As the number of architecture diagrams grows and collaboration across multiple teams deepens, the "directory" feature provided by Cloud Architecture makes it convenient to categorize and manage the architecture diagrams each team is responsible for (Figure 1). But new questions about permission management arise:
How can access permissions for architecture diagrams be refined further, so that each sub-account is granted only the authorization it needs?
How can a single sub-account user safely operate on the diagrams they are responsible for, without accidentally modifying other teams' diagrams?
How can the relationship between business unit, architecture governance and responsible team be clarified further in Cloud Architecture?
All of these scenarios depend on managing access permissions, and all of them can currently be implemented by creating CAM permission policies in three steps:
Three policy files are involved: policies 1 and 2 grant the necessary read and write API permissions, and policy 3 limits the range of architecture diagrams a single account can access by specifying resources explicitly. A root-account user can add three custom policies in CAM policy management and reuse the contents of these three policy files.
In policy 3, edit the specified architecture diagram resources (Figure 2); the resource information of one or more diagrams can be written in.
Taking a single sub-account (user) as an example: the user initially has no Cloud Advisor access permissions. After policies 1, 2 and 3 are associated with this user, the user is restricted to seeing only the architecture diagrams specified in policy 3 within the architecture diagram directory (Figures 3 and 4).
Cloud Advisor will later support fine-grained control of sub-account access permissions directly within the architecture directory; stay tuned! (See the Cloud Advisor product updates.)
Figure 1: Cloud Architecture directory view
Figure 2: Editing the specified architecture diagrams (one or more); the resource information shown in the figure is only an example, not a real resource.
Figure 3: Associating custom policies 1, 2 and 3 with a single user
Figure 4: The sub-account can see only the specified architecture diagram
The policy and API information below is taken from the API information visible in the CAM policy generator; the code follows CAM policy syntax.
CAM policy syntax reference: https://cloud.tencent.com/document/product/598/10604
Source of the API information: https://cloud.tencent.com/document/product/598/69848
Policy 1:
{
  "statement": [
    {
      "action": [
        "advisor:CountSharingArch",
        "advisor:DescribeAllProduct",
        "advisor:DescribeArchAPMServiceView",
        "advisor:DescribeArchAsync",
        "advisor:DescribeArchConfirmGuardSheet",
        "advisor:DescribeArchEventResources",
        "advisor:DescribeArchForPlugin",
        "advisor:DescribeArchGenerationTaskProgress",
        "advisor:DescribeArchGuardInstance",
        "advisor:DescribeArchGuardNodeInstances",
        "advisor:DescribeArchGuardNodeMetricInfos",
        "advisor:DescribeArchGuardProductInstances",
        "advisor:DescribeArchGuardProductMetricConfig",
        "advisor:DescribeArchLogUserList",
        "advisor:DescribeArchNodeBroadcastStatusShow",
        "advisor:DescribeArchNodeConfigInfo",
        "advisor:DescribeArchNodeGuardInfo",
        "advisor:DescribeArchNodeSingleBroadcastRecordDetail",
        "advisor:DescribeArchNodeStatusBroadCastList",
        "advisor:DescribeArchNodeStatusBroadCastLst",
        "advisor:DescribeArchNodeStrategyScoreInfo",
        "advisor:DescribeArchProductAlgorithmType",
        "advisor:DescribeArchProductInstanceByTaskRegion",
        "advisor:DescribeArchProductPeriodType",
        "advisor:DescribeArchProductPredictionInfo",
        "advisor:DescribeArchProductPredictionInfoV2New",
        "advisor:DescribeArchProductPredictionResultInfoV2New",
        "advisor:DescribeArchProductRiskByGroup",
        "advisor:DescribeArchProductTagsRiskByGroup",
        "advisor:DescribeArchProductThresholdInfo",
        "advisor:DescribeArchProductThresholdInfoV2",
        "advisor:DescribeArchProductThresholdInfoV2New",
        "advisor:DescribeArchReportAccountStatus",
        "advisor:DescribeArchResourceStatusTask",
        "advisor:DescribeArchResourceStatusTaskResult",
        "advisor:DescribeArchRiskLists",
        "advisor:DescribeArchRiskOverview",
        "advisor:DescribeArchRiskTrendInfo",
        "advisor:DescribeArchScanIgnoreInstanceList",
        "advisor:DescribeArchScanInfoByTime",
        "advisor:DescribeArchScanIsFinish",
        "advisor:DescribeArchScanNodeReportResult",
        "advisor:DescribeArchScanOverviewInfo",
        "advisor:DescribeArchScanReportArchiveInfo",
        "advisor:DescribeArchScanReportTaskStatus",
        "advisor:DescribeArchScanRiskInfo",
        "advisor:DescribeArchScanRiskInstanceList",
        "advisor:DescribeArchScanRiskItems",
        "advisor:DescribeArchScanTaskRiskInfo",
        "advisor:DescribeArchStrategyList",
        "advisor:DescribeArchSvgData",
        "advisor:DescribeArchSyncTaskProgress",
        "advisor:DescribeArchTagsGenerationTaskProgress",
        "advisor:DescribeArchTaskProgress",
        "advisor:DescribeArchTaskResult",
        "advisor:DescribeArchTaskStrategyIgnores",
        "advisor:DescribeArchTaskStrategyRisks",
        "advisor:DescribeArchThresholdConfigStatus",
        "advisor:DescribeArchThresholdConfigStatusV2",
        "advisor:DescribeArchiveArchInfo",
        "advisor:DescribeAsyncNodeListInfo",
        "advisor:DescribeBindTaskIsSuccess",
        "advisor:DescribeBroadcastResults",
        "advisor:DescribeBroadcastSheet",
        "advisor:DescribeBroadcastStrategys",
        "advisor:DescribeCapacityMetricInfo",
        "advisor:DescribeCapacityMetricInfoV2",
        "advisor:DescribeCapacityMetricInfoV2New",
        "advisor:DescribeCapacityProductList",
        "advisor:DescribeCapacityProductListV2",
        "advisor:DescribeCapacityReportTask",
        "advisor:DescribeClaimedInstancesInNode",
        "advisor:DescribeCloudArchOperateLog",
        "advisor:DescribeCombinedBroadcastConfigs",
        "advisor:DescribeConfig",
        "advisor:DescribeCustomThresholdCondition",
        "advisor:DescribeDownloadTask",
        "advisor:DescribeEventResources",
        "advisor:DescribeFocusProduct",
        "advisor:DescribeFuzzyIgnoreConfig",
        "advisor:DescribeFuzzyIgnoreInfo",
        "advisor:DescribeGlobalIgnoreTags",
        "advisor:DescribeGroupAndProductInfos",
        "advisor:DescribeGuardAddedInstance",
        "advisor:DescribeGuardApplyAuth",
        "advisor:DescribeGuardMapInstance",
        "advisor:DescribeGuardProductInstance",
        "advisor:DescribeGuardProjects",
        "advisor:DescribeGuardServiceDetails",
        "advisor:DescribeGuardSheet",
        "advisor:DescribeHighAvailabilityDescriptionUrl",
        "advisor:DescribeHighAvailabilityServiceDetail",
        "advisor:DescribeHighAvailabilityServiceOrderList",
        "advisor:DescribeHighAvailabilityServicePermission",
        "advisor:DescribeIgnoreRiskInstances",
        "advisor:DescribeIgnoredInstances",
        "advisor:DescribeIgnoredInstancesInNode",
        "advisor:DescribeIgnoredStrategy",
        "advisor:DescribeInsCapacityMetricData",
        "advisor:DescribeInsCapacityMetricDataV2"
      ],
      "effect": "allow",
      "resource": [
        "*"
      ]
    }
  ],
  "version": "2.0"
}
Policy 2:
{
  "statement": [
    {
      "action": [
        "advisor:DescribeInsCapacityMetricDataV2New",
        "advisor:DescribeInsResourceRealTimeInfo",
        "advisor:DescribeInsResourceRealTimeInfoV2",
        "advisor:DescribeInstanceMetricData",
        "advisor:DescribeIsSubscribedEmail",
        "advisor:DescribeIsSubscriptionEmail",
        "advisor:DescribeLastTask",
        "advisor:DescribeMagicResourcesLink",
        "advisor:DescribeMyResourceCount",
        "advisor:DescribeMyResources",
        "advisor:DescribeMyResourcesLink",
        "advisor:DescribeMyResourcesV2",
        "advisor:DescribeNodeBaseInfo",
        "advisor:DescribeNodeLoadInfo",
        "advisor:DescribeNodeLoadInfoV2",
        "advisor:DescribeNodeLoadInfoV2New",
        "advisor:DescribeNodeResourceLoadInfo",
        "advisor:DescribeNodeResourceLoadInfoV2",
        "advisor:DescribeNodeResourceLoadInfoV2New",
        "advisor:DescribeNodeResources",
        "advisor:DescribeNodeRiskCountForPolicyScan",
        "advisor:DescribeNodeStrategyRiskInfo",
        "advisor:DescribeNoticeInfo",
        "advisor:DescribeOperationalChangeTrend",
        "advisor:DescribeOrganization",
        "advisor:DescribeOtherPlatformGuardSheet",
        "advisor:DescribeOverview",
        "advisor:DescribeOverviewTabInfo",
        "advisor:DescribeParamList",
        "advisor:DescribeProductAndRegion",
        "advisor:DescribeProductConfig",
        "advisor:DescribeProductConfigList",
        "advisor:DescribeProductConfigListForGuard",
        "advisor:DescribeProductDetailInfo",
        "advisor:DescribeProductDetailTabInfo",
        "advisor:DescribeProductDiagramList",
        "advisor:DescribeProductDistributeInfo",
        "advisor:DescribeProductEvents",
        "advisor:DescribeProductInstance",
        "advisor:DescribeProductList",
        "advisor:DescribeProductOverviewInfo",
        "advisor:DescribeProductQuotaInfo",
        "advisor:DescribeProductRegionAndZone",
        "advisor:DescribeProductResourceInfoDetails",
        "advisor:DescribeProductTrendInfo",
        "advisor:DescribeQuotaManagement",
        "advisor:DescribeRegions",
        "advisor:DescribeReportArchList",
        "advisor:DescribeReportArchiveInfo",
        "advisor:DescribeReportPushEmailList",
        "advisor:DescribeReportStatus",
        "advisor:DescribeResourceBelong",
        "advisor:DescribeResourceFields",
        "advisor:DescribeResourceGroupResult",
        "advisor:DescribeResourceProducts",
        "advisor:DescribeResourceRelatedArchList",
        "advisor:DescribeResourceStatus",
        "advisor:DescribeResourceTrend",
        "advisor:DescribeResources",
        "advisor:DescribeRiskCount",
        "advisor:DescribeRiskDisplay",
        "advisor:DescribeRiskHistory",
        "advisor:DescribeRiskInstances",
        "advisor:DescribeRiskInstancesInNode",
        "advisor:DescribeRiskItemsForInstance",
        "advisor:DescribeRiskLists",
        "advisor:DescribeRiskManageHandlerOption",
        "advisor:DescribeRiskManageStrategyDetail",
        "advisor:DescribeRiskManageStrategyTrend",
        "advisor:DescribeRiskOverview",
        "advisor:DescribeRiskResultInfo",
        "advisor:DescribeRiskTrend",
        "advisor:DescribeRoleStatus",
        "advisor:DescribeSafeInstancesInNode",
        "advisor:DescribeScanReportList",
        "advisor:DescribeScanRiskList",
        "advisor:DescribeStrategies",
        "advisor:DescribeStrategyOverview",
        "advisor:DescribeSubAccountsByMainAccount",
        "advisor:DescribeSubscriptionEmailList",
        "advisor:DescribeSubscriptionTemplateV2",
        "advisor:DescribeSubscriptionTemplates",
        "advisor:DescribeSubscriptions",
        "advisor:DescribeSupportLanguage",
        "advisor:DescribeTags",
        "advisor:DescribeTagsByTagId",
        "advisor:DescribeTagsForArchGuard",
        "advisor:DescribeTagsScanRiskList",
        "advisor:DescribeTaskProgress",
        "advisor:DescribeTaskStrategyIgnores",
        "advisor:DescribeTaskStrategyRisks",
        "advisor:DescribeTaskSummary",
        "advisor:DescribeTaskSummaryV2",
        "advisor:DescribeTkeGraph",
        "advisor:DescribeTssResource",
        "advisor:DescribeWellArchTaskCapacity",
        "advisor:DescribeWellArchTaskInspect",
        "advisor:DescribeWellArchTaskReportSubscription",
        "advisor:DescribeZones",
        "advisor:DownloadReportFile",
        "advisor:DownloadReportFileAsync",
        "advisor:ExportArchScanNodeReportResult",
        "advisor:ExportCapacityReportTask",
        "advisor:GetAccountInfoByFields",
        "advisor:GetAccountInfoByFieldsForGuard",
        "advisor:ListAllIgnoreInstances",
        "advisor:ListIgnoreInstances",
        "advisor:ListIgnoreStrategies",
        "advisor:ListPluginConfig",
        "advisor:ListRegionCodes",
        "advisor:ListDirectory",
        "advisor:DescribeLastVisit",
        "advisor:DescribeArchResources",
        "advisor:DescribeWellIndexTrend",
        "advisor:ReportPluginUsing",
        "advisor:CreateArchInfoSyncTask",
        "advisor:DescribeLatestEvaluationTask",
        "advisor:DescribeArchNodeDetail",
        "advisor:DescribeApplicationList",
        "advisor:DescribeArchChatSchemaList",
        "advisor:GetDashboardData",
        "advisor:AddGraphToDashboard",
        "advisor:DeleteDashboard",
        "advisor:UpdateDashBoardData",
        "advisor:CreateMessageFeedBack",
        "advisor:CreateDashboard",
        "advisor:DeleteDashboardGraph",
        "advisor:DescribeDashboardList",
        "advisor:RedrawChart",
        "advisor:ReportPluginExecStatus",
        "advisor:DescribeDiagramListForPlugin",
        "advisor:DescribeTsaYearReportData",
        "advisor:DescribePluginGrayInfos",
        "advisor:CreateWellArchTaskIde",
        "advisor:DescribeArchPluginMetricDateScanInfo",
        "advisor:UpdateNodeResourceCapacityMetricV2",
        "advisor:UpdateSubscription",
        "advisor:CreateArchScanReportFile",
        "tag:GetTagKeys",
        "tag:DescribeTagValues",
        "advisor:QueryArchShareAuthorization"
      ],
      "effect": "allow",
      "resource": [
        "*"
      ]
    }
  ],
  "version": "2.0"
}
Policy 3:
{
  "statement": [
    {
      "action": [
        "advisor:*"
      ],
      "effect": "allow",
      "resource": [
        "qcs::advisor::uin/1033358484:arch/arch-ad8e0gkt"
      ]
    }
  ],
  "version": "2.0"
}
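The following added example (not from the original page or from Tencent Cloud) generates the policy 3 pattern for one or more architecture diagrams and checks, with a deliberately simplified model of CAM evaluation (default deny, explicit deny wins; an assumption, not CAM's full engine), that advisor:* is confined to the listed diagrams while the resource "*" read policies of the policy 1/2 pattern apply everywhere. The UIN and arch IDs are constructed placeholders.

```python
import json
import re

# Constructed placeholders (not real resources): root-account UIN and arch IDs.
MAIN_UIN = "100000000001"
ARCH_IDS = ["arch-example01", "arch-example02"]

def arch_resource(uin, arch_id):
    """Build a resource string in the form used by policy 3 on this page."""
    return f"qcs::advisor::uin/{uin}:arch/{arch_id}"

def build_scoped_policy(uin, arch_ids):
    """Policy 3 pattern: advisor:* allowed only on the listed diagrams (one or more)."""
    if not arch_ids:
        # Refuse to emit an empty resource list: it grants nothing and hides a mistake.
        raise ValueError("at least one architecture diagram must be listed")
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",
            "action": ["advisor:*"],
            "resource": [arch_resource(uin, a) for a in arch_ids],
        }],
    }

# Excerpt of the policy 1/2 pattern: read APIs allowed on every resource ("*").
READ_POLICY = {
    "version": "2.0",
    "statement": [{"effect": "allow",
                   "action": ["advisor:ListDirectory", "advisor:DescribeArchSvgData"],
                   "resource": ["*"]}],
}

def _match(pattern, value):
    """'*' in a policy action or resource matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def is_allowed(policies, action, resource):
    """Simplified CAM evaluation (assumption): default deny, explicit deny wins."""
    allowed = False
    for policy in policies:
        for st in policy["statement"]:
            hit_action = any(_match(a, action) for a in st["action"])
            hit_resource = any(_match(r, resource) for r in st["resource"])
            if hit_action and hit_resource:
                if st["effect"] == "deny":
                    return False
                allowed = True
    return allowed

if __name__ == "__main__":
    print(json.dumps(build_scoped_policy(MAIN_UIN, ARCH_IDS), indent=2))
```

Note that advisor:* in the scoped policy covers write actions too, but only on the listed diagrams; any action the sub-account must be able to run across all diagrams has to come from the resource "*" policies.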