Comparison of Permission Isolation Approaches
This document presents two user environment isolation solutions to help enterprises select the most suitable solution based on their specific circumstances.
Solution Overview
| Dimension | Solution 1: Isolation Solution Based on CAM Sub-accounts | Solution 2: Isolation Solution Without CAM Sub-accounts |
|---|---|---|
| Core Approach | Create Tencent Cloud CAM sub-accounts for each employee and implement environment isolation through access policies | Use the enterprise/platform's own identity authentication system as an authorization middleware layer, without the need for CAM sub-accounts |
| User Account System | Tencent Cloud CAM sub-accounts | Enterprise in-house accounts (SSO/LDAP) or platform proprietary account systems |
| Environment Isolation Method | CAM access policies granular to the environment level | Temporary keys + environment ID binding |
| Brand Perception | Users can perceive the Tencent Cloud brand | Users only interact with enterprise/platform-owned domains without exposure to Tencent Cloud |
| Login Entry Point | Standard TCB authorization page | Enterprise/platform-customized authorization page (auth.your-domain.com) |
| SSO Integration | Not supported | Supported (can integrate with enterprise LDAP/SSO or the platform's proprietary account system) |
| Manual Cloud Resource Management | Supported. Employees can log in to the Tencent Cloud console via CAM sub-accounts | Not supported. Users do not have Tencent Cloud accounts |
Account and Permission Management
Solution 1 (Isolation Solution Based on CAM Sub-accounts):
- Each employee is assigned a Tencent Cloud CAM sub-account
- The enterprise's internal system automatically creates sub-accounts, environments, and servers, and uses CAM access policies to restrict each sub-account to its own TCB environments
- Automatically install TCB Skill/MCP via TAT and log in to TCB, ready for out-of-the-box use
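The environment-level restriction in Solution 1 comes down to the CAM policy attached to each sub-account. The following added example (not code from the page or from Tencent Cloud) builds such a policy for one employee and runs a small local evaluator over it to confirm that the policy reaches the employee's own environment and no other. The policy skeleton (`version`, `statement`, `effect`, `action`, `resource`, the `qcs::` resource prefix) is standard CAM syntax; the exact TCB resource form `qcs::tcb::uin/<uin>:env/<envId>`, the action name used in the check, and the account and environment ids are assumptions, so verify the resource format against the CAM documentation for TCB before using it.

```python
# Added example: generate a per-employee CAM policy that confines a sub-account
# to a single TCB environment, then check locally that it matches only that env.
# Not from the page or Tencent's code. The TCB resource string layout and all ids
# below are assumptions / constructed values.
import fnmatch
import json

OWNER_UIN = "100000000001"  # constructed root-account id (placeholder)


def build_env_policy(env_id: str, owner_uin: str = OWNER_UIN) -> dict:
    """Return a CAM policy document allowing TCB actions on env_id only."""
    # Refuse wildcards or separators: one policy must name one concrete env.
    if not env_id or "*" in env_id or "?" in env_id or ":" in env_id:
        raise ValueError("env_id must be a single concrete environment id")
    return {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": ["tcb:*"],
                # Assumed TCB resource form; confirm against CAM docs.
                "resource": [f"qcs::tcb::uin/{owner_uin}:env/{env_id}"],
            }
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal local evaluator: an explicit deny wins, otherwise any matching allow grants."""
    allowed = False
    for st in policy["statement"]:
        hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["action"])) and any(
            fnmatch.fnmatchcase(resource, r) for r in _as_list(st["resource"])
        )
        if not hit:
            continue
        if st["effect"] == "deny":
            return False
        allowed = True
    return allowed


def scope_check(policy: dict, own_env: str, other_envs: list, owner_uin: str = OWNER_UIN) -> bool:
    """True if the policy grants the employee's env and none of the other envs."""
    action = "tcb:DescribeEnvs"  # assumed TCB API action name, used only for the check

    def res(env: str) -> str:
        return f"qcs::tcb::uin/{owner_uin}:env/{env}"

    if not is_allowed(policy, action, res(own_env)):
        return False
    return not any(is_allowed(policy, action, res(e)) for e in other_envs)


if __name__ == "__main__":
    policy = build_env_policy("env-alice-001")
    print(json.dumps(policy, indent=2))
    print("scoped correctly:", scope_check(policy, "env-alice-001", ["env-bob-002"]))
```

Running `scope_check` for every generated policy before attaching it is a cheap regression test against the classic mistake of an `env/*` resource or a shared environment id slipping into one employee's policy.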
Solution 2 (Isolation Solution Without CAM Sub-accounts):
- Users log in with their existing enterprise/platform accounts (such as corporate email, employee ID, or platform accounts) and need no Tencent Cloud account
- Enterprise/platform systems maintain the mapping relationships between users and TCB environments.
- Users are completely unaware of Tencent Cloud, resulting in a more unified experience
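The core of Solution 2 is the authorization middleware that owns the user-to-environment mapping and issues short-lived credentials bound to one environment ID. The following added example (not the page's or Tencent's code) sketches that layer: the mapping lives on the enterprise side, every issue decision is written to an enterprise audit trail, and the credential carries its environment binding and expiry in a tamper-evident form. In production the middleware would obtain a real temporary key from Tencent Cloud STS after the mapping check; here the temporary key is simulated as an HMAC-signed token so the example runs offline. The user names, environment ids, secret and TTL are constructed values.

```python
# Added example: enterprise-side authorization middleware for Solution 2.
# Not from the page or Tencent's code. The temporary key is simulated with an
# HMAC-signed token (real deployments would call Tencent Cloud STS after the
# mapping check). All users, env ids, the secret and the TTL are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-rotate-me"  # placeholder, not a real key
TTL_SECONDS = 900  # lifetime of an issued temporary credential

# Mapping maintained by the enterprise/platform, keyed by the SSO identity.
USER_ENV_MAP = {
    "alice@example.com": {"env-alice-001"},
    "bob@example.com": {"env-bob-002", "env-shared-009"},
}

AUDIT_LOG = []  # enterprise-side audit trail (in memory for the demo)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_temp_credential(sso_user: str, env_id: str, now: Optional[float] = None) -> str:
    """Mint an environment-bound temporary credential after checking the mapping."""
    now = time.time() if now is None else now
    envs = USER_ENV_MAP.get(sso_user)
    if envs is None or env_id not in envs:
        AUDIT_LOG.append({"ts": now, "user": sso_user, "env": env_id, "event": "issue_denied"})
        raise PermissionError(f"{sso_user} is not mapped to {env_id}")
    claims = {"sub": sso_user, "env": env_id, "exp": now + TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    AUDIT_LOG.append({"ts": now, "user": sso_user, "env": env_id, "event": "issue_ok"})
    return token


def validate_credential(token: str, env_id: str, now: Optional[float] = None) -> dict:
    """Accept the credential only if untampered, unexpired and bound to env_id."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError) as exc:
        raise PermissionError("malformed credential") from exc
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(sig, _sign(payload)):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise PermissionError("credential expired")
    if claims["env"] != env_id:
        raise PermissionError("credential is bound to a different environment")
    return claims


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_temp_credential("alice@example.com", "env-alice-001", now=t0)
    print(validate_credential(tok, "env-alice-001", now=t0 + 5))
    for rec in AUDIT_LOG:
        print(rec)
```

The two properties the page attributes to this design are visible in the checks: the credential cannot outlive `TTL_SECONDS`, and it is useless against any environment other than the one recorded in the enterprise mapping at issue time, because the binding is part of the signed payload rather than a parameter the caller supplies later.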
Security Comparison
| Security Dimension | Solution 1 (Isolation Solution Based on CAM Sub-accounts) | Solution 2 (Isolation Solution Without CAM Sub-accounts) |
|---|---|---|
| Credential Type | Long-term API key | Short-term temporary key (expires automatically) |
| Permission Control Granularity | CAM policy (fine-grained) | Environment level (fine-grained) |
| Audit Capability | Tencent Cloud CloudAudit | Self-built by enterprise + Tencent Cloud CloudAudit |
| Manual Review of AI Operations | Employees can log in to the console to review AI operation results | Only reviewable via API/logs |
Applicable Scenarios
Solution 1 (Isolation Solution Based on CAM Sub-accounts) is suitable for:
- ✅ No special requirements for the Tencent Cloud brand
- ✅ Employees are willing to log in using Tencent Cloud accounts
- ✅ No existing enterprise SSO system needs to be integrated
- ✅ Employees can log in to the Tencent Cloud console to manually manage/inspect cloud resources and audit AI operation results
Solution 2 (Isolation Solution Without CAM Sub-accounts) is suitable for:
- ✅ White-label/OEM requirements exist, and users should not perceive Tencent Cloud
- ✅ An existing enterprise SSO/LDAP system or proprietary account system is in place and a unified login portal is wanted
- ✅ Compliance requirements oblige the enterprise/platform to control the mapping between users and cloud resources itself
- ✅ The enterprise wants to serve AI development environments from its own domain
Solution Selection Recommendations
The two solutions are not mutually exclusive. An enterprise can launch quickly with Solution 1 and, once the results are verified, upgrade to Solution 2 for deeper brand customization and system integration.