Skip to main content

Permission Management

Version Note

Resource permission management and role management are supported since v5.0.0, policy management is supported since v5.5.5.

@cloudbase/manager-node provides PermissionService, accessible via app.permission, and supports three major features:

  1. Policy Management: query gateway authentication policy list, retrieve and set OPA Rego authentication policies (v5.5.5+)
  2. Role Management: create/query/modify/delete user roles (RBAC), and bind gateway access policies to roles
  3. Resource Permission Management: set and query access permissions for SCF, databases, storage, and other resources (deprecated, please use Policy Management)
OPA Authentication Policy Concepts

Policy management is based on the OPA Rego policy engine. For how OPA authentication policies work, the input context structure, the allow / deny decision matrix, and real-world cases, see OPA Authentication Policy Introduction. For the steps and policy translation reference to migrate from legacy gateway authentication to OPA Rego, see Migration Guide.


describeResourcePolicyList

1. Interface Description

Function: Query the list of gateway authentication policies

Declaration: app.permission.describeResourcePolicyList(options?): Promise<Object>

Version Note

This interface has been added since v5.5.5.

2. Input Parameters

FieldRequiredTypeDescription
resourceTypeNoStringFilter by resource type, available value: policy

3. Return Result

FieldTypeDescription
RequestIdStringRequest unique ID
Data.PolicyListResourcePolicyItem[]Policy list
Data.TotalStringTotal policy count

ResourcePolicyItem

FieldTypeDescription
PolicyIdStringPolicy ID
ResourceTypeStringResource type
ResourceIdStringResource ID
ResourceTitleStringResource title
ResourceNameStringResource name
EffectStringEffect: allow/deny
IsAccessBooleanIs accessible
RoleIdStringRole ID
RoleIdentityStringRole identity
RoleNameStringRole name
SafeRuleStringSafe rule

4. Example Code

import CloudBase from '@cloudbase/manager-node'

const app = CloudBase.init({
secretId: 'Your SecretId',
secretKey: 'Your SecretKey',
envId: 'Your envId'
})

async function test() {
// Query all policies
const result = await app.permission.describeResourcePolicyList()
console.log('Total policies:', result.Data.Total)

// Filter by resource type
const filtered = await app.permission.describeResourcePolicyList({
resourceType: 'policy'
})
console.log('Policy list:', filtered.Data.PolicyList)
}

test()

describeEnvAuthzConfig

1. Interface Description

Function: Retrieve authentication policy content

Declaration: app.permission.describeEnvAuthzConfig(options): Promise<Object>

Version Note

This interface has been added since v5.5.5.

2. Input Parameters

FieldRequiredTypeDescription
keyYesStringPolicy key name. authz.user.rego for user policy, authz.platform.extension.rego for platform extension policy

3. Return Result

FieldTypeDescription
RequestIdStringRequest unique ID
Item.KeyStringPolicy key name
Item.ValueStringPolicy content

4. Example Code

import CloudBase from '@cloudbase/manager-node'

const app = CloudBase.init({
secretId: 'Your SecretId',
secretKey: 'Your SecretKey',
envId: 'Your envId'
})

async function test() {
// Retrieve user policy
const userPolicy = await app.permission.describeEnvAuthzConfig({
key: 'authz.user.rego'
})
console.log('User policy:', userPolicy.Item.Value)

// Retrieve platform extension policy
const extPolicy = await app.permission.describeEnvAuthzConfig({
key: 'authz.platform.extension.rego'
})
console.log('Platform extension policy:', extPolicy.Item.Value)
}

test()

modifyEnvAuthzConfig

1. Interface Description

Function: Set authentication policy

Declaration: app.permission.modifyEnvAuthzConfig(options): Promise<Object>

Version Note

This interface has been added since v5.5.5.

Important

Once a Rego policy is set, the legacy gateway authentication will be invalidated. Please confirm the policy content is correct before executing.

2. Input Parameters

FieldRequiredTypeDescription
keyYesStringPolicy key name, fixed as authz.user.rego
valueYesStringRego policy content, must start with package authz.user

For details on input fields, please refer to OPA Authentication Policy Introduction.

3. Return Result

FieldTypeDescription
RequestIdStringRequest unique ID
AffectedRowsNumberAffected rows

4. Example Code

import CloudBase from '@cloudbase/manager-node'

const app = CloudBase.init({
secretId: 'Your SecretId',
secretKey: 'Your SecretKey',
envId: 'Your envId'
})

async function test() {
const regoContent = `package authz.user

default allow := false

# Allow anonymous users to access cloud functions
allow if {
input.cloudbase.resource_type == "functions"
input.subject.auth_type == "anonymous"
}`

const result = await app.permission.modifyEnvAuthzConfig({
key: 'authz.user.rego',
value: regoContent
})
console.log('Affected rows:', result.AffectedRows)
}

test()

Role management is applicable to scenarios such as multi-person collaboration within enterprises and gateway API access control, supporting the binding of Tencent Cloud gateway policies to roles.

createRole

1. API Description

API feature: Create user role

API declaration: app.permission.createRole(options): Promise<CreateRoleResp>

2. Input Parameters

FieldRequiredTypeDescription
roleNameRequiredStringRole name
roleIdentityRequiredStringUnique identifier for the role (in English, cannot be modified after creation)
descriptionNoStringRole description
memberUidsNostring[]Initial member UID list
policiesNoPermissionPolicyItem[]List of bound permission policies

PermissionPolicyItem

Currently ResourceType only supports gateway.

FieldRequiredTypeDescription
ResourceTypeRequiredStringResource type. Currently only supports gateway
ResourceRequiredStringResource identifier. Fill in the preset policy string when passing a preset policy; must match GatewayPolicyCode when passing a custom policy
EffectRequiredStringEffect: allow (is allowed) or deny (is denied)
GatewayPolicyCodeRequiredStringGateway policy code. Fill in the preset policy string when passing a preset policy; must match Resource when passing a custom policy
GatewayPolicyNameNoStringGateway policy name
GatewayPolicyDescriptionNoStringGateway policy description
GatewayPolicyExpressionNoStringGateway policy expression JSON string

3. Return Results

FieldTypeDescription
RequestIdStringUnique identifier of the request
Data.RoleIdStringCreated Role ID
Data.MemberUidsstring[]Added member UID list
Data.PoliciesPermissionPolicyItem[]Bound policy list

4. Sample Code

import CloudBase from '@cloudbase/manager-node'

const app = CloudBase.init({
secretId: 'Your SecretId',
secretKey: 'Your SecretKey',
envId: 'Your envId'
})

async function test() {
const result = await app.permission.createRole({
roleName: 'Read-only Operations',
roleIdentity: 'read-only-operator',
description: 'Read-only Operations Role',
policies: [
{ ResourceType: 'gateway', Resource: 'FunctionsAccess', Effect: 'allow', GatewayPolicyCode: 'FunctionsAccess' }
]
})
console.log('Created Role ID:', result.RoleId)
}

test()

describeRoleList

1. API Description

API feature: List roles, supporting filtering by role ID, identifier, and name.

API declaration: app.permission.describeRoleList(options?): Promise<DescribeRoleListResp>

2. Input Parameters

FieldRequiredTypeDescription
pageNumberNoNumberPage number, default: 1
pageSizeNoNumberNumber of items per page, default: 20
roleIdNoStringExact match by role ID
roleIdentityNoStringQuery by role unique identifier
roleNameNoStringQuery by role name with fuzzy search
loadDetailsNoBooleanWhether to return member and policy details, default false

3. Return Results

FieldTypeDescription
RequestIdStringUnique identifier of the request
Data.TotalCountNumberTotal system roles
Data.CustomTotalCountNumberTotal custom roles
Data.SystemRolesRoleItem[]System predefined role list
Data.CustomRolesRoleItem[]Custom role list

RoleItem

FieldTypeDescription
RoleIdStringRole ID
RoleIdentityStringUnique identifier for the role
RoleNameStringRole name
RoleTypeStringType: system / custom
DescriptionStringRole description
MembersMemberInfo[]Member list (returned when loadDetails=true)
PoliciesPermissionPolicyItem[]Policy list (returned when loadDetails=true)

modifyRole

1. API Description

API feature: Modify role information, supporting updates to name, description, members, and policies.

API declaration: app.permission.modifyRole(options): Promise<ModifyRoleResp>

2. Input Parameters

FieldRequiredTypeDescription
roleIdRequiredStringRole ID to be modified
roleNameNoStringNew role name
descriptionNoStringNew role description
addMemberUidsNostring[]Added member UID list
removeMemberUidsNostring[]Member UID list to remove
addPoliciesNoPermissionPolicyItem[]Added policies list
removePoliciesNoPermissionPolicyItem[]Policies list to remove

3. Return Results

FieldTypeDescription
RequestIdStringUnique identifier of the request
Data.SuccessBooleanwhether the modification was successful
Data.AddedMemberUidsstring[]Added members
Data.RemovedMemberUidsstring[]Removed members
Data.AddedPoliciesPermissionPolicyItem[]Added policies
Data.RemovedPoliciesPermissionPolicyItem[]Removed policies

deleteRoles

1. API Description

API feature: Batch delete roles

API declaration: app.permission.deleteRoles(options): Promise<DeleteRolesResp>

2. Input Parameters

FieldRequiredTypeDescription
roleIdsRequiredstring[]List of role IDs to be deleted

3. Return Results

FieldTypeDescription
RequestIdStringUnique identifier of the request
Data.SuccessCountNumberSuccessful deletion count
Data.FailedCountNumberFailed deletion count

4. Sample Code

import CloudBase from '@cloudbase/manager-node'

const app = CloudBase.init({
secretId: 'Your SecretId',
secretKey: 'Your SecretKey',
envId: 'Your envId'
})

async function test() {
// Query all custom roles
const { CustomRoles } = await app.permission.describeRoleList({
loadDetails: true
})
console.log('Custom roles count:', CustomRoles?.length)

// Modify role: Add new member
await app.permission.modifyRole({
roleId: 'role-123',
addMemberUids: ['uid-456'],
roleName: 'Operations Administrator (Updated)'
})

// Delete role
const res = await app.permission.deleteRoles({
roleIds: ['role-123', 'role-456']
})
console.log(`Successfully deleted ${res.SuccessCount} roles`)
}

test()

modifyResourcePermission

Deprecated

This interface is deprecated. Gateway authentication policies are now managed by OPA. Please use modifyEnvAuthzConfig instead.

1. API Description

API feature: Set access permissions for specified resources.

API declaration: app.permission.modifyResourcePermission(options): Promise<Object>

2. Input Parameters

FieldRequiredTypeDescription
resourceTypeYesPermissionResourceTypeResource type. Valid values: function / storage / table / collection
resourceNoStringResource name (e.g., function name, collection name). Can be omitted when resourceType is function
permissionRequiredBasePermissionPermission type (See table below)
securityRuleNoStringCustom security rule JSON string. Only required when permission = 'CUSTOM'

Permission Type (BasePermission)

table / collection

ValueDescription
READONLYRead all data, modify own data
PRIVATERead and modify own data
ADMINWRITERead all data, cannot modify data
ADMINONLYNo permissions
CUSTOMCustom security rules (Only supported for collection)

storage

ValueDescription
READONLYReadable by all users, writable only by the creator and administrators
PRIVATEReadable and writable only by the creator and administrators
ADMINWRITEReadable by all users, writable only by administrators
ADMINONLYReadable and writable only by administrators
CUSTOMCustom security rules

function

ValueDescription
CUSTOMCustom security rules

3. Return Results

FieldTypeDescription
RequestIdStringUnique identifier of the request
Data.SuccessBooleanwhether the setting was successful

4. Sample Code

import CloudBase from '@cloudbase/manager-node'

const app = CloudBase.init({
secretId: 'Your SecretId',
secretKey: 'Your SecretKey',
envId: 'Your envId'
})

async function test() {
// Set the database collection to be readable and writable only by administrators
await app.permission.modifyResourcePermission({
resourceType: 'collection',
resource: 'my-collection',
permission: 'ADMINONLY'
})

// Set custom security rules
await app.permission.modifyResourcePermission({
resourceType: 'collection',
resource: 'user-data',
permission: 'CUSTOM',
securityRule: JSON.stringify({
read: 'auth.uid == doc.uid',
write: 'auth.uid == doc.uid'
})
})
}

test()

describeResourcePermission

Deprecated

This interface is deprecated. Gateway authentication policies are now managed by OPA. Please use describeResourcePolicyList or describeEnvAuthzConfig instead.

1. API Description

API feature: Query the current access permissions of specified resources.

API declaration: app.permission.describeResourcePermission(options): Promise<Object>

2. Input Parameters

FieldRequiredTypeDescription
resourceTypeYesPermissionResourceTypeResource type: function / storage / table / collection
resourcesNostring[]List of resource names. For SCF, pass an empty array or do not pass this parameter; for cloud storage, pass the bucket name; for database tables, pass the table name. The list cannot exceed 100 entries.

3. Return Results

FieldTypeDescription
RequestIdStringUnique identifier of the request
Data.TotalCountNumberTotal count
Data.PermissionListResourcePermission[]Permission list

ResourcePermission

FieldTypeDescription
ResourceTypeStringResource type
ResourceStringResource name
PermissionStringCurrent permission value
SecurityRuleStringCustom security rule (present when permission is CUSTOM)