Collaborator/Sub-user Permissions

Last updated: 2025-02-18 16:59:52
    Tencent Cloud EMR (hereinafter referred to as EMR) needs to access or operate other related cloud products while it runs. So that Collaborators and Sub-users can operate and use EMR normally, this document describes how to grant the relevant permissions.

    Permission Policies Overview

    | Policy Name | Description | Required | Notes |
    |---|---|---|---|
    | QcloudCamRoleFullAccess | Full read-write access for CAM Users and Roles | No | Used as a custom service role, it provides granular permission control for inter-product data access. Refer to Cluster COS Service Role for details. |
    | QcloudEMRFullAccess | Full read-write access for EMR | No | Full feature operation permissions for EMR products. For details, see Purchase and Management of EMR Clusters. |
    | QcloudEMRReadOnlyAccess | Read-only access for EMR | No | View permissions for all features of EMR products. |
    | QcloudEMRPurchaseAccess | Financial permissions for EMR products | No | For details, see Purchase and Management of EMR Clusters. If purchase or change of configuration is not needed, this permission can be disabled. |
    Caution
    The pre-defined QcloudEMRPurchaseAccess policy allows you to manage the financial permissions for purchasing EMR products for all users. When this policy is granted to a user, it includes the financial permissions for CVM, CDB, and EMR. If you need to restrict a user's ability to purchase CVM and CDB, do not grant the corresponding product ordering permissions.

    Application scenario

    Authorize EMR to access other cloud product permissions

    1. Service Role (mandatory): When using EMR services, access to cloud services like CVM, CBS, and TencentDB is required. During the initial product purchase, the service role EMR_QCSRole for EMR must be assigned and granted the policy QcloudAccessForEMRRole (for requesting basic resources such as CVM, CBS, TencentDB, and read permissions for COS) and EMR's access permissions to cloud resources.
    2. Service-related role (optional): If EMR directly writes to or processes data in COS, then to ensure data security EMR needs the corresponding service-related role EMR_QCSLinkedRoleInApplicationDataAccess, bound to the pre-defined policy QcloudAccessForEMRLinkedRoleInApplicationDataAccess, so that it reads and writes COS resources using temporary keys.
    Special Note on COS Bucket Access Authorization:
    1. Since August 20, 2023, for new users or existing users modifying their authorization policies, the default service-related role EMR_QCSLinkedRoleInApplicationDataAccess is granted.
    2. The current authorization policy for existing users is to bind the QcloudAccessForEMRRoleInApplicationDataAccess policy in the service role EMR_QCSRole.
    3. When both the service-related role and service role are authorized, the service-related role is used by default. In the cluster instance information authorization policy, COS will show as authorized, and the cluster COS service role will display the EMR_QCSLinkedRoleInApplicationDataAccess role.

    Purchase and manage EMR clusters

    For scenarios involving resource purchasing, such as creating clusters, adding components, modifying configurations, or expansion, collaborators/sub-users must be granted QcloudEMRFullAccess. This is according to the Definition TencentDB purchasing policy. If there are no resource purchasing scenarios, for example when only service configuration management or restarts are performed, only the QcloudEMRFullAccess policy needs to be granted.
    Caution
    For the annual/monthly subscription purchase method, if financial permissions are not granted, a pending order will be generated and linked to an account with financial permissions for approval. The pay-as-you-go purchase method does not support order approval; financial permissions must be granted.
    | Policy Category | Policy Name | Policy Description |
    |---|---|---|
    | EMR Preset Policy | QcloudEMRFullAccess | Full read-write access for EMR (select one) |
    | EMR Preset Policy | QcloudEMRReadOnlyAccess | Read-only access for EMR (choose one of the two) |
    | EMR Preset Policy | QcloudEMRPurchaseAccess | Financial permissions for EMR products |
    The root account grants the above permissions to the Sub-user or Collaborator. The steps are as follows:
    1. Log in to the CAM Console, find the corresponding Sub-user or Collaborator in Users > User List, then click Authorize.
    2. In Associated Policies, search for the policy listed in the table above (for example, QcloudEMRFullAccess). Once the policy is selected, click OK to confirm.
    3. Grant the EMR financial policy QcloudEMRPurchaseAccess in the same way as step 2.

    Cluster COS Service Role

    The EMR root account, or a Collaborator or Sub-user with QcloudCamRoleFullAccess, can precisely control COS bucket permissions and other cloud resource permissions. For details, see Cluster COS Service Role. The root account grants QcloudCamRoleFullAccess to the Sub-user or Collaborator as follows:
    1. Log in to the CAM Console, find the corresponding Sub-user or Collaborator in Users > User List, then click Authorize.
    2. In Associated Policies, search for the QcloudCamRoleFullAccess policy. Once the policy is selected, click OK to confirm.
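
The grant rules on this page can be checked mechanically before a sub-user or collaborator is authorized. The following is an added example, not Tencent Cloud code: the policy names are those listed on this page, while the duty flags, billing-mode labels, outcome strings and sample users are assumptions constructed for illustration.

```python
# Added example: least-privilege review of EMR-related CAM grants.
# Policy names are from the page; duty flags, billing labels, outcome
# strings and the sample users below are constructed for illustration.
FULL = "QcloudEMRFullAccess"
READ = "QcloudEMRReadOnlyAccess"
PURCHASE = "QcloudEMRPurchaseAccess"
CAM_ROLE = "QcloudCamRoleFullAccess"


def review_grants(attached, needs):
    """Return findings for one sub-user or collaborator.

    attached: set of policy names bound to the user.
    needs: set of hypothetical duty flags: "operate", "purchase", "cos_role".
    """
    findings = []
    if FULL in attached and READ in attached:
        findings.append("redundant: FullAccess and ReadOnlyAccess are alternatives")
    if FULL in attached and not needs & {"operate", "purchase"}:
        findings.append("excess: FullAccess on a view-only user")
    if PURCHASE in attached and "purchase" not in needs:
        findings.append("excess: PurchaseAccess also carries CVM and CDB financial permissions")
    if CAM_ROLE in attached and "cos_role" not in needs:
        findings.append("excess: CamRoleFullAccess without COS service role duties")
    if "purchase" in needs and FULL not in attached:
        findings.append("missing: purchasing scenarios require FullAccess")
    return findings


def purchase_outcome(attached, billing_mode):
    """Model the page's Caution on orders placed without financial permissions."""
    if FULL not in attached:
        return "blocked"
    if PURCHASE in attached:
        return "placed"
    # Only annual/monthly orders can wait for an approver; pay-as-you-go cannot.
    return "pending_approval" if billing_mode == "annual_monthly" else "blocked"


SAMPLE_USERS = {  # constructed
    "analyst": ({READ}, set()),
    "operator": ({FULL, READ, PURCHASE}, {"operate"}),
    "buyer": ({PURCHASE}, {"purchase"}),
}

if __name__ == "__main__":
    for name, (attached, needs) in SAMPLE_USERS.items():
        print(name, review_grants(attached, needs) or "ok")
    print(purchase_outcome({FULL}, "pay_as_you_go"))
```
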
    
    
    
    