Basic Concepts of CAM
The root account authorizes sub-accounts by binding policies to them; a policy can be set precisely along the API, resource, user/user group, allow/deny and condition dimensions.
Account System
Root account: Owns and has unrestricted access to all Tencent Cloud resources.
Sub-account: Includes sub-users and collaborators.
Sub-user: Created by the root account and belonging entirely to the root account that created it.
Collaborator: A user who has their own root account identity and is added as a collaborator to the current root account, becoming one of its sub-accounts; the collaborator can switch back to their own root account identity.
Identity credentials: Includes log-in credentials and access certificates. Log-in credentials refer to a user’s log-in name and password. Access certificates refer to Tencent Cloud API keys (SecretId and SecretKey).
Resource and Permission
Resource: An object operated on in Tencent Cloud services, such as a CVM instance, a COS bucket, or a VPC instance.
Permission: An authorization to allow or disallow some users to perform certain operations. By default, a root account has full access to all the resources under the account, while a sub-account does not have access to any resources under the root account.
Policy: A syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.
Sub-Account Using Pulsar
To ensure that the sub-account can successfully use Pulsar, the root account needs to authorize the sub-account.
The root account logs in to the CAM console, finds the corresponding sub-account in the sub-account list, and clicks Authorize in the Operation column. Pulsar offers two preset policies for sub-accounts: QcloudTDMQReadOnlyAccess and QcloudTDMQFullAccess. The former only allows viewing related information in the console, while the latter allows read-write operations in the product console.
In addition to the preset policies above, the root account needs to grant the sub-account the permissions it requires to call other cloud services, according to actual needs. Using Pulsar involves the following API permissions of other cloud services:
| Cloud Service | API | Description | Purpose |
| --- | --- | --- | --- |
| TCOP (Monitor) | GetMonitorData | Query metric monitoring data. | View the corresponding monitoring metrics displayed in the console. |
| TCOP (Monitor) | DescribeDashboardMetricData | Query metric monitoring data. | View the corresponding monitoring metrics displayed in the console. |
| Resource Tag (Tags) | DescribeResourceTagsByResourceIds | Query resource tags. | View cluster resource tags. |
To grant the sub-account the above permissions, log in to the CAM console with the root account, go to the Policies page, and click Create Custom Policy. Select Create by Policy Syntax, then select Blank Template, and enter the following policy syntax:

```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "monitor:GetMonitorData",
        "monitor:DescribeDashboardMetricData",
        "tag:DescribeResourceTagsByResourceIds"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
```
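Before attaching a custom policy, it is worth checking that it grants no more than the three actions listed above. The following audit routine is an added example, not part of the Tencent Cloud documentation or any CAM tooling; it assumes the CAM 2.0 policy layout shown above (`version`, `statement`, `effect`, `action`, `resource`), embeds the page's policy as sample input, and flags wildcard or unexpected actions as findings while reporting the page's own `"resource": ["*"]` only as informational.

```python
import json

# Actions the page lists as the extra permissions a Pulsar sub-account needs.
EXPECTED_ACTIONS = {
    "monitor:GetMonitorData",
    "monitor:DescribeDashboardMetricData",
    "tag:DescribeResourceTagsByResourceIds",
}

# The custom policy from the page, embedded here as sample input.
PAGE_POLICY = """{"version": "2.0", "statement": [{"effect": "allow",
  "action": ["monitor:GetMonitorData", "monitor:DescribeDashboardMetricData",
             "tag:DescribeResourceTagsByResourceIds"],
  "resource": ["*"]}]}"""


def _as_list(value):
    """CAM accepts either a single string or a list for action/resource."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_cam_policy(policy_json, expected_actions=EXPECTED_ACTIONS):
    """Return (severity, message) findings for a CAM policy document.

    "high": wrong version, missing keys, unknown effect, wildcard actions,
    or allowed actions outside expected_actions.
    "info": resource "*" (the page's own policy uses it).
    """
    findings = []
    policy = json.loads(policy_json)
    if policy.get("version") != "2.0":
        findings.append(("high", 'version must be "2.0"'))
    for i, stmt in enumerate(policy.get("statement", [])):
        for key in ("effect", "action", "resource"):
            if key not in stmt:
                findings.append(("high", f"statement {i}: missing '{key}'"))
        effect = stmt.get("effect")
        if effect not in ("allow", "deny"):
            findings.append(("high", f"statement {i}: unknown effect {effect!r}"))
        if effect != "allow":
            continue  # deny statements only narrow access; nothing to flag
        for action in _as_list(stmt.get("action")):
            if "*" in action:
                findings.append(("high", f"statement {i}: wildcard action {action!r}"))
            elif action not in expected_actions:
                findings.append(("high", f"statement {i}: unexpected action {action!r}"))
        if "*" in _as_list(stmt.get("resource")):
            findings.append(("info", f"statement {i}: resource '*' covers all resources"))
    return findings
```

Running `audit_cam_policy(PAGE_POLICY)` yields only the informational resource finding; a policy granting `monitor:*` or an action outside the table is reported as high severity.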
After the policy is created, associate the newly created policy with the sub-account as shown below: