Comparison of Permission Isolation Solutions
This article compares two solutions for isolating employee environments so that enterprises can choose the one that fits their needs.
Solution Overview
| Dimension | Solution 1: CAM Sub-account | Solution 2: Enterprise Internal System |
|---|---|---|
| Core Concept | Create a Tencent Cloud CAM sub-account for each employee and isolate environments through CAM permission policies | Use the enterprise's own identity authentication system as an authorization middleware layer; no CAM sub-accounts are needed |
| Employee Account System | Tencent Cloud CAM sub-account | Enterprise-owned account (SSO/LDAP) |
| Environment Isolation Method | CAM permission policies scoped to the environment level | Temporary key bound to an environment ID |
| Brand Perception | Tencent Cloud brand is visible to employees | Employees only access corporate domains and are not exposed to Tencent Cloud |
| Login Portal | Standard TCB authorization page | Enterprise-customized authorization page (auth.your-domain.com) |
| SSO Integration | Not supported | Supported (integrates with enterprise LDAP/SSO) |
Account and Permission Management
Solution 1 (CAM Sub-account):
- Each employee corresponds to a Tencent Cloud CAM sub-account
- Restrict sub-accounts to accessing only their own TCB environments through CAM permission policies
- Employees must know and manage their own Tencent Cloud sub-account credentials
Solution 2 (Enterprise Internal System):
- Employees use existing corporate accounts (e.g., corporate email, employee ID) without the need for Tencent Cloud accounts
- The enterprise's internal system maintains the mapping between employees and TCB environments
- Employees are completely unaware of Tencent Cloud, resulting in a more unified experience
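The following is an added example, not code from CloudBase or from the original page, showing the two mechanisms described above in one place: the environment-scoped CAM policy that Solution 1 attaches to a sub-account, and the Solution 2 middleware that looks up the enterprise's employee-to-environment mapping and issues a temporary key bound to one environment ID. Assumptions: HMAC-signed tokens stand in for the temporary keys that a real deployment would obtain from Tencent Cloud STS (passing the scoped policy as the `Policy` parameter of `GetFederationToken`), the employee mapping and secret are constructed sample data, and the TCB resource string format in the policy is assumed rather than taken from the page.

```python
"""Added example (not CloudBase's own code).

Solution 1: build_scoped_policy() is the CAM policy attached to a sub-account.
Solution 2: issue_temporary_key() is the middleware that mints an
environment-bound, expiring credential; authorize_request() is the gate in
front of the environment that enforces the binding and the expiry.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample mapping employee -> TCB environments. In Solution 2 this
# lives in the enterprise's own system, not in Tencent Cloud.
EMPLOYEE_ENVS = {
    "alice@example.com": {"env-alice-dev"},
    "bob@example.com": {"env-bob-dev", "env-shared-qa"},
}

# Secret held only by the middleware (constructed value). In a real deployment
# this is where the single long-term Tencent Cloud key lives; employees never
# receive it, only short-lived credentials derived through it.
MIDDLEWARE_SECRET = b"constructed-secret-do-not-use"

TOKEN_TTL_SECONDS = 3600


def build_scoped_policy(env_id: str) -> dict:
    """CAM policy allowing TCB actions on exactly one environment.

    Solution 1 attaches this document to the employee's sub-account; Solution 2
    passes it when minting temporary credentials so the temporary key can never
    reach another environment. The resource string format is an assumption;
    check it against the TCB CAM documentation before use.
    """
    return {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": ["tcb:*"],
                "resource": [f"qcs::tcb:::env/{env_id}"],
            }
        ],
    }


def _sign(payload: bytes) -> str:
    return hmac.new(MIDDLEWARE_SECRET, payload, hashlib.sha256).hexdigest()


def issue_temporary_key(employee: str, env_id: str,
                        now: Optional[float] = None) -> Optional[str]:
    """Mint a short-lived credential bound to (employee, env_id).

    Returns None when the enterprise mapping does not grant env_id to the
    employee: the mapping, not the caller's request, decides what is issued.
    """
    if env_id not in EMPLOYEE_ENVS.get(employee, set()):
        return None
    now = time.time() if now is None else now
    claims = {
        "sub": employee,
        "env": env_id,                      # environment ID binding
        "exp": int(now + TOKEN_TTL_SECONDS),  # automatic expiry
        "policy": build_scoped_policy(env_id),
    }
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def authorize_request(token: str, requested_env: str,
                      now: Optional[float] = None) -> bool:
    """Gate in front of a TCB environment: valid signature, unexpired,
    and the token's bound environment must equal the one being accessed."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False
    return claims["env"] == requested_env


if __name__ == "__main__":
    tok = issue_temporary_key("alice@example.com", "env-alice-dev")
    print("own env:", authorize_request(tok, "env-alice-dev"))
    print("other env:", authorize_request(tok, "env-bob-dev"))
    print("unmapped issue:", issue_temporary_key("alice@example.com", "env-bob-dev"))
```

The point the example makes is that a temporary key issued through the middleware is useless outside the one environment it was minted for, and stops working on its own when it expires; a leaked token therefore has a bounded blast radius, which a long-term sub-account key does not.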
Security Comparison
| Security Dimension | Solution 1 (CAM Sub-account) | Solution 2 (Enterprise Internal System) |
|---|---|---|
| Credential Type | Long-term API keys per sub-account | Short-term temporary keys (expire automatically) |
| Permission Control Granularity | CAM policy (fine-grained) | Environment-level scope bound into each temporary key (fine-grained) |
| Audit Capability | Tencent Cloud CloudAudit | Enterprise self-built audit plus Tencent Cloud CloudAudit |
Solution 2 does not eliminate long-term credentials; it concentrates them. The middleware that issues temporary keys holds the long-term key and the employee-to-environment mapping, so it becomes the component that must be hardened, audited, and key-rotated. In Solution 1, each sub-account's long-term key needs its own rotation and must be revoked promptly when the employee leaves.
Applicable Scenarios
Solution 1 (CAM Sub-account) is suitable for:
- ✅ No specific requirements for the Tencent Cloud brand
- ✅ Employees accept using Tencent Cloud accounts to log in
- ✅ There is no existing enterprise SSO system that needs to be integrated
Solution 2 (Enterprise Internal System) is suitable for:
- ✅ There is a white-label/OEM requirement, and employees should not be aware of Tencent Cloud
- ✅ There is an existing enterprise SSO/LDAP system, and a unified login portal is desired
- ✅ Compliance requirements exist, necessitating enterprises to autonomously manage the mapping between employees and cloud resources
- ✅ Desire to use the enterprise's own domain to provide an AI development environment
Selection Recommendations
The two solutions are not mutually exclusive. Enterprises can first use Solution 1 to quickly go live, and after verifying the results, upgrade to Solution 2 as needed to achieve deeper brand customization and system integration.