Skip to main content

Permission Management

Deprecated

The tcb permission command has been retired. Running it no longer performs any actual operation and only outputs migration guidance.

Please migrate to the new command tcb policy:

  • tcb permission settcb policy set
  • tcb permission gettcb policy list / tcb policy get

The new command is based on the OPA Rego policy engine. Once set, the legacy gateway authentication will be invalidated.

v3.0.0+

The tcb permission command has been available since v3.0.0, and was retired after tcb policy (v3.5.7+) was introduced.

tcb permission is the resource permission management command under the legacy gateway model, with two subcommands: set and get. Both subcommands are now retired — invoking them only prints migration guidance and no longer makes any changes to or queries of resource permissions.

tcb permission set

Set access permissions for specified resources (retired, no longer effective). Executing it only prints migration guidance without modifying any permissions. Please use tcb policy set to set OPA Rego authentication policies.

tcb permission set <type>:<resource> --level <level> [options]

The historically supported resource types and permission levels are listed below (for migration reference only; the command no longer takes effect):

Resource TypeSupported --level
collection (Document Database collection)readonly / private / adminwrite / adminonly / custom
storage (bucket)readonly / private / adminwrite / adminonly / custom
table (SQL table)readonly / private / adminwrite / adminonly
function (SCF)custom (only supports custom rules)

Migrate to OPA Rego

The legacy --level levels cannot be directly mapped to OPA Rego policies. Please rewrite the rules in Rego after understanding the OPA input context:


tcb permission get

Query the current permissions configuration for resources (retired, no longer effective). Executing it only prints migration guidance without querying any permissions. Please use tcb policy list to view the policy list, or tcb policy get to retrieve policy content.

tcb permission get [type[:resource,...]] [options]