Account Permission Management Overview

Last updated:2026-01-20 16:52:39

Account Permission Management Overview

Last updated: 2026-01-20 16:52:39

To perform fine-grained permission management for TDMQ for CKafka (CKafka) resources, you can use Cloud Access Management (CAM) to achieve the following features:
User and permission assignment: Based on the enterprise organizational structure, independent users or roles are created for members of different functional departments, and dedicated security credentials (such as the console login password and cloud API key) or temporary credentials are assigned to ensure secure and controlled access to CKafka resources.
Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.
Account System Introduction
The capability differences between different account types and the reference documentation are as follows:
Account Type
Root Account
Sub-account
﻿
﻿
﻿
﻿
Sub-user
Collaborator
Message Recipient
Definition
It owns all Tencent Cloud resources and can access any of its resources.
It is created by the root account and fully owned by the root account that created the sub-user.
It has the root account identity. When it is added as a collaborator of a root account, it becomes one of the sub-accounts of the root account. It can switch back to its root account identity.
It can only receive messages.
Console access
✔
✔
✔
- 
Programmatic access
✔
✔
✔
- 
Policy authorization
By default, it owns all policies.
✔
✔
- 
Message notification
✔
✔
✔
✔
Reference Documentation
Root Account Related
Creating a Sub-user
Creating a Collaborator
Creating a Message Recipient
Note:
To ensure the security of your Tencent Cloud account and cloud resource usage, avoid using the Tencent Cloud root account directly to operate resources unless necessary. Instead, create sub-accounts, assign them policies based on the principle of least privilege, and use these sub-accounts with limited permissions to operate your cloud resources.
Policies
Policies are used to define and describe the syntax rules for one or more permissions. By default, the root account has access permissions for all resources under it, while its sub-accounts have no access permissions for any resources under it.
The root account can grant users/user groups the permission to view and use specific resources by associating policies with them. Tencent Cloud policies are categorized into preset policies and custom policies.
Preset Policies
CKafka provides two preset policies for sub-accounts:
Policies
Description
QcloudCKafkaFullAccess
Full read/write access permissions, which allow you to perform read/write operations in the product console.
QcloudCkafkaReadOnlyAccess
Read-only access permissions, which allow you to view related information in the console only.
Custom Policies
If the system permission policy cannot meet your requirements, you can create a custom permission policy to achieve least privilege. Policy settings can be precisely controlled at the API, [resources, users/user groups, allow/deny, conditions] dimensions. Using custom permission policies helps achieve fine-grained control of permissions and is an effective means to enhance resource access security.
Currently, Tencent Cloud provides the following two flexible custom policy creation methods to meet different usage habits and requirements:
Visual view: Wizard-based operations are provided. Users can select elements such as cloud services, operations, resources, and conditions on pages without needing to understand the policy syntax. The system automatically generates policies, lowering the barrier to use.
JSON view: After you select a policy template, you can edit the policy content based on specific requirements. You can also directly write JSON-formatted policy content in the editor. This method is suitable for users with a specific technical background.
Custom Policy Example
In the following example, the sub-account with UIN 1000*****002 will have permissions to obtain instance specification configurations, query instance version information, and query messages for the instance ckafka-test in the Guangzhou region via both the console and APIs.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "ckafka:DescribeCkafkaTypeConfigs",
                "ckafka:DescribeCkafkaVersion",
                "ckafka:FetchMessageByOffset"
            ],
            "resource": [
                "qcs::ckafka:ap-guangzhou:uin/1000*****002:ckafkaId/ckafka-test"
            ]
        }
    ]
}
Sub-account Authorization Operations
When a sub-account uses CKafka, permissions need to be granted in two aspects:
Type
Description
Reference Documentation
Permissions to access other cloud products
During the use of CKafka, access to other cloud product resources such as Virtual Private Cloud VPC and Cloud Virtual Machine (CVM) is required. For example, a sub-account needs to view the information about the AZ to which the subnet of the user belongs.
Granting Access Permissions for Other Cloud Products to Sub-accounts
Read/Write permissions for CKafka resources
Read/Write permissions for CKafka resources are required.
Granting Operation-Level Permissions to Sub-accounts
Granting Resource-Level Permissions to Sub-accounts
Granting Tag-Level Permissions to Sub-accounts
Documentation
Target
Link
Understand the relationship between policies and users.
Policy Management
Understand the basic structure of a policy.
Policy Syntax
Understand which other products support CAM.
Products that Support CAM
﻿

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

Feedback

Account Type	Root Account	Sub-account
Account Type	Root Account			Sub-user	Collaborator	Message Recipient
Definition	It owns all Tencent Cloud resources and can access any of its resources.	It is created by the root account and fully owned by the root account that created the sub-user.	It has the root account identity. When it is added as a collaborator of a root account, it becomes one of the sub-accounts of the root account. It can switch back to its root account identity.	It can only receive messages.
Console access	✔	✔	✔	-
Programmatic access	✔	✔	✔	-
Policy authorization	By default, it owns all policies.	✔	✔	-
Message notification	✔	✔	✔	✔
Reference Documentation	Root Account Related	Creating a Sub-user	Creating a Collaborator	Creating a Message Recipient

Policies	Description
QcloudCKafkaFullAccess	Full read/write access permissions, which allow you to perform read/write operations in the product console.
QcloudCkafkaReadOnlyAccess	Read-only access permissions, which allow you to view related information in the console only.

Type	Description	Reference Documentation
Permissions to access other cloud products	During the use of CKafka, access to other cloud product resources such as Virtual Private Cloud VPC and Cloud Virtual Machine (CVM) is required. For example, a sub-account needs to view the information about the AZ to which the subnet of the user belongs.	Granting Access Permissions for Other Cloud Products to Sub-accounts
Read/Write permissions for CKafka resources	Read/Write permissions for CKafka resources are required.	Granting Operation-Level Permissions to Sub-accounts Granting Resource-Level Permissions to Sub-accounts Granting Tag-Level Permissions to Sub-accounts

Target	Link
Understand the relationship between policies and users.	Policy Management
Understand the basic structure of a policy.	Policy Syntax
Understand which other products support CAM.	Products that Support CAM

tencent cloud

Account System Introduction

Policies

Preset Policies

Custom Policies

Sub-account Authorization Operations

Documentation