Permission Management
The tcb permission command has been retired. Running it no longer performs any actual operation and only outputs migration guidance.
Please migrate to the new command tcb policy:
tcb permission set→tcb policy settcb permission get→tcb policy list/tcb policy get
The new command is based on the OPA Rego policy engine. Once set, the legacy gateway authentication will be invalidated.
The tcb permission command has been available since v3.0.0, and was retired after tcb policy (v3.5.7+) was introduced.
tcb permission is the resource permission management command under the legacy gateway model, with two subcommands: set and get. Both subcommands are now retired — invoking them only prints migration guidance and no longer makes any changes to or queries of resource permissions.
tcb permission set
Set access permissions for specified resources (retired, no longer effective). Executing it only prints migration guidance without modifying any permissions. Please use tcb policy set to set OPA Rego authentication policies.
tcb permission set <type>:<resource> --level <level> [options]
The historically supported resource types and permission levels are listed below (for migration reference only; the command no longer takes effect):
| Resource Type | Supported --level |
|---|---|
collection (Document Database collection) | readonly / private / adminwrite / adminonly / custom |
storage (bucket) | readonly / private / adminwrite / adminonly / custom |
table (SQL table) | readonly / private / adminwrite / adminonly |
function (SCF) | custom (only supports custom rules) |
Migrate to OPA Rego
The legacy --level levels cannot be directly mapped to OPA Rego policies. Please rewrite the rules in Rego after understanding the OPA input context:
- OPA concepts and
inputstructure: OPA Authentication Policy Introduction - Legacy gateway policy → Rego translation reference: Migration Guide
tcb permission get
Query the current permissions configuration for resources (retired, no longer effective). Executing it only prints migration guidance without querying any permissions. Please use tcb policy list to view the policy list, or tcb policy get to retrieve policy content.
tcb permission get [type[:resource,...]] [options]
Related Commands
tcb policy— OPA Rego policy management (recommended)- OPA Authentication Policy Introduction — OPA concepts,
inputcontext, and real-world cases - Migration Guide — Migrate legacy gateway authentication to OPA Rego
tcb role— Manage roles and access policies- Console configuration: CloudBase Console