This document describes how to grant a user CMQ permissions, using the write permissions for message consumption and batch message consumption in the CMQ queue model as an example.
After CAM is connected, a sub-account can only view lists by default without any other operation permissions (the sub-account key is used for console login). The sub-account can get access permission only after it is authorized by the root account in CAM.
If the sub-account wants to view monitoring data in the console, it needs the permissions of Cloud Monitor APIs, which can be granted in CAM.
You can create a custom policy to grant the permissions of a specific API. The following takes the write permission (message consumption and batch message consumption) of CMQ queues as an example:
1. Log in to the CAM console, go to Policies from the left sidebar, and click Create Custom Policy in the upper-left corner.
2. Select Create by Policy Generator in the pop-up dialog box.
3. Provide the following information in the Visual Policy Generator tab.
   - `qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/myqueue`. For more information, see [Authorization of CAM-Enabled APIs](#Authorization of CAM-Enabled APIs).
   - `qcs`.
   - `cmqqueue` for queue model or `cmqtopic` for topic model.
   - `gz`, `bj`, or `sh`. If you want to specify all regions, leave this segment empty.
   - `uin/{root account uin}` of the root account.
   - `queueName/uin/{creator Uin}/{queue name}` for queue model or `topicName/uin/{creator Uin}/{topic name}` for topic model. You can find the creator Uin on the details page in the console or in the returned value of `createUin` of the `GetQueueAttributes` or `GetTopicAttributes` API.
4. Click Add Statement > Next to go to the policy editing page.
5. On the policy editing page, set the policy name, add description, and confirm the policy content. The policy name and content are automatically generated by the console.
   - `policygen` by default. The suffix number is generated based on the creation date and can be customized.
6. Click Done to complete the custom policy creation.
7. In the policy list, select the target policy, click Associated Users/Groups in the Action column, select the users or user groups to associate, and click Confirm to complete the configuration.
For more information about CAM policies, see Policy.
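
The six-segment resource description used in the policy generator can be checked mechanically before a policy is associated with users. The following Python sketch is an added example, not Tencent Cloud code: it parses one description using only the segment rules given on this page and reports entries whose scope is wider than a single region or resource. The function names and finding messages are illustrative assumptions.

```python
import re

# Segment rules below come from this page; names and messages are illustrative.
SERVICES = {"cmqqueue", "cmqtopic"}
RESOURCE_RE = re.compile(r"^(queueName|topicName)/uin/([^/]+)/(.+)$")

# Sample value shown on this page.
SAMPLE = "qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/myqueue"


def parse_resource(desc):
    """Split a six-segment description into named fields or raise ValueError."""
    parts = desc.split(":", 5)
    if len(parts) != 6:
        raise ValueError("expected 6 segments, got %d" % len(parts))
    prefix, second, service, region, account, resource = parts
    if prefix != "qcs" or second != "":
        raise ValueError("description must start with 'qcs::'")
    if service not in SERVICES:
        raise ValueError("unknown service segment %r" % service)
    if not account.startswith("uin/") or len(account) == 4:
        raise ValueError("account segment must be uin/{root account uin}")
    match = RESOURCE_RE.match(resource)
    if not match:
        raise ValueError("bad resource segment %r" % resource)
    return {
        "service": service,
        "region": region,  # empty string means all regions
        "root_uin": account[4:],
        "kind": match.group(1),
        "creator_uin": match.group(2),
        "name": match.group(3),
    }


def scope_findings(desc):
    """Return review findings for one resource entry of a policy statement."""
    if desc == "*":
        return ["wildcard: statement is not limited to a specific resource"]
    try:
        fields = parse_resource(desc)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    findings = []
    if fields["region"] == "":
        findings.append("region segment empty: applies to all regions")
    return findings


if __name__ == "__main__":
    print(parse_resource(SAMPLE), scope_findings(SAMPLE))
```
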
Note: The `list` API permissions of CMQ are all enabled by default (i.e., you can view the specific resource lists in the CMQ console after logging in). You can use the permissions to control what resource content can be displayed.
API Name | API Description | Resource Type | Example of Resource Six-Segment Description |
---|---|---|---|
ClearSubscriptionFilterTags | Clears the message tags of a subscriber. | Subscription API | qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name} |
CreateSubscribe | Creates a subscription API. | Subscription API | qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name} |
DeleteSubscribe | Deletes a subscription. | Subscription API | qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name} |
ModifySubscriptionAttribute | Modifies subscription attributes. | Subscription API | qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name} |
CreateTopic | Creates a topic. | Topic API | qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name} |
DeleteTopic | Deletes a topic. | Topic API | qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name} |
ModifyTopicAttribute | Modifies topic attributes. | Topic API | qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name} |
ClearQueue | Clears the messages in a queue. | Queue API | qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name} |
CreateQueue | Creates a queue. | Queue API | qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name} |
DeleteQueue | Deletes a queue. | Queue API | qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name} |
ModifyQueueAttribute | Modifies queue attributes. | Queue API | qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name} |

API Name | API Description | Resource Type | Example of Resource Six-Segment Description |
---|---|---|---|
DescribeSubscriptionDetail | Queries subscription details. | Subscription API | * |
DescribeTopicDetail | Queries topic details. | Topic API | * |
DescribeDeadLetterSourceQueues | Enumerates the source queues of a dead letter queue. | Queue API | * |
DescribeQueueDetail | Enumerates queues. | Queue API | * |
RewindQueue | Rewinds a queue. | Queue API | * |
UnbindDeadLetter | Unbinds a dead letter queue. | Queue API | * |