Account Permission Overview
Last updated: 2025-12-24 14:59:00
If you need to implement fine-grained permission management for TDMQ for Apache Pulsar resources, you can use the Cloud Access Management (CAM) service to implement the following features:
User and permission assignment: Based on the organizational structure of the enterprise, create independent users or roles for members of different functional departments. Assign dedicated security credentials (such as the console login password and TencentCloud API key) or request temporary security credentials to ensure secure and controlled access to TDMQ for Apache Pulsar resources.
Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.
Account System Introduction
The following table describes the capability differences among different account types and relevant reference documentation.
Account Type | Root Account | Sub-account | ||
| | Sub-user | Collaborator | Message Recipient |
Definition | It has all Tencent Cloud resources and can access any of its resources. | It is created by the root account and fully owned by the root account that created it. | It has the root account identity. When it is added as a collaborator of the current root account, it becomes one of the sub-accounts of the current root account. It can switch back to its root account identity. | It can only receive messages. |
Console access | ✔ | ✔ | ✔ | - |
Programmatic access | ✔ | ✔ | ✔ | - |
Policy authorization | By default, it has all policies. | ✔ | ✔ | - |
Message notification | ✔ | ✔ | ✔ | ✔ |
Reference documentation | ||||
Note:
To ensure the security of your Tencent Cloud account and cloud resources, you should avoid directly using the Tencent Cloud root account to perform resource operations unless necessary. Instead, you should create sub-accounts and assign policies based on the principle of least privilege. Use sub-accounts with limited permissions to manage your cloud resources.
Policies
A policy is used to define and describe the syntax specification for one or more permissions. By default, the root account has access permissions for all resources under it, but sub-accounts do not have access permissions for any resources under the root account.
The root account can grant permissions to view and use specific resources by associating policies with users or user groups. The policy types of Tencent Cloud are classified into preset policies and custom policies.
Preset Policies
TDMQ for Apache Pulsar provides two types of preset policies for sub-accounts.
Policies | Description |
QcloudTDMQFullAccess | Full read-write access permissions, allowing sub-accounts to perform read and write operations in the product console. |
QcloudTDMQReadOnlyAccess | Read-only access permissions, only allowing sub-accounts to view relevant information in the console. |
Custom Policies
If system permission policies do not meet your requirements, you can create custom permission policies to achieve least privilege. Policy settings can be precisely specified to the API, resource, user/user group, allow/deny, and condition dimensions. Custom permission policies help you achieve fine-grained control and effectively enhance resource access security.
Currently, Tencent Cloud provides the following two methods for creating custom policies to flexibly meet different usage habits and requirements:
Visual view: Wizard-based operations are provided. Users can select elements such as cloud services, operations, resources, and conditions on the interface without the need to understand the policy syntax. The system automatically generates policies, lowering the barrier to use.
JSON view: After you select a policy template, you can edit the policy content according to specific requirements. You can also directly write JSON-formatted policy content in the editor. This method is suitable for users with a specific technical background.
Example of a Custom Policy
Sub-accounts granted this permission policy only have permissions to obtain the instance information of TDMQ for Apache Pulsar Pro Edition clusters, query the list of topics under namespaces, and consume messages in the console and by using APIs for the instance pulsar-xxx.
{"version": "2.0","statement": [{"effect": "allow","action": ["tdmq:DescribePulsarProInstanceDetail","tdmq:GetTopicList","tdmq:ReceiveMessage"],"resource": ["*"]}]}
Sub-account Authorization
When sub-accounts use TDMQ for Apache Pulsar, they need to be granted two types of permissions.
Type | Description | Reference Documentation |
Access permissions for other cloud products | During the use of TDMQ for Apache Pulsar, access to other cloud product resources such as Virtual Private Cloud VPC and Cloud Virtual Machine (CVM) is required. For example, a sub-account needs to view the information about the AZ to which the subnet of the user belongs. | |
Read/write permissions for TDMQ for Apache Pulsar resources | Read/write permissions for TDMQ for Apache Pulsar resources are required. |
Documentation
Purpose | Link |
Understanding the relationship between policies and users | |
Understanding the basic policy structure | |
Learning which products support CAM |
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No
Feedback