
Granting Resource-Level Permissions to Sub-accounts

Last updated: 2026-04-01 16:30:53

Scenarios

You can use the policy feature in the Cloud Access Management (CAM) console to grant sub-accounts access to MQTT resources owned by the root account. A sub-account that has been granted permissions can then use those resources. This document describes how to grant a sub-account permissions for the resources in a cluster. The steps for other resource types are similar.

Prerequisites

A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
At least one MQTT cluster is available.

Operation Steps

Step 1: Obtaining the Resource ID of an MQTT Cluster

Log in to the TDMQ for MQTT console with the root account and copy the cluster ID from the Cluster page.


Step 2: Creating an Authorization Policy

1. Log in to the CAM console.
2. In the left sidebar, select Policy, click Create Custom Policy, and select Create by Policy Generator as the policy creation method.
3. In the Visual Strategy Generator, leave Effect set to Allow, enter mqtt in Service to filter the list, and select TDMQ for MQTT (mqtt) from the results.
4. In Action, choose All actions (mqtt:*) or select individual operation types as needed.
Note:
Certain APIs temporarily do not support resource-level authentication. The APIs displayed on the console page are authoritative for which ones support it.
5. In Resource, select Specific resources and find the instance resource type. On the right, either check Any resource of this type (authorizes all cluster resources) or click Add a six-segment resource description (authorizes a specific cluster resource). In the pop-up sidebar dialog box, enter the cluster ID under Resource Prefix.
6. In the pop-up sidebar dialog box, enter the resource ID to authorize under Resource Prefix.
7. In Condition, choose whether to specify a source IP based on your business needs. If one is specified, only requests from the specified IP range are allowed to perform the specified actions.
8. Click Next and set Policy Name. The console generates a default name, "policygen" with a numerical suffix based on the creation date, which you can customize.
9. Click Select User or Select User Group to choose the user or user group that receives the resource permissions.

10. Click Complete. The sub-account that was granted resource permissions can now access the relevant resources.
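The choices made in steps 4 to 7 end up as fields of a CAM policy document. The following added example (not Tencent Cloud's own code) builds an all-clusters policy next to a single-cluster one and lists where the first is broader. The `uin/...` and `instance/...` segment forms, the wildcard resource string, and the UIN, cluster ID, action name and CIDR are assumptions or constructed placeholders.

```python
import json

def six_segment(region, uin, cluster_id):
    # qcs:project_id:service_type:region:account:resource (project_id left empty).
    # ASSUMPTION: "uin/<id>" account form and "instance/<cluster ID>" resource form.
    return f"qcs::mqtt:{region}:uin/{uin}:instance/{cluster_id}"

def build_policy(resources, actions, source_cidrs=None):
    """One allow statement; the optional condition restricts the source IP."""
    stmt = {"effect": "allow", "action": list(actions), "resource": list(resources)}
    if source_cidrs:
        stmt["condition"] = {"ip_equal": {"qcs:ip": list(source_cidrs)}}
    return {"version": "2.0", "statement": [stmt]}

def review(policy):
    """List the places where an allow statement is broader than one cluster."""
    findings = []
    for n, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        for act in stmt.get("action", []):
            if act == "*" or act.endswith(":*"):
                findings.append(f"statement {n}: all actions granted ({act})")
        for res in stmt.get("resource", []):
            if res == "*" or res.endswith("/*"):
                findings.append(f"statement {n}: every resource of the type ({res})")
            elif len(res.split(":", 5)) != 6 or not res.startswith("qcs:"):
                findings.append(f"statement {n}: not a six-segment description ({res})")
        if "condition" not in stmt:
            findings.append(f"statement {n}: no source IP condition")
    return findings

# Constructed sample values: UIN, cluster ID, action name and CIDR are placeholders.
# ASSUMPTION: "Any resource of this type" corresponds to a trailing "instance/*".
BROAD = build_policy(["qcs::mqtt:::instance/*"], ["mqtt:*"])
SCOPED = build_policy(
    [six_segment("ap-guangzhou", "100000000001", "mqtt-example1234")],
    ["mqtt:ExampleAction"],  # placeholder; pick the real actions listed in the console
    ["203.0.113.0/24"],      # documentation range (RFC 5737)
)

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, json.dumps(pol, indent=2))
        for finding in review(pol):
            print("  -", finding)
```

A bare cluster ID pasted in place of the full description is reported as not being a six-segment description.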

