Granting Resource-Level Permissions to Sub-Accounts
Last updated: 2023-10-13 10:37:11

Overview

This document describes how to use the root account to authorize sub-accounts at the resource level. After authorization succeeds, a sub-account can control the specified resource.

Prerequisites

You must have a Tencent Cloud root account and have activated the Cloud Access Management (CAM) service.
Your root account must have at least one sub-account, and you must have completed the authorization as instructed in Access Authorization for Sub-Accounts.
You must have at least one TDMQ for RocketMQ cluster instance.

Directions

By using the policy feature in the CAM console, you can grant a sub-account access to the TDMQ for RocketMQ resources owned by the root account. The following steps use a cluster resource as an example; the same steps apply to other types of resources.

Step 1. Obtain the TDMQ for RocketMQ cluster ID

1. Log in to the TDMQ for RocketMQ console with the root account, select an existing cluster instance, and click it to enter the details page.

2. In Basic Info, the field ID indicates the ID of the current TDMQ for RocketMQ cluster.


Step 2. Create a new authorization policy

1. Log in to the CAM console and click Policies on the left sidebar.
2. Click Create Custom Policy > Create by Policy Generator.
3. In the visual policy generator, select Allow for Effect, enter "TDMQ" in Service to filter, and select **Tencent Distributed Message Queue (tdmq)**.

4. In Action, select All actions, or select only the action types the sub-account needs.
Note
Currently, some APIs don't support resource-level authorization, as indicated on the console page. For the APIs that do, see the list of APIs supporting resource-level authorization in the appendix.

5. In the Resource field, select Specific resources and find the cluster resource type. To authorize all cluster resources, select Any resource of this type on the right; to authorize specific cluster resources, click Add a six-segment resource description.
6. If you click Add a six-segment resource description, enter the cluster ID for Resource in the pop-up dialog box. For how to obtain the cluster ID, see Step 1.

7. Click Next and enter a policy name as needed.
8. Click Select Users or Select User Groups to select the users or user groups that need to be granted resource permissions.

9. Click Complete. The sub-account with granted resource permissions will have the capability to access related resources.

Other authorization methods



Appendix

List of APIs supporting resource-level authorization

TDMQ supports resource-level authorization. You can grant a specified sub-account the API permission of a specified resource. APIs supporting resource-level authorization include:
| API Name | Description | Resource Type | Six-Segment Resource Example |
| --- | --- | --- | --- |
| ResetRocketMQConsumerOffSet | Resets RocketMQ consumption offset | consumer | qcs::tdmq:${region}:uin/${uin}:consumer/${clusterId}/${namespaceId}/${topic}/${groupId} |
| DescribeRocketMQClusters | Gets the list of RocketMQ clusters | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
| DeleteRocketMQCluster | Deletes a RocketMQ cluster | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
| DescribeRocketMQCluster | Gets the information of a RocketMQ cluster | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
| CreateRocketMQNamespace | Creates a RocketMQ namespace | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
| ModifyRocketMQNamespace | Updates a RocketMQ namespace | namespace | qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace} |
| DeleteRocketMQNamespace | Deletes a RocketMQ namespace | namespace | qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace} |
| CreateRocketMQGroup | Creates a RocketMQ consumer group | namespace | qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace} |
| ModifyRocketMQGroup | Updates a RocketMQ consumer group | group | qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId} |
| DescribeRocketMQGroups | Gets the list of RocketMQ consumer groups | group | qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId} |
| DeleteRocketMQGroup | Deletes a RocketMQ consumer group | group | qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId} |
| CreateRocketMQTopic | Creates a RocketMQ topic | namespace | qcs::tdmq:${region}:uin/${uin}:namespace/${clusterId}/${namespace} |
| ModifyRocketMQTopic | Updates RocketMQ topic information | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName} |
| DeleteRocketMQTopic | Deletes a RocketMQ topic | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName} |
| DescribeRocketMQTopics | Gets the list of RocketMQ topics | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName} |
| DescribeRocketMQTopicsByGroup | Gets the list of topics subscribed to a specified consumer group | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${namespaceId}/${topicName} |
| DescribeRocketMQConsumerConnections | Gets the current client connection status under a specified consumer group | group | qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId} |
| DescribeRocketMQConsumerConnectionDetail | Gets the details of online consumers | group | qcs::tdmq:${region}:uin/${uin}:group/${clusterId}/${namespaceId}/${groupId} |
| ModifyRocketMQCluster | Modifies RocketMQ cluster information | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |

List of APIs not supporting resource-level authorization

| API Name | Description | Six-Segment Resource |
| --- | --- | --- |
| CreateRocketMQCluster | Creates a RocketMQ cluster | * |
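
The two appendix tables can be used to check a policy before it is attached to a sub-account. The following Python is an added example, not Tencent Cloud code: it flags allow statements whose actions and six-segment resources disagree with the tables, or that grant all actions. It assumes CAM's JSON policy layout (`version`, `statement`, `effect`, `action`, `resource`) and the `tdmq:<API>` action naming, neither of which is shown on this page; the region, uin and cluster ID in the sample are constructed placeholders.

```python
# Added example. API names and resource types are copied from the appendix; "*" = resource * only.
APIS_BY_TYPE = {
    "consumer": "ResetRocketMQConsumerOffSet",
    "cluster": "DescribeRocketMQClusters DeleteRocketMQCluster DescribeRocketMQCluster "
               "CreateRocketMQNamespace ModifyRocketMQCluster",
    "namespace": "ModifyRocketMQNamespace DeleteRocketMQNamespace CreateRocketMQGroup "
                 "CreateRocketMQTopic",
    "group": "ModifyRocketMQGroup DescribeRocketMQGroups DeleteRocketMQGroup "
             "DescribeRocketMQConsumerConnections DescribeRocketMQConsumerConnectionDetail",
    "topic": "ModifyRocketMQTopic DeleteRocketMQTopic DescribeRocketMQTopics "
             "DescribeRocketMQTopicsByGroup",
    "*": "CreateRocketMQCluster",
}
API_TYPE = {api: t for t, apis in APIS_BY_TYPE.items() for api in apis.split()}

def resource_type(resource):
    """Type named in the sixth segment of qcs::tdmq:<region>:uin/<uin>:<type>/<ids>."""
    parts = resource.split(":", 5)
    if resource != "*" and (len(parts) != 6 or (parts[0], parts[2]) != ("qcs", "tdmq")):
        raise ValueError(f"not a tdmq six-segment resource: {resource!r}")
    return parts[-1].split("/", 1)[0]  # "*" stays "*"

def lint_policy(policy):
    """Return (action, finding) pairs for allow statements that disagree with the tables."""
    findings = []
    for stmt in (s for s in policy["statement"] if s["effect"] == "allow"):
        types = {resource_type(r) for r in stmt["resource"]}
        for action in stmt["action"]:
            api = action.split(":", 1)[-1]
            want = API_TYPE.get(api)
            if api == "*":
                findings.append((action, "grants all actions; list only the APIs needed"))
            elif want is None:
                findings.append((action, "API is not in the appendix tables"))
            elif want == "*" and types != {"*"}:
                findings.append((action, "appendix lists only resource * for this API"))
            elif want != "*" and "*" in types:
                findings.append((action, f"resource * is broad; scope to a {want} resource"))
            elif want != "*" and want not in types:
                findings.append((action, f"appendix lists a {want} resource for this API"))
    return findings

# Constructed sample policy; the uin and cluster ID are placeholders.
CLUSTER = "qcs::tdmq:ap-guangzhou:uin/100000000001:cluster/rocketmq-example"
SAMPLE_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "resource": [CLUSTER], "action": [
        "tdmq:DescribeRocketMQCluster", "tdmq:ModifyRocketMQTopic", "tdmq:CreateRocketMQCluster"]},
    {"effect": "allow", "resource": ["*"], "action": ["tdmq:*"]},
]}
```

Calling `lint_policy(SAMPLE_POLICY)` reports the topic API paired with a cluster resource, the cluster-creation API scoped to a single cluster, and the all-actions grant.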

