Basic CAM Concepts
The root account authorizes sub-accounts by associating policies. The policy setting can be specific to the level of **[API, Resource, User/User Group, Allow/Deny, and Condition]**.
Account system
Root account: It owns all the resources in Tencent Cloud and can access any of these resources.
Sub-account: It includes sub-users and collaborators.
Sub-user: It is created and fully owned by a root account.
Collaborator: It has the identity of a root account. After it is added as a collaborator of the current root account, it becomes one of the sub-accounts of the current root account and can switch back to its root account identity.
Identity credential: It includes login credentials and access certificates. Login credential refers to a user's login name and password. Access certificate refers to TencentCloud API keys (SecretId and SecretKey).
Resource and permission
Resource: It refers to an object operated in Tencent Cloud services, such as a CVM instance, a COS bucket, or a VPC instance.
Permission: It is used to allow or deny some user operations. By default, the root account has full access to all its resources, while a sub-account does not have access to any resources under its root account.
Policy: It is a syntax rule used to define and describe one or more permissions. The root account can authorize users or user groups by associating them with policies.
Allowing Sub-Accounts to Use TDMQ for RocketMQ
To allow a sub-account to use TDMQ for RocketMQ, the root account needs to authorize the sub-account.
Log in to the CAM console as the root account, select the target sub-user in the user list, and click Authorize in the Operation column. TDMQ for RocketMQ provides two preset policies for sub-accounts: QcloudTrocketReadOnlyAccess and QcloudTrocketFullAccess. The former only allows sub-accounts to view information in the console, while the latter allows sub-accounts to perform both read and write operations in the console.
In addition to the preset policies, the root account can authorize sub-accounts to call the APIs of other Tencent Cloud products as needed. TDMQ for RocketMQ may require the API permissions of the following Tencent Cloud products:
| Product | API | Description | Use in TDMQ for RocketMQ |
| --- | --- | --- | --- |
| Tencent Cloud Observability Platform (TCOP) | GetMonitorData | Queries the monitoring data of metrics. | Queries the monitoring data displayed in the console. |
| TCOP | DescribeDashboardMetricData | Queries the monitoring data of metrics. | Queries the monitoring data displayed in the console. |
| Tencent Cloud Tag | DescribeResourceTagsByResourceIds | Queries resource tags. | Queries the resource tags of a cluster. |
To grant the above permissions to the sub-account, the root account needs to go to the CAM console and click Create Custom Policy on the Policies page. In the pop-up window, select Create by Policy Syntax > Blank Template, and enter the following policy syntax:

```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeDashboardMetricData",
                "tag:DescribeResourceTagsByResourceIds"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
```
After the policy is created, return to the policy list and associate it with the sub-account in the Operation column.
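The following is an added example, not code from this page or from Tencent Cloud: a small evaluator for the CAM policy syntax shown above (the `version`/`statement`/`effect`/`action`/`resource` fields), used to check what a sub-account holding a set of policies may do before the policies are associated in the console. The page states that a sub-account starts with no permissions; the evaluator's remaining rules are assumptions labelled in the code: an explicit `deny` overrides any `allow`, and `*` acts as a wildcard inside action and resource strings. The second policy and the `qcs::` resource string are constructed sample data.

```python
"""Added example: a minimal evaluator for the CAM policy syntax used on this page.

Assumptions not taken from the page: an explicit "deny" statement takes
precedence over any "allow", '*' acts as a wildcard inside action and
resource strings, and "action"/"resource" may be a string or a list.
"""
import fnmatch
import json

# The custom policy from this page, embedded verbatim.
CUSTOM_POLICY = json.loads("""
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeDashboardMetricData",
                "tag:DescribeResourceTagsByResourceIds"
            ],
            "resource": ["*"]
        }
    ]
}
""")

# Constructed policy (not from the page): forbid every Tag API on every resource.
DENY_TAG_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "deny", "action": ["tag:*"], "resource": ["*"]}
    ],
}


def _as_list(value):
    """CAM accepts a single string or a list for action/resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """True if any pattern matches value, treating '*' as a wildcard (assumed semantics)."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def evaluate(policies, action, resource):
    """Decide whether a sub-account holding `policies` may perform `action` on `resource`.

    Sub-accounts have no permissions by default (stated on the page), so the
    starting decision is "deny". A matching "allow" statement flips it; a
    matching "deny" statement wins immediately (assumed precedence rule).
    """
    decision = "deny"
    for policy in policies:
        if policy.get("version") != "2.0":
            raise ValueError(f"unsupported policy version: {policy.get('version')!r}")
        for statement in policy["statement"]:
            if statement["effect"] not in ("allow", "deny"):
                raise ValueError(f"unknown effect: {statement['effect']!r}")
            if not _matches(statement["action"], action):
                continue
            if not _matches(statement["resource"], resource):
                continue
            if statement["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision


def broad_grants(policy):
    """Return the actions a policy allows on every resource ("*").

    A review check: each action listed here should be one the sub-account
    genuinely needs, such as the three APIs in the table on this page.
    """
    found = []
    for statement in policy["statement"]:
        if statement["effect"] == "allow" and "*" in _as_list(statement["resource"]):
            found.extend(_as_list(statement["action"]))
    return found


if __name__ == "__main__":
    # Constructed resource string in Tencent's qcs:: format; the UIN is a placeholder.
    res = "qcs::monitor::uin/100000000000:instance/*"
    print(evaluate([CUSTOM_POLICY], "monitor:GetMonitorData", res))        # allow
    print(evaluate([CUSTOM_POLICY], "trocket:DescribeClusters", res))       # deny
    print(evaluate([CUSTOM_POLICY, DENY_TAG_POLICY],
                   "tag:DescribeResourceTagsByResourceIds", res))           # deny
    print(broad_grants(CUSTOM_POLICY))
```

Run it with the page's policy alone and only the three listed APIs are allowed; every other action, such as a TDMQ for RocketMQ API the custom policy does not mention, stays denied because nothing granted it. Adding the constructed deny policy shows why a deny statement is the safer way to carve an exception out of a broad grant: it keeps winning no matter how many allow statements are attached later.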
Relevant Documentation
For more information, see the following documents: