Granting Tag-Level Permissions to Sub-Accounts

Last updated: 2024-01-17 16:43:53

    Overview

    This document describes how to use a root account to grant a sub-account access to resources under a specific tag through tag authorization. The authorized sub-account can gain control over the resources associated with the corresponding tag.

    Prerequisites

    You have a Tencent Cloud root account and have activated the Tencent Cloud CAM service.
    The root account has at least one sub-account, and the sub-account has been authorized as described in "Retrieving access permissions for sub-accounts".
    You have at least one RocketMQ cluster resource instance.
    You have at least one tag. If you do not have one, you can go to TAG control panel > TAG list to create one.

    Directions

    You can use the policy feature of the CAM console to authorize by tag. This grants the sub-account read/write permissions for RocketMQ resources that are owned by the root account and already bound to a tag. For details, see Granting Resource Permissions to Sub-Accounts by TAG.

    Step 1: Binding Tags to Resources

    1. Use the root account to log in to the MQ for RocketMQ console, and navigate to the cluster management page.
    2. Select the target cluster and then click Edit Resource Tag in the upper left corner to bind a tag to the cluster.
    

    Step 2: Authorizing by Tag

    1. Open the CAM console and click Policies on the left sidebar.
    2. Click Create Custom Policy, and select Authorize by TAG.
    3. In the visual policy generator, enter "rocketmq" in Service to filter the list, and select TROCKET(trocket) from the results. In Action, select All actions, or select only the operations the sub-account needs.
    4. Click Next and fill in the policy name as needed.
    5. Click Select Users or Select User Groups to choose the user or user group that needs to be granted resource permissions.
    
    6. Click Complete. The corresponding sub-accounts can now control resources under the specified tag according to the policy.
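
    The following check is an added example, not part of the original document or of Tencent Cloud's tooling. It assumes the policy is expressed in CAM policy syntax with a `qcs:resource_tag` condition; the sample policy and the tag `env&prod` are constructed placeholders, and the policy the console generates may differ in detail. It flags `trocket` allow statements that are not scoped by a tag or that use wildcard actions.

```python
import json

# Constructed sample in CAM policy syntax; the tag "env&prod" is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["trocket:*"],
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {"qcs:resource_tag": ["env&prod"]}
      }
    }
  ]
}
""")

TAG_KEY = "qcs:resource_tag"  # condition key that carries resource tags


def as_list(value):
    """Policy fields may hold a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_tags(statement):
    """Return the key&value tag pairs that scope this statement."""
    tags = []
    for operands in statement.get("condition", {}).values():
        tags += as_list(operands.get(TAG_KEY, []))
    return tags


def audit(policy, service="trocket"):
    """Return (statement index, finding) pairs for over-broad allow statements."""
    findings = []
    for i, st in enumerate(as_list(policy.get("statement", []))):
        actions = as_list(st.get("action", []))
        mine = [a for a in actions if a == "*" or a.startswith(f"{service}:")]
        if st.get("effect") != "allow" or not mine:
            continue
        if "*" in as_list(st.get("resource", [])) and not resource_tags(st):
            findings.append((i, "allows all resources with no tag condition"))
        if any(a.endswith("*") for a in mine):
            findings.append((i, "wildcard action; list only the operations needed"))
    return findings
```

    Running `audit(SAMPLE_POLICY)` reports only the wildcard action, because the statement is already limited to resources carrying the tag.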

    Unified Management of Resource Tags

    You can also manage resource tags in a unified manner on the TAG Console. The detailed operations are as follows:
    1. Log in to the Tag console.
    2. On the left sidebar, select Resource Tag, choose the query conditions as needed, and then choose TROCKET > RocketMQ Instance in Resource type.
    3. Click Query Resources.
    4. Select the required resources in the results, and click Edit Tag. You can bind or unbind tags in batches.
    

    Other Authorization Methods
