Access Management (CAM)
Last updated: 2024-01-03 10:17:36

Basic CAM Concepts

The root account authorizes sub-accounts by associating policies with them. A policy can be scoped down to the level of API, resource, user/user group, allow/deny effect, and condition.

Account

Root account: It owns all Tencent Cloud resources under it and can access any of them.
Sub-account: A sub-user or a collaborator.
Sub-user: It is created and fully owned by a root account.
Collaborator: It has the identity of a root account of its own. Once added as a collaborator of the current root account, it becomes one of that root account's sub-accounts and can switch back to its own root account identity at any time.
Identity credential: Login credentials and access credentials. A login credential is a user's login name and password. An access credential is a Tencent Cloud API key pair (SecretId and SecretKey).

Resource and permission

Resource: It is an object manipulated in Tencent Cloud services. TDMQ for CMQ resources include topics and queues.
Permission: It is an authorization that allows or forbids users to perform certain operations. By default, a root account has full access to all resources under it, while a sub-account does not have access to any resources under its root account.
Policy: It is a syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.

Relevant Documents

Understand the relationship between policies and users
Understand the basic structure of policies
Check CAM-enabled products

List of APIs Supporting Resource-Level Authorization

TDMQ for CMQ supports resource-level authorization: you can grant a sub-account permission to call a given API only on a specified resource.
APIs supporting resource-level authorization are listed below, with the six-segment resource description each one expects:
API Name | API Description | Resource Type | Six-Segment Resource Example
ModifyCmqTopicAttribute | Modifies TDMQ for CMQ topic attributes | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
CreateCmqSubscribe | Creates a TDMQ for CMQ subscription | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
ModifyCmqSubscriptionAttribute | Modifies TDMQ for CMQ subscription attributes | Subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName}
RewindCmqQueue | Rewinds a TDMQ for CMQ queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
ModifyCmqQueueAttribute | Modifies TDMQ for CMQ queue attributes | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
ClearCmqSubscriptionFilterTags | Clears message subscription tags in TDMQ for CMQ | Subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName}
ClearCmqQueue | Clears messages in a TDMQ for CMQ queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
DeleteCmqSubscribe | Deletes a TDMQ for CMQ subscription | Subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName}
DeleteCmqTopic | Deletes a TDMQ for CMQ topic | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
BatchReceiveMessage | Consumes messages in batches | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
UnbindCmqDeadLetter | Unbinds a TDMQ for CMQ dead letter queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${sourceQueueName}
DescribeCmqDeadLetterSourceQueues | Enumerates the source queues of a TDMQ for CMQ dead letter queue | Dead letter queue | qcs::tdmq:${region}:uin/${uin}:dlq/${sourceQueueName}/${deadLetterQueueName}
DescribeCmqTopics | Enumerates all TDMQ for CMQ topics | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
DescribeCmqSubscriptionDetail | Queries TDMQ for CMQ subscription details | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}/${subscriptionName}
DescribeCmqQueues | Queries all TDMQ for CMQ queues | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
PublishCmqMsg | Sends a TDMQ for CMQ topic message | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
SendCmqMsg | Sends a TDMQ for CMQ message | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
DescribeCmqTopicDetail | Queries TDMQ for CMQ topic details | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName} ; qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
DescribeCmqQueueDetail | Queries TDMQ for CMQ queue details | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
DeleteCmqQueue | Deletes a TDMQ for CMQ queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}

List of APIs Not Supporting Resource-Level Authorization

API Name | API Description | Six-Segment Resource
CreateCmqTopic | Creates a TDMQ for CMQ topic | *
CreateCmqQueue | Creates a TDMQ for CMQ queue | *

For APIs that do not support resource-level authorization, the resource field must be set to an asterisk (*).

Authorization Scheme Examples

Full access policy

Grant a sub-user full access to the TDMQ for CMQ queue service (creating, managing, and so on).
1. Log in to the CAM console.
2. Click Policy on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Policy Generator.
5. On the Edit Policy page, click Import Policy Syntax in the top-right corner.
6. On the Import Policy Syntax page, search for TDMQ, select QcloudTDMQFullAccess in the search results, and click OK.
7. On the Edit Policy page, click Next, enter the policy name and description, and select the user/user group you want to associate.
8. Click Complete.

Read-only access policy

The following example grants read-only permission on a single queue.
1. Log in to the CAM console.
2. Click Policy on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Policy Generator and enter the policy information.
Parameter | Description
Effect | Select Allow
Service | Select TDMQ
Action | Select Read operation
Resource | Select Specific resources and click Add six-segment resource description. Region: select the resource region. Account: populated automatically. Resource Prefix: queue. Then enter the name of the queue you want to authorize.
Condition | Allow access to the specified operations only when the request comes from the specified IP range
5. Click Next, enter the policy name and description, and select the user/user group you want to associate.
6. Click Complete.
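The policy generator steps above, and the resource-level authorization tables earlier on this page, can be exercised offline with the following script. It is an added example written for this page, not Tencent Cloud's code or a CAM SDK call: it builds the read-only queue policy as a policy document, checks that each action in a statement is paired with a resource of the right prefix (or with * for the two Create APIs that have no resource-level authorization), and then evaluates constructed sample requests against the policy, including the IP-range condition. The document layout (version "2.0", statement/effect/action/resource/condition, and the ip_equal operator on the qcs:ip key) is this author's reading of CAM policy syntax and is an assumption to confirm against the CAM policy syntax document; the region, UIN, queue name and IP range are constructed sample values, and the two Describe* APIs stand in for the console's "Read operation" group.

```python
"""Added example; not Tencent Cloud's code or a CAM SDK call.

Builds the read-only queue policy described on this page as a CAM-style
policy document and evaluates sample requests against it. The document
layout (version "2.0", statement / effect / action / resource / condition,
and the ip_equal operator on the qcs:ip key) is an assumption; confirm it
against the CAM policy syntax document before relying on it.
"""
import fnmatch
import ipaddress

# Resource prefix used by each API's six-segment description, taken from the
# tables on this page. "*" marks APIs that do not support resource-level
# authorization and must be granted with a wildcard resource.
API_RESOURCE_TYPE = {
    "DescribeCmqQueues": "queue",
    "DescribeCmqQueueDetail": "queue",
    "SendCmqMsg": "queue",
    "DeleteCmqQueue": "queue",
    "DescribeCmqTopicDetail": "topic",
    "CreateCmqQueue": "*",
    "CreateCmqTopic": "*",
}

# Assumption: these two Describe* APIs stand in for the console's "Read
# operation" group; the real group may contain more APIs.
READ_ACTIONS = ["DescribeCmqQueues", "DescribeCmqQueueDetail"]


def six_segment(region, uin, prefix, name):
    """Build qcs::tdmq:<region>:uin/<uin>:<prefix>/<name>."""
    return f"qcs::tdmq:{region}:uin/{uin}:{prefix}/{name}"


def parse_six_segment(resource):
    """Split a six-segment description into its named parts."""
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment resource: {resource}")
    _, _, service, region, account, res = parts
    prefix, _, name = res.partition("/")
    return {"service": service, "region": region, "account": account,
            "prefix": prefix, "name": name}


def read_only_queue_policy(region, uin, queue_name, ip_range):
    """The read-only policy from the console steps, as a policy document."""
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",
            "action": [f"tdmq:{api}" for api in READ_ACTIONS],
            "resource": [six_segment(region, uin, "queue", queue_name)],
            "condition": {"ip_equal": {"qcs:ip": [ip_range]}},
        }],
    }


def statement_resource_problems(stmt):
    """Report resources whose prefix cannot apply to the statement's actions."""
    problems = []
    for action in stmt["action"]:
        api = action.split(":", 1)[-1]
        rtype = API_RESOURCE_TYPE.get(api)
        if rtype is None:
            continue  # API not in our table; nothing to check
        for res in stmt["resource"]:
            if res == "*":
                continue
            if rtype == "*":
                problems.append(f"{api} has no resource-level authorization; use *")
            elif parse_six_segment(res)["prefix"] != rtype:
                problems.append(f"{api} expects a {rtype} resource, got {res}")
    return problems


def is_allowed(policy, api, resource, source_ip):
    """Deny by default; an explicit deny wins; an allow must match the action,
    the resource and every condition in its statement."""
    decision = False
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["statement"]:
        if not any(fnmatch.fnmatchcase(f"tdmq:{api}", a) for a in stmt["action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["resource"]):
            continue
        ranges = stmt.get("condition", {}).get("ip_equal", {}).get("qcs:ip", [])
        if ranges and not any(addr in ipaddress.ip_network(r, strict=False) for r in ranges):
            continue  # request came from outside the permitted range
        if stmt["effect"] == "deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    # Constructed sample values: region, UIN, queue name and office IP range.
    policy = read_only_queue_policy("ap-guangzhou", "100000000001", "orders", "10.0.0.0/8")
    queue = six_segment("ap-guangzhou", "100000000001", "queue", "orders")
    print(statement_resource_problems(policy["statement"][0]))
    print(is_allowed(policy, "DescribeCmqQueueDetail", queue, "10.1.2.3"))
    print(is_allowed(policy, "DescribeCmqQueueDetail", queue, "203.0.113.9"))
    print(is_allowed(policy, "SendCmqMsg", queue, "10.1.2.3"))
```

Running the script shows the default-deny behaviour the "Permission" definition above describes: the sub-user can read the named queue from inside the IP range, but the same request from another address, a write API such as SendCmqMsg, or a different queue name all fall through to deny. The statement check is what catches the most common mistake when a policy is written by hand rather than in the generator, namely pairing CreateCmqQueue or CreateCmqTopic with a six-segment resource instead of *.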