Permission Management
v3.0.0+
The tcb permission command has been available since v3.0.0.
The tcb permission command is used to manage access permissions for CloudBase resources (such as database collections, buckets, SCF, etc.).
Supported Resource Types and Permission Levels
| Resource Type | Supported --level | Description |
|---|---|---|
| collection (Document Database collection) | readonly / private / adminwrite / adminonly / custom | |
| storage (bucket) | readonly / private / adminwrite / adminonly / custom | |
| table (SQL table) | readonly / private / adminwrite / adminonly | |
| function (SCF) | custom | Only supports custom rules |
Permission Level Meaning
| Level | Collection/Table | Storage |
|---|---|---|
| readonly | Read all data, modify own data | Readable by all users, writable only by creators and administrators |
| private | Read and modify own data | Readable and writable only by creators and administrators |
| adminwrite | Read all data, cannot modify data | Readable by all users, writable only by administrators |
| adminonly | No permissions (administrators only) | Readable and writable only by administrators |
| custom | Custom security rules (requires --rule) | Same as left |
tcb permission set
Set access permissions for specified resources.
tcb permission set <type>:<resource> --level <level> [options]
tcb permission set function --level custom --rule '<json>' [options]
Parameters
| Parameter | Description |
|---|---|
| <type>:<resource> | Resource descriptor, such as collection:users, storage:my-bucket, table:orders |
| -e, --env-id <envId> | Environment ID |
| --level <level> | Permission level (See table above) |
| --rule <json> | Custom security rules (JSON string), required when level=custom |
| --json | Output JSON |
Example
# Set the collection users to be readable by everyone and writable by the owner
tcb permission set collection:users --level readonly -e my-env-id
# Set the bucket to be accessible only by administrators
tcb permission set storage:my-bucket --level adminonly -e my-env-id
# Setting SCF Custom Security Rules
tcb permission set function --level custom --rule '{"read": true, "write": false}' -e my-env-id
# Set SQL table permissions
tcb permission set table:orders --level private -e my-env-id
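An added example, not part of the CloudBase documentation: a pre-flight check that validates a `<type>:<resource>` descriptor, `--level` and `--rule` against the tables above before `tcb permission set` is run from a script or pipeline, and flags levels that leave data readable by all users. The helper names check_permission and audit_plan are hypothetical, and the plan format (one entry per line) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not CloudBase code. Pre-flight check for `tcb permission set`
# arguments, using only the support matrix and level meanings from this page.
# check_permission and audit_plan are hypothetical helper names.

# check_permission <descriptor> <level> [rule-json]
# Returns 0 = ok, 1 = combination rejected by the matrix, 2 = valid but needs review.
check_permission() {
  desc=$1; level=$2; rule=${3-}
  type=${desc%%:*}
  case "$type" in
    collection|storage) allowed="readonly private adminwrite adminonly custom" ;;
    table)              allowed="readonly private adminwrite adminonly" ;;
    function)           allowed="custom" ;;
    *) echo "invalid: unknown resource type '$type'"; return 1 ;;
  esac
  # Every type except function is addressed as <type>:<resource>.
  if [ "$type" != function ]; then
    case "$desc" in
      "$type":?*) ;;
      *) echo "invalid: expected $type:<resource>"; return 1 ;;
    esac
  fi
  case " $allowed " in
    *" $level "*) ;;
    *) echo "invalid: $type does not support --level $level"; return 1 ;;
  esac
  if [ "$level" = custom ] && [ -z "$rule" ]; then
    echo "invalid: --level custom requires --rule"; return 1
  fi
  case "$level" in
    readonly|adminwrite) echo "review: $desc is readable by all users"; return 2 ;;
    custom) echo "review: $desc relies on custom rules, audit the JSON"; return 2 ;;
  esac
  echo "ok: $desc --level $level"
}

# audit_plan: reads "<descriptor> <level> [rule-json]" lines on stdin and
# returns the number of entries the matrix rejects.
audit_plan() {
  bad=0
  while read -r p_desc p_level p_rule; do
    [ -n "$p_desc" ] || continue
    rc=0; check_permission "$p_desc" "$p_level" "$p_rule" || rc=$?
    if [ "$rc" -eq 1 ]; then bad=$((bad + 1)); fi
  done
  return "$bad"
}
```

Feed audit_plan a plan file on stdin and apply the entries with `tcb permission set` only when it returns 0 and the "review" lines have been looked at.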
tcb permission get
Query the current permissions configuration for one or more resources.
tcb permission get [type[:resource,...]] [options]
Parameters
| Parameter | Description |
|---|---|
| [type[:resource]] | Optional. If not passed, queries all types; pass table to query all resources of that type; pass table:users for exact match |
| -e, --env-id <envId> | Environment ID |
| --json | Output JSON |
Example
# Query Permissions for All Resource Types
tcb permission get -e my-env-id
# Query All Collection Permissions
tcb permission get collection -e my-env-id
# Exact Query for Specified Collection
tcb permission get collection:users -e my-env-id
# Batch Query of Multiple Collections
tcb permission get collection:users,orders -e my-env-id
# Query SCF Permissions
tcb permission get function -e my-env-id
Related Commands
- tcb role: Manage roles and access policies
- Console configuration: CloudBase Console