Granting Resource-Level Permissions to Sub-Accounts

Last updated: 2024-01-17 16:43:42

    Overview

    This document describes how to use the root account to grant a sub-account resource-level permissions. After the authorization, the sub-account can operate only on the specific resource it was granted.

    Operation Prerequisites

    You have a Tencent Cloud root account and have activated the Tencent Cloud CAM service.
    The root account has at least one sub-account, and that sub-account has been granted access according to "Retrieving access permissions for sub-accounts".
    You have at least one RocketMQ instance.

    Directions

    You can use the policy feature in the CAM console to grant a sub-account permissions on the root account's RocketMQ resources. For details, see Granting RocketMQ Resources to Sub-Accounts. This example demonstrates how to grant a cluster resource to a sub-account; the operation for other resource types is similar.

    Step 1: Acquiring the Resource ID of the RocketMQ Cluster

    1. Use the root account to log in to the TDMQ for RocketMQ console, select an existing cluster instance, and click it to open its details page.
    
    2. In Basic Info, the field ID is the ID of the current RocketMQ cluster.
    

    Step 2: Creating an Authorization Policy

    1. Open the CAM console and click Policies on the left sidebar.
    2. Click Create Custom Policy, and choose Create by Policy Generator.
    3. In the visual policy generator, keep Effect set to Allow. In Service, enter "rocketmq" to filter and select RocketMQ (trocket) from the results.
    
    4. In Action, select All Actions, or select only the actions the sub-account needs.
    
    5. In Resource, select Specific resources. Then either select Any resource of this type on the right (grants access to all resources of that type) or click Add a Six-segment Resource description (authorizes only the specific resources you list).
    6. In the sidebar that opens under Resource, enter the ID of the resource you want to authorize. For how to obtain the ID, see Step 1.
    
    7. Click Next and fill in the policy name as needed.
    8. Click Select Users or Select User Groups to choose the user or user group that needs to be granted resource permissions.
    
    9. Click Complete. The sub-accounts granted resource permissions can now access the corresponding resources.

    Other Authorization Methods

    Appendix

    List of APIs Supporting Resource-Level Authorization

    TDMQ supports resource-level authorization, which lets you grant a sub-account the permissions of specific APIs on a specific resource only.
    The APIs supporting resource-level authorization are listed below:
    | API Name | API Description | Resource Type | Six-Segment Example of Resource |
    | --- | --- | --- | --- |
    | CreateConsumerGroup | Creates consumer groups | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/* |
    | CreateInstance | Creates instances | instance | qcs::trocket:${region}:uin/${uin}:instance/* |
    | CreateInstanceEndpoint | Creates access points | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | CreateRole | Adds roles | role | qcs::trocket:${region}:uin/${uin}:role/${instanceId}/* |
    | CreateTopic | Creates topics | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/* |
    | DeleteConsumerGroup | Deletes consumer groups | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | DeleteInstance | Deletes instances | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | DeleteInstanceEndpoint | Deletes access points | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | DeleteRole | Deletes roles | role | qcs::trocket:${region}:uin/${uin}:role/${instanceId}/${role} |
    | DeleteTopic | Deletes topics | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | DescribeConsumerClient | Queries consumer client details | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | DescribeConsumerClientList | Queries client connections under a consumer group | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | DescribeConsumerGroup | Queries consumer group details | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | DescribeConsumerGroupList | Queries consumer group lists | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | DescribeInstance | Queries instances | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | DescribeInstanceList | Queries instance lists | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | DescribeInstanceTopUsages | Obtains instance resource consumption ranking | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | DescribeMessage | Queries messages | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | DescribeMessageList | Queries message lists | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | DescribeMessageTrace | Queries message traces | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | DescribeRoleList | Queries role lists | role | qcs::trocket:${region}:uin/${uin}:role/${instanceId}/${role} |
    | DescribeTopic | Queries topic details | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | DescribeTopicList | Queries topic lists | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | DescribeTopicListByGroup | Obtains topic lists based on the consumer group | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | DescribeTopicStatisticalList | Obtains the number and types of topics under a specified instance | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | ExportMessage | Exports messages | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | ModifyConsumerGroup | Modifies consumer group attributes | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | ModifyInstance | Modifies instances | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | ModifyInstanceEndpoint | Modifies access points | instance | qcs::trocket:${region}:uin/${uin}:instance/${instanceId} |
    | ModifyRole | Modifies roles | role | qcs::trocket:${region}:uin/${uin}:role/${instanceId}/${role} |
    | ResetConsumerGroupOffset | Resets consumption offset | consumerGroup | qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/${consumerGroup} |
    | SendMessage | Sends messages | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
    | VerifyMessageConsumption | Verifies message consumption | topic | qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic} |
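    The following is an added example, not code from Tencent Cloud or from this page, that ties Step 2 and the table above together: it renders a few of the six-segment templates from the table for one cluster, assembles the custom policy that the policy generator would produce (CAM policy syntax version 2.0 with statement/effect/action/resource, and the rule that an explicit deny overrides an allow, as documented by Tencent Cloud), and evaluates whether a given request is allowed by that policy. The region, UIN and cluster ID are constructed placeholders, and `render_resource`, `build_policy` and `policy_allows` are helper names chosen for this example only.

```python
import json
import re

SERVICE = "trocket"  # service prefix used in CAM actions and six-segment descriptions

# Six-segment templates for a handful of the APIs in the appendix table
# (API name -> (resource type, template)); the complete list is in that table.
RESOURCE_TEMPLATES = {
    "DescribeInstance": ("instance", "qcs::trocket:${region}:uin/${uin}:instance/${instanceId}"),
    "DeleteInstance": ("instance", "qcs::trocket:${region}:uin/${uin}:instance/${instanceId}"),
    "CreateTopic": ("topic", "qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/*"),
    "DescribeTopic": ("topic", "qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic}"),
    "SendMessage": ("topic", "qcs::trocket:${region}:uin/${uin}:topic/${instanceId}/${topic}"),
    "CreateConsumerGroup": ("consumerGroup", "qcs::trocket:${region}:uin/${uin}:consumerGroup/${instanceId}/*"),
}


def render_resource(template, region, uin, instance_id,
                    topic="*", consumer_group="*", role="*"):
    """Fill in a six-segment template. Sub-resource placeholders default to '*',
    i.e. every topic/group/role inside the given instance, but never another instance."""
    values = {"region": region, "uin": uin, "instanceId": instance_id,
              "topic": topic, "consumerGroup": consumer_group, "role": role}
    return re.sub(r"\$\{(\w+)\}", lambda m: values[m.group(1)], template)


def build_policy(api_names, region, uin, instance_id):
    """Return a CAM custom policy (version 2.0 syntax) that allows only the listed
    APIs, and only on resources belonging to one RocketMQ cluster instance."""
    actions, resources = [], []
    for api in api_names:
        _rtype, template = RESOURCE_TEMPLATES[api]
        actions.append(f"{SERVICE}:{api}")
        res = render_resource(template, region, uin, instance_id)
        if res not in resources:  # several APIs may share one resource pattern
            resources.append(res)
    return {"version": "2.0",
            "statement": [{"effect": "allow", "action": actions, "resource": resources}]}


def _wildcard_match(pattern, value):
    """'*' in a policy action or resource matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _covers(stmt, action, resource):
    return (any(_wildcard_match(a, action) for a in _as_list(stmt["action"]))
            and any(_wildcard_match(r, resource) for r in _as_list(stmt["resource"])))


def policy_allows(policy, action, resource):
    """Decide one (action, resource) request against one policy: an explicit deny
    wins; otherwise a matching allow is required; otherwise the request is refused."""
    stmts = policy["statement"]
    if any(s["effect"] == "deny" and _covers(s, action, resource) for s in stmts):
        return False
    return any(s["effect"] == "allow" and _covers(s, action, resource) for s in stmts)


if __name__ == "__main__":
    # Constructed placeholder values: replace with your region, root-account UIN
    # and the cluster ID read from Basic Info in Step 1.
    policy = build_policy(["DescribeInstance", "CreateTopic", "SendMessage"],
                          "ap-guangzhou", "100000000001", "rmq-abc123")
    print(json.dumps(policy, indent=2))
```

    The point worth checking when you review a generated policy is the resource segment: choosing Any resource of this type in the generator yields `instance/*`, which matches every cluster under the account, whereas the six-segment description with the cluster ID (or `topic/${instanceId}/*`) stays confined to that one cluster. Pairing that with the specific API names instead of All Actions gives the sub-account the least privilege that still does its job.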
    