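A service-linked role is predefined by a Tencent Cloud service. Once the user authorizes it, that service can assume the service-linked role to access and operate on the user's resources. This document describes the use cases and permission policies of specific service-linked roles.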
Product name in CAM | Role name | Role type | Role entity |
---|---|---|---|
Tencent Cloud Organization | Orgnization_QCSLinkedRoleInCIC | Service-linked role | cic.organization.cloud.tencent.com |
Tencent Cloud Organization | Organization_QCSLinkedRoleInDefaultMng | Service-linked role | defaultmng.organization.cloud.tencent.com |
Tencent Cloud Organization | Orgnization_QCSLinkedRoleInServiceControl | Service-linked role | servicecontrol.orgnization.cloud.tencent.com |
Orgnization_QCSLinkedRoleInCIC
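Use case: This role is a service-linked role for the Tencent Cloud Organization service (Organization). It accesses your other cloud service resources within the permissions granted by its associated policy.
Permission policy
- Policy name: QcloudAccessForOrganizationLinkedRoleInCIC
- Policy content: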
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cam:AttachRolesPolicy", "cam:GetRole", "cam:CreateRole", "cam:DeleteRole", "cam:CreatePolicy", "cam:DeletePolicy", "cam:UpdatePolicy", "cam:GetPolicy", "cam:ListPolicies", "cam:CreateSAMLProvider", "cam:DeleteSAMLProvider", "cam:UpdateSAMLProvider", "cam:AddUser", "cam:DeleteUser", "cam:UpdateUser", "cam:CreateSubAccounts", "cam:DeleteUser", "organization:DescribeOrganization", "organization:CreateOrgMemberProductServiceRole", "cam:AttachRolePolicies", "cam:DetachRolePolicies", "cam:DescribeCICUserSAMLConfig", "cam:AddSubAccount", "cam:GetUser", "cam:UpdateSubAccountType", "cam:CheckSubAccountName", "cam:GetSAMLProvider", "cam:CreateCICUserSAMLConfig", "cam:ListAttachedRolePolicies", "organization:DescribeOrganizationMembers", "cam:DeleteApiKey" ], "resource": "*" } ] }
Organization_QCSLinkedRoleInDefaultMng
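Use case: This role is a service-linked role for the Tencent Cloud Organization service (Organization). It accesses your other cloud service resources within the permissions granted by its associated policy.
Permission policy
- Policy name: QcloudAccessForOrganizationLinkedRoleInDefaultMng
- Policy content: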
{ "version": "2.0", "statement": [ { "action": [ "finance:DescribeBillSummaryByProduct", "cam:GetAccountSummary", "intlpartnersmgt:DescribeBillSummaryByProduct" ], "resource": "*", "effect": "allow" } ] }
Orgnization_QCSLinkedRoleInServiceControl
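Use case: This role is a service-linked role for the Tencent Cloud Organization service (Organization). It accesses your other cloud service resources within the permissions granted by its associated policy.
Permission policy
- Policy name: QcloudAccessForOrganizationLinkedRoleInServiceControl
- Policy content: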
{ "version": "2.0", "statement": [ { "effect": "allow", "resource": [ "*" ], "action": [ "cam:CreateServiceLinkedRole", "cam:DeleteServiceLinkedRole", "cam:GetRole", "cam:CreateRole", "cam:AttachRolePolicy", "cam:DeleteRole" ] } ] }
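When reviewing what a service-linked role can do in an account, it helps to split its policy into read and write actions per service and to note whether the grant applies to every resource. The following is an added example, not part of the original documentation or of any Tencent Cloud tooling; the function names and the read-only verb prefixes are assumptions made for this review heuristic.

```python
import json
from collections import defaultdict

# Policy content copied from the Orgnization_QCSLinkedRoleInServiceControl
# section of this page.
SERVICE_CONTROL_POLICY = """
{ "version": "2.0", "statement": [ { "effect": "allow", "resource": [ "*" ],
  "action": [ "cam:CreateServiceLinkedRole", "cam:DeleteServiceLinkedRole",
              "cam:GetRole", "cam:CreateRole", "cam:AttachRolePolicy",
              "cam:DeleteRole" ] } ] }
"""

# Assumption: verb prefixes treated as read-only for review purposes.
# This is a reviewer heuristic, not a classification published by CAM.
READ_PREFIXES = ("Get", "List", "Describe", "Check")


def _as_list(value):
    """The policies on this page give "resource" as a string or as a list."""
    return value if isinstance(value, list) else [value]


def summarize_policy(policy_text):
    """Return ({service: {"read": [...], "write": [...]}}, wildcard_resource)."""
    policy = json.loads(policy_text)
    summary = defaultdict(lambda: {"read": [], "write": []})
    wildcard_resource = False
    for stmt in policy.get("statement", []):
        if stmt.get("effect", "").lower() != "allow":
            continue
        if "*" in _as_list(stmt.get("resource", [])):
            wildcard_resource = True
        # set() drops repeated entries such as a duplicated action name.
        for action in sorted(set(_as_list(stmt.get("action", [])))):
            service, _, name = action.partition(":")
            kind = "read" if name.startswith(READ_PREFIXES) else "write"
            summary[service][kind].append(name)
    return dict(summary), wildcard_resource


if __name__ == "__main__":
    by_service, wildcard = summarize_policy(SERVICE_CONTROL_POLICY)
    print(f"applies to all resources: {wildcard}")
    for service, kinds in by_service.items():
        for kind in ("write", "read"):
            for name in kinds[kind]:
                print(f"{kind:5}  {service}:{name}")
```

The same function accepts the other two policy documents on this page when they are pasted in as strings.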