Account Permission Overview

Last updated: 2025-12-24 14:59:00
If you need to implement fine-grained permission management for TDMQ for Apache Pulsar resources, you can use the Cloud Access Management (CAM) service to implement the following features:
- User and permission assignment: Based on the organizational structure of the enterprise, create independent users or roles for members of different functional departments. Assign dedicated security credentials (such as the console login password and TencentCloud API key) or request temporary security credentials to ensure secure and controlled access to TDMQ for Apache Pulsar resources.
- Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.

Account System Introduction

The following table describes the capability differences among different account types and relevant reference documentation.
| Account Type | Root Account | Sub-account: Sub-user | Sub-account: Collaborator | Sub-account: Message Recipient |
| --- | --- | --- | --- | --- |
| Definition | It has all Tencent Cloud resources and can access any of its resources. | It is created by the root account and fully owned by the root account that created it. | It has the root account identity. When it is added as a collaborator of the current root account, it becomes one of the sub-accounts of the current root account. It can switch back to its root account identity. | It can only receive messages. |
| Console access | | | | - |
| Programmatic access | | | | - |
| Policy authorization | By default, it has all policies. | | | - |
| Message notification | | | | |
| Reference documentation | | | | |
Note:
To ensure the security of your Tencent Cloud account and cloud resources, you should avoid directly using the Tencent Cloud root account to perform resource operations unless necessary. Instead, you should create sub-accounts and assign policies based on the principle of least privilege. Use sub-accounts with limited permissions to manage your cloud resources.

Policies

A policy is a syntax specification that defines and describes one or more permissions. By default, the root account has access permissions for all resources under it, but sub-accounts do not have access permissions for any resources under the root account.
The root account can grant permissions to view and use specific resources by associating policies with users or user groups. The policy types of Tencent Cloud are classified into preset policies and custom policies.

Preset Policies

TDMQ for Apache Pulsar provides two types of preset policies for sub-accounts.
| Policies | Description |
| --- | --- |
| QcloudTDMQFullAccess | Full read-write access permissions, allowing sub-accounts to perform read and write operations in the product console. |
| QcloudTDMQReadOnlyAccess | Read-only access permissions, only allowing sub-accounts to view relevant information in the console. |

Custom Policies

If system permission policies do not meet your requirements, you can create custom permission policies to achieve least privilege. Policy settings can be precisely specified to the API, resource, user/user group, allow/deny, and condition dimensions. Custom permission policies help you achieve fine-grained control and effectively enhance resource access security.
Currently, Tencent Cloud provides the following two methods for creating custom policies to flexibly meet different usage habits and requirements:
- Visual view: Wizard-based operations are provided. Users can select elements such as cloud services, operations, resources, and conditions on the interface without the need to understand the policy syntax. The system automatically generates policies, lowering the barrier to use.
- JSON view: After you select a policy template, you can edit the policy content according to specific requirements. You can also directly write JSON-formatted policy content in the editor. This method is suitable for users with a specific technical background.
Example of a Custom Policy
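Sub-accounts granted this permission policy have permissions only to obtain the instance information of TDMQ for Apache Pulsar Pro Edition clusters, query the list of topics under namespaces, and consume messages, in the console and through APIs, for the instance pulsar-xxx. Note that the resource element in the JSON as shown is "*", which matches all resources rather than a single instance; restricting the policy to pulsar-xxx requires replacing the wildcard with the resource description of that instance.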
```json
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "tdmq:DescribePulsarProInstanceDetail",
                "tdmq:GetTopicList",
                "tdmq:ReceiveMessage"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
```
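The following is an added example, not part of Tencent Cloud's documentation: a small Python check that parses a CAM policy document and flags allow statements that are broader than intended, run here against the example policy above. The `INTENDED_ACTIONS` set and the function names are assumptions chosen for illustration.

```python
import json

# The example policy from this page, embedded so the check runs offline.
PAGE_POLICY = """
{"version": "2.0",
 "statement": [{"effect": "allow",
                "action": ["tdmq:DescribePulsarProInstanceDetail",
                           "tdmq:GetTopicList",
                           "tdmq:ReceiveMessage"],
                "resource": ["*"]}]}
"""

# Assumption: the three operations the page says the sub-account should have.
INTENDED_ACTIONS = {
    "tdmq:DescribePulsarProInstanceDetail",
    "tdmq:GetTopicList",
    "tdmq:ReceiveMessage",
}


def _as_list(value):
    """Normalize a single string or a list to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_text, intended_actions):
    """Return (statement_index, finding) pairs for over-broad allow statements."""
    findings = []
    statements = json.loads(policy_text).get("statement", [])
    if isinstance(statements, dict):  # tolerate a single statement object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # deny statements cannot widen access
        for action in _as_list(stmt.get("action")):
            if "*" in action:
                findings.append((index, "wildcard action " + action))
            elif action not in intended_actions:
                findings.append((index, "unintended action " + action))
        if "*" in _as_list(stmt.get("resource")) and not stmt.get("condition"):
            findings.append((index, "resource * without condition"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_policy(PAGE_POLICY, INTENDED_ACTIONS):
        print(f"statement {index}: {finding}")
```

Run against the page's policy, the check reports the wildcard resource in statement 0; the same statement with a specific resource description in place of "*" produces no findings.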

Sub-account Authorization

When sub-accounts use TDMQ for Apache Pulsar, they need to be granted two types of permissions.
| Type | Description | Reference Documentation |
| --- | --- | --- |
| Access permissions for other cloud products | During the use of TDMQ for Apache Pulsar, access to other cloud product resources such as Virtual Private Cloud (VPC) and Cloud Virtual Machine (CVM) is required. For example, a sub-account needs to view the information about the AZ to which the subnet of the user belongs. | |
| Read/write permissions for TDMQ for Apache Pulsar resources | Read/write permissions for TDMQ for Apache Pulsar resources are required. | |

Documentation

| Purpose | Link |
| --- | --- |
| Understanding the relationship between policies and users | |
| Understanding the basic policy structure | |
| Learning which products support CAM | |
