Release Notes and Announcements
- Release Notes
- Announcements
User Guide
Product Introduction
- Overview
- Features
- Available Regions
- Limits
- Concepts
- Service Regions and Service Providers
Purchase Guide
- Billing Overview
- Product Pricing
- Pay-as-You-Go
- Overdue Payments
- Cleaning up CLS resources
- Cost Optimization
- FAQs
Getting Started
Operation Guide
- Resource Management
- Permission Management
- Log Collection
- Metric Collection
- Log Storage
- Metric Storage
- Search and Analysis (Log Topic)
- Search and Analysis (Metric Topic)
- Dashboard
- Data Processing documents
- Shipping and Consumption
- Monitoring Alarm
- Cloud Insight
- Independent DataSight console
- Historical Documentation
Practical Tutorial
- Log Collection
- Search and Analysis
- Dashboard
- Monitoring Alarm
- Shipping and Consumption
- Cost Optimization
Developer Guide
API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Topic Management APIs
- Log Set Management APIs
- Index APIs
- Topic Partition (Abandoned) APIs
- Machine Group APIs
- Log Collection Configuration APIs
- Log APIs
- Metric Collection Configuration APIs
- Metric APIs
- Service APIs
- Alarm Policy APIs
- Data Processing APIs
- Console Customization APIs
- Kafka Consumption APIs
- CKafka Task APIs
- Kafka Data Subscription APIs
- COS Shipping Task APIs
- Dashboard APIs
- SCF Delivery Task APIs
- Scheduled SQL Analysis APIs
- COS Data Import Task APIs
- Cloud Product Integration APIs
- Unified Consumption APIs
- AI APIs
- DLC Task APIs
- es Data Import Task APIs
- Splunk Delivery APIs
- Query View APIs
- OpenClaw APIs
- Network Application APIs
- Data Types
- Error Codes
FAQs
- Explanation of Health Monitoring Problems
- Collection Related
- Log Search
- Others
CLS Service Level Agreement
CLS Policy
- Privacy Policy
- Data Processing And Security Agreement
Contact Us
Glossary

Authorizable Resource Types

Download

Focus Mode

Font Size

Last updated: 2026-05-20 10:12:39

Overview
Cloud Log Service (CLS) encompasses multiple resource types. Some APIs support granting permissions to users on a per-resource basis, for example, granting administrative permissions on a specified log topic.
The resource types that can be authorized in Cloud Access Management (CAM) are listed in the table below. "Authorization by Tag" indicates whether a resource type supports specifying the scope of resources on which a user has operational permissions by using Tags.
Resource Type
Resource Description Method in Access Policies
Authorization by Tag
Logset
qcs::cls:$region:$account:logset/*
qcs::cls:$region:$account:logset/$logsetId
Supported
Log topic
qcs::cls:$region:$account:topic/*
qcs::cls:$region:$account:topic/$topicId
Supported
Machine group
qcs::cvm:$region:$account:machinegroup/*
qcs::cvm:$region:$account:machinegroup/$machinegroupId
Supported
Collection configuration
qcs::cls:$region:$account:config/*
qcs::cls:$region:$account:config/$configId
Not supported
Dashboard (Non-regional Resource)
qcs::cls::$account:dashboard/*
qcs::cls::$account:dashboard/$dashboardId
Supported
Alarm policy
qcs::cls:$region:$account:alarm/*
qcs::cls:$region:$account:alarm/$alarmId
Supported
Notification channel group
qcs::cls:$region:$account:alarmNotice/*
qcs::cls:$region:$account:alarmNotice/$alarmNoticeId
Supported
Data processing task
qcs::cls:$region:uin/$account:datatransform/*
qcs::cls:$region:uin/$account:datatransform/$TaskId
Not supported
Shipping task (COS)
qcs::cls:$region:$account:shipper/*
qcs::cls:$region:$account:shipper/$shipperId
Not supported
DataSight dashboard (Non-regional resource)
qcs::cls::$account:datasight/*
qcs::cls::$account:datasight/datasightId
Supported
Other resource types (disused; used by APIs of earlier versions only)
Single chart in the dashboard:
qcs::cls:$region:$account:chart/*
qcs::cls:$region:$account:chart/$chartId
Not supported
Variable parameters such as $region and $account must be replaced with your actual values. Since Dashboard is a non-regional resource, the region parameter is not required.
For all APIs supported by CLS and their corresponding resource description methods, refer to CAM-Supported Business APIs > Storage > Storage Data Service > CLS. Among them, APIs with an "Authorization Granularity" of "Resource-level" support configuring permissions for users based on the aforementioned resource types in a resource-specific manner. For APIs with an "Authorization Granularity" of "Operation-level", the corresponding resource scope in the CAM permission policy must be *.
Practice
Since different types of resources in CLS are interrelated. For example: A logset contains log topics, and log topics require applying collection configuration to machine groups. Configuring permissions by directly specifying resource IDs in CAM permission policies can be difficult to manage and may result in "access denied" errors for certain API operations. Therefore, it is recommended that you configure CAM permission policies as follows:
For resource types and corresponding APIs that support authorization by Tag, bind Tags to the relevant resources, and then specify the resource scope for which a user has operational permissions by using the Tag method. For example, bind Tags to log topics, logsets, and related dashboards simultaneously. Then, grant management permissions for log topics with the specified Tags (including logsets), and grant management permissions for dashboards with the specified Tags. These two policies enable the user to have operational permissions for the APIs related to all three types of resources.
For resource types and corresponding APIs that do not support authorization by tag, to simplify management, you can directly set the resource range in the CAM permission policy to *, indicating all resources. To avoid misoperations by ordinary users, you can configure read-only permissions for ordinary users and management permissions for admins. For example, you can assign admins the management permissions on all data processing tasks and assign ordinary users the read-only permissions on all data processing tasks.
Note: 
For more usage scenarios, see CLS Access Policy Templates.
﻿

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

Resource Type	Resource Description Method in Access Policies	Authorization by Tag
Logset	`qcs::cls:$region:$account:logset/*` `qcs::cls:$region:$account:logset/$logsetId`	Supported
Log topic	`qcs::cls:$region:$account:topic/*` `qcs::cls:$region:$account:topic/$topicId`	Supported
Machine group	`qcs::cvm:$region:$account:machinegroup/*` `qcs::cvm:$region:$account:machinegroup/$machinegroupId`	Supported
Collection configuration	`qcs::cls:$region:$account:config/*` `qcs::cls:$region:$account:config/$configId`	Not supported
Dashboard (Non-regional Resource)	`qcs::cls::$account:dashboard/*` `qcs::cls::$account:dashboard/$dashboardId`	Supported
Alarm policy	`qcs::cls:$region:$account:alarm/*` `qcs::cls:$region:$account:alarm/$alarmId`	Supported
Notification channel group	`qcs::cls:$region:$account:alarmNotice/*` `qcs::cls:$region:$account:alarmNotice/$alarmNoticeId`	Supported
Data processing task	`qcs::cls:$region:uin/$account:datatransform/*` `qcs::cls:$region:uin/$account:datatransform/$TaskId`	Not supported
Shipping task (COS)	`qcs::cls:$region:$account:shipper/*` `qcs::cls:$region:$account:shipper/$shipperId`	Not supported
DataSight dashboard (Non-regional resource)	`qcs::cls::$account:datasight/*` `qcs::cls::$account:datasight/datasightId`	Supported
Other resource types (disused; used by APIs of earlier versions only)	Single chart in the dashboard: `qcs::cls:$region:$account:chart/*` `qcs::cls:$region:$account:chart/$chartId`	Not supported

tencent cloud

Cloud Log Service

Authorizable Resource Types

Overview

Practice

Help and Support