TDMQ for MQTT provides a comprehensive enterprise-grade security protection system. Through master/sub-account management and strict authentication and authorization mechanisms, it builds multi-level, all-round protection so that every step of message transmission is reliably protected and data security is fully guaranteed.
Control Plane Permission (Account-Level)
Through Cloud Access Management (CAM) features such as root account, sub-account, and collaborator, it enables authorization between a root account and its sub-accounts as well as across organizational accounts. It also allows control over API calls to Tencent Cloud resources via the account's Access Key Management.
Identity Verification
MQTT resources are accessed via the console or via TencentCloud API calls. Both methods require identity authentication before the corresponding resource can be accessed.
Logging in to the console: The login password is verified, and login protection and login verification policies are provided to strengthen identity authentication. For details, see Changing the Login Password and Setting Login Protection.
Calling the TencentCloud API: An access key is required. The access key is the secure credential used to verify a user's identity when accessing the Tencent Cloud API; it consists of a SecretId and a SecretKey. For details, see Access Key Management.
Access Control
Through Cloud Access Management (CAM), you can perform refined permission management for MQTT resources at the account level.
User and permission management: Based on the enterprise organizational structure, create independent users or roles for different department members, and allocate exclusive security credentials (console login password, cloud API key, etc.) or temporary credentials to ensure secure and controllable access to MQTT resources.
Fine-grained access control: Set differentiated access policies based on employee functions to precisely control the executable operations and accessible resource scope for each user/role, achieving strict permission isolation.
Data Plane Permissions (MQTT Resource Level)
MQTT provides double security protection through authentication management and authorization policies. Authentication verifies device identity, while authorization policies give granular control over Topic operation permissions, achieving fine-grained resource-level access isolation.
Authentication
MQTT provides multiple authentication methods to ensure communication security between the server and clients. During client access, the configured authentication method verifies the client identity. Only after successful authentication is access permitted, ensuring legitimate device integration.
Five authentication methods are currently supported: username+password authentication, X.509 certificate authentication, JWT authentication, external HTTP authentication, and unique secret per device. Select one of these five methods to use.
Authorization
MQTT supports fine-grained authorization policies, which can authorize by username, Client Identifier, topic, Client IP address, and action (connect, publish, subscribe). After enabling authorization policy management, when an MQTT Client connects, publishes, or subscribes, the server will query the authorization data source, match the queried access control rules with the action to be performed, and determine whether to allow or deny this operation based on the matching result.
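The following is an added illustration, not TDMQ's own code or documented semantics, of how an authorization data source keyed on the five dimensions above (username, Client Identifier, topic, Client IP address, action) is evaluated against a client action. The rule format, the explicit-deny-wins precedence and the default deny for unmatched requests are assumptions chosen for the example; topic filters use standard MQTT `+` and `#` wildcard semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One constructed access control rule; a field of None means 'any'."""
    effect: str                       # "allow" or "deny" (assumed format)
    action: str                       # "connect", "publish" or "subscribe"
    username: Optional[str] = None
    client_id: Optional[str] = None
    topic: Optional[str] = None       # MQTT topic filter with + and # wildcards
    client_ip: Optional[str] = None   # CIDR block, e.g. "10.0.0.0/8"

def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT matching: '+' matches one level, '#' the remaining levels."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

def rule_matches(rule: Rule, action, username, client_id, client_ip, topic) -> bool:
    """True when every dimension the rule constrains matches the request."""
    if rule.action != action:
        return False
    if rule.username is not None and rule.username != username:
        return False
    if rule.client_id is not None and rule.client_id != client_id:
        return False
    if rule.topic is not None and (topic is None or not topic_matches(rule.topic, topic)):
        return False
    if rule.client_ip is not None and \
            ipaddress.ip_address(client_ip) not in ipaddress.ip_network(rule.client_ip):
        return False
    return True

def authorize(rules, action, username, client_id, client_ip, topic=None) -> str:
    """Assumed precedence: any matching deny wins; otherwise allow only if a rule allows."""
    decision = "deny"   # default deny for requests no rule matches (assumption)
    for rule in rules:
        if rule_matches(rule, action, username, client_id, client_ip, topic):
            if rule.effect == "deny":
                return "deny"
            decision = "allow"
    return decision

# Constructed sample policy: devices may connect only from the internal range,
# each sensor publishes under its own subtree, the dashboard reads temperatures,
# and nobody publishes to the command subtree even if another rule allows it.
RULES = [
    Rule("allow", "connect", client_ip="10.0.0.0/8"),
    Rule("allow", "publish", username="sensor-01", topic="telemetry/sensor-01/#"),
    Rule("allow", "subscribe", username="dashboard", topic="telemetry/+/temp"),
    Rule("allow", "publish", username="ops", topic="#"),
    Rule("deny", "publish", topic="cmd/#"),
]
```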