummary",
                "advisor:DescribeTaskSummaryV2",
                "advisor:DescribeTkeGraph",
                "advisor:DescribeTssResource",
                "advisor:DescribeWellArchTaskCapacity",
                "advisor:DescribeWellArchTaskInspect",
                "advisor:DescribeWellArchTaskReportSubscription",
                "advisor:DescribeZones",
                "advisor:DownloadReportFile",
                "advisor:DownloadReportFileAsync",
                "advisor:ExportArchScanNodeReportResult",
                "advisor:ExportCapacityReportTask",
                "advisor:GetAccountInfoByFields",
                "advisor:GetAccountInfoByFieldsForGuard",
                "advisor:ListAllIgnoreInstances",
                "advisor:ListIgnoreInstances",
                "advisor:ListIgnoreStrategies",
                "advisor:ListPluginConfig",
                "advisor:ListRegionCodes",
                "advisor:ListDirectory",
                "advisor:DescribeLastVisit",
                "advisor:DescribeArchResources",
                "advisor:DescribeWellIndexTrend",
                "advisor:ReportPluginUsing",
                "advisor:CreateArchInfoSyncTask",
                "advisor:DescribeLatestEvaluationTask",
                "advisor:DescribeArchNodeDetail",
                "advisor:DescribeApplicationList",
                "advisor:DescribeArchChatSchemaList",
                "advisor:GetDashboardData",
                "advisor:AddGraphToDashboard",
                "advisor:DeleteDashboard",
                "advisor:UpdateDashBoardData",
                "advisor:CreateMessageFeedBack",
                "advisor:CreateDashboard",
                "advisor:DeleteDashboardGraph",
                "advisor:DescribeDashboardList",
                "advisor:RedrawChart",
                "advisor:ReportPluginExecStatus",
                "advisor:DescribeDiagramListForPlugin",
                "advisor:DescribeTsaYearReportData",
                "advisor:DescribePluginGrayInfos",
                "advisor:CreateWellArchTaskIde",
                "advisor:DescribeArchPluginMetricDateScanInfo",
                "advisor:UpdateNodeResourceCapacityMetricV2",
                "advisor:UpdateSubscription",
                "advisor:CreateArchScanReportFile",
                "tag:GetTagKeys",
                "tag:DescribeTagValues",
                "advisor:QueryArchShareAuthorization"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        }
    ],
    "version": "2.0"
}

Policy 3:

{
    "statement": [
        {
            "action": [
                "advisor:*"
            ],
            "effect": "allow",
            "resource": [
                "qcs::advisor::uin/1033358484:arch/arch-ad8e0gkt"
            ]
        }
    ],
    "version": "2.0"
}
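
An added example (not from the original article or from Tencent Cloud): a Python check to run over the three policy files before Step 3. It reports which diagrams Policy 3 puts in scope, which non-read actions are granted on `*`, and any resource string that does not follow the six-segment form shown in Policy 3. The read-prefix list is a naming heuristic assumed here, and `arch-example0002` is a placeholder ID.

```python
# Added example: audit a set of CAM policy documents before attaching them.
# Assumed heuristic: actions whose verb starts with one of these are read-only.
READ_PREFIXES = ("Describe", "List", "Get", "Count", "Query", "Download", "Export")

def parse_resource(res):
    """Split a six-segment CAM resource string such as the one in Policy 3."""
    parts = res.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs" or not parts[5]:
        raise ValueError(f"not a six-segment CAM resource: {res!r}")
    return {"service": parts[2], "region": parts[3], "account": parts[4], "resource": parts[5]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policies):
    """Return diagrams in scope, non-read actions granted on "*", and malformed resources."""
    archs, wildcard_writes, malformed = set(), set(), []
    for doc in policies:
        for st in doc.get("statement", []):
            if st.get("effect") != "allow":
                continue
            actions = as_list(st.get("action", []))
            for res in as_list(st.get("resource", [])):
                if res == "*":
                    wildcard_writes.update(
                        a for a in actions if not a.split(":", 1)[-1].startswith(READ_PREFIXES))
                    continue
                try:
                    seg = parse_resource(res)
                except ValueError:
                    malformed.append(res)
                    continue
                if seg["service"] == "advisor" and seg["resource"].startswith("arch/"):
                    archs.add(seg["resource"][len("arch/"):])
    return {"archs": sorted(archs), "wildcard_writes": sorted(wildcard_writes), "malformed": malformed}

# Constructed sample: a few actions from Policies 1-2, and Policy 3 with two diagrams.
# "arch-example0002" is a placeholder ID; the last resource is deliberately malformed.
UIN = "1033358484"
SAMPLE = [
    {"version": "2.0", "statement": [{"effect": "allow", "resource": ["*"],
        "action": ["advisor:DescribeArchSvgData", "advisor:ListDirectory"]}]},
    {"version": "2.0", "statement": [{"effect": "allow", "resource": ["*"],
        "action": ["advisor:DescribeMyResources", "advisor:DeleteDashboard",
                   "advisor:UpdateSubscription", "tag:GetTagKeys"]}]},
    {"version": "2.0", "statement": [{"effect": "allow", "action": ["advisor:*"],
        "resource": [f"qcs::advisor::uin/{UIN}:arch/arch-ad8e0gkt",
                     f"qcs::advisor::uin/{UIN}:arch/arch-example0002",
                     "qcs:advisor:arch/arch-ad8e0gkt"]}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the article's full Policy 2, the same check lists entries such as `advisor:DeleteDashboard` and `advisor:CreateDashboard`, which that policy grants with resource `*` rather than a specific diagram.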

This article is part of the Tencent Cloud self-media syndication program and is shared from the author's personal site/blog.
Originally published: 2025/04/27