tencent cloud

TDMQ for Apache Pulsar

Release Notes and Announcements
Release Notes
Cluster Version Updates
Product Announcements
Product Introduction
Introduction and Selection of the TDMQ Product Series
What Is TDMQ for Apache Pulsar
Strengths
Scenarios
How It Works
Product Series
Version Support Instructions for Open-Source Apache Pulsar
Comparison with Open-Source Apache Pulsar
High Availability
Quotas and Limits
Basic Concepts
Billing
Billing Overview
Pricing
Billing Examples
Renewal
Viewing Consumption Details
Overdue Payments
Refund
Getting Started
Getting Started Guide
Preparations
Using the SDK to Send and Receive General Messages
Using the SDK to Send and Receive Advanced Feature Messages
User Guide
Usage Process Guide
Configuring the Account Permission
Creating a Cluster
Configuring the Namespace
Configuring the Topic
Connecting to a Cluster
Managing the Cluster
Querying Messages and Traces
Cross-Region Replication
Viewing Monitoring Data and Configuring Alarm Rules
Use Cases
Client Usage
Abnormal Consumer Isolation
Traffic Throttling Mechanisms
Transaction Reconciliation
Message Idempotence
Message Compression
Migration Guide
Single-Write Multiple-Read Cluster Migration Solutions
Hitless Migration from Virtual Cluster to Pro Cluster
SDK Reference
API Overview
SDK Reference
SDK Overview
Recommended SDK Configuration Parameters
TCP Protocol (Apache Pulsar)
Security and Compliance
Permission Management
Deletion Protection
CloudAudit
FAQs
Monitoring
Clients
Agreements
Service Level Agreement
TDMQ Policy
Contact Us
Glossary
DocumentationTDMQ for Apache PulsarUser GuideConfiguring the Account PermissionGranting the Resource-Level Permission to Sub-accounts

Granting the Resource-Level Permission to Sub-accounts

PDF
Focus Mode
Font Size
Last updated: 2025-12-24 14:59:00

Scenarios

You can use the policy feature in the Cloud Access Management (CAM) console to grant sub-accounts access permissions for the TDMQ for Apache Pulsar resources owned by the root account. The sub-accounts that are granted these permissions can use the resources. This document describes how to grant permissions for the resources of a cluster to a sub-account. The operation steps for other resource types are similar.

Prerequisites

Sub-accounts have been created for employees by using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
At least one TDMQ for Apache Pulsar cluster has been created.

Operation Steps

Step 1: Obtaining the ID of a TDMQ for Apache Pulsar Cluster

1. Log in to the TDMQ for Apache Pulsar console by using the root account, and click an existing cluster instance to go to the Details page.
2. On the Basic Info tab, the ID field is the ID of the current TDMQ for Apache Pulsar cluster.


Step 2: Creating an Authorization Policy

1. Log in to the CAM console.
2. In the left sidebar, choose Policies, click Create a custom policy, and then select Create by policy bulider for the policy creation method.
3. In the visual policy generator, retain Allow for Effect, enter TDMQ in the Service field for filtering, and then select Tencent Distributed Message Queue (tdmq) from the results.
4. Select All actions for Actions. You can also select appropriate operation types based on your actual business requirements.
Note:
Currently, some APIs do not support resource-level authorization. The APIs supporting resource-level authorization are subject to those displayed in the console.



5. In the Resource section, select Specific resources, find the cluster resource type. You can select Any resource of this type (authorize all cluster resources) on the right of the cluster resource type, or click Add a six-segment resource description (authorize specific cluster resources) for the cluster resource type. In the pop-up dialog box on the right, enter the cluster ID in the Resource Prefix field.

6. In the Condition section, determine whether to specify the source IP address based on actual business requirements. If it is specified, access to the specified operation is allowed only when the request comes from the specified IP address range.
Click Next and set the policy name. The policy name is automatically generated by the console. By default, the policy name is policygen, with a suffix number generated based on the creation date. You can customize the policy name.
7. Click Select User or Select User Group to select the users or user groups to which resource permissions need to be granted.



8. Click completed. The sub-account granted resource permissions can access the relevant resources.
Previous Topic: Granting the Operation-Level Permission to Sub-accountsNext Topic: Granting the Tag-Level Permission to Sub-accounts

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback