tencent cloud

TDMQ for MQTT

Release Notes and Announcements
Release Notes
Product Introduction
TDMQ Product Series Introduction and Selection
What Is TDMQ for MQTT
Scenarios
Technical Architecture
Product series
MQTT Protocol Compatibility Notes
Comparison with Apache
High Availability
Product Constraints and Usage Quota
Basic Concepts
Supported Regions
Billing
Billing Overview
Renewal Instructions
Viewing Consumption Details
Overdue Payment Instructions
Refund
Getting Started
Guide for Getting Started
Preparations
Public Network Access
VPC Network Access
User Guide
Usage Process Guide
Configuring Account Permission
Creating a Cluster
Managing Topic
Connecting to the Cluster
Querying Messages
Managing Client
Managing a Cluster
Viewing Monitoring Metrics and Configuring Alarm Policies
Data Integration
Integrating Data Into SCF
Integrating Data Into CKafka
Integrating Data into RocketMQ
Development Guide
MQTT 5 Advanced Features
Data Plane HTTP API Description
Quota and Flow Control Mechanism Description
Configuring a Custom Domain Name
Configuring SQL Filtering
Configuring Point-to-Point Subscription
MQTT over QUIC
Managing Client Subscription
Message Enhancement Rule
Use Cases
Must-Knows for MQTT Client Development
Observability
Topic and Wildcard Subscriptions
​​API Reference
History
Introduction
API Category
Making API Requests
Cluster APIs
Topic APIs
Authorization Policy APIs
User APIs
Client APIs
Message Enhancement Rule APIs
Message APIs
Data Types
Error Codes
SDK Reference
Access Point Format
Java SDK
C SDK
Javascript/Node.JS/Mini Program
Go SDK
iOS SDK
JavaScript SDK
Dart SDK
Python SDK
.NET
Security and Compliance
Permission Management
FAQs
Related Agreement
Privacy Policy
Data Privacy And Security Agreement
TDMQ for MQTT Service Level Agreement
Contact Us
DocumentationTDMQ for MQTTUser GuideConfiguring Account PermissionGranting Tag-Level Permissions to Sub-accounts

Granting Tag-Level Permissions to Sub-accounts

PDF
Focus Mode
Font Size
Last updated: 2026-04-01 16:30:53

Scenarios

You can use the policy feature of the Cloud Access Management (CAM) console to grant the read/write permissions for MQTT resources owned by the root account and bound with tags to sub-accounts based on tags. Sub-accounts that obtain the permissions can then control resources under the corresponding tags.

Prerequisites

A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
At least one MQTT cluster resource instance is available.
At least one Tag is available. If no tag exists, you can choose the Tag console > Tag List to create one.

Operation Steps

Step 1: Binding a Tag to a Resource

1. Log in with the root account to the TDMQ for MQTT console and go to the Cluster page.
2. Select the target cluster, click Edit Resource Tag in the upper left corner, and bind the resource tag to the cluster.


Step 2: Authorizing by Tag

1. Log in to the CAM console.
2. In the left sidebar, select Policy, click Create Custom Policy, and select Authorize by Tag for the policy creation method.
3. In the Visual Strategy Generator, enter mqtt in Service to filter, select TDMQ for MQTT (mqtt) from the results, select All actions (*) under Action, or select corresponding actions as needed.
Note:
All APIs of a service are included in Action. You can use "Whether authorization by tag is supported" to filter APIs and check whether they support authorization by tag.
Yes: APIs that support authorization by tag. They have action permissions for resources associated with correpsonding tags.
No: APIs that do not support authorization by tag. In subsequent steps, you can choose whether to grant action permissions for all resources to these APIs.
To support authorization for multiple services, you can click Add in the upper-left corner to add multiple authorization statements and configure authorization policies for other services.

4. In the Select Tag position, select the tag key and tag value bound to the cluster resource. Multiple tags are in an OR relationship, and only one of them needs to be met.
5. In the Select Condition Key section, select condition keys. You can select both resource_tag and request_tag, or select either one of them.

6. Determine whether to grant the permission of "resource": "*" to APIs that do not support tags. If you select this option, APIs that do not support tags will have action permissions for all resources.
7. Click Next, set Policy Name, which is automatically generated by the console, defaulting to "policygen" with a numerical suffix generated based on the creation date. You can customize it.
8. Click Select User or Select User Group to select the user or user group to grant resource permissions.

9. Click Complete to enable the sub-account to control resources under the specified tag based on policies.

Previous Topic: Granting Resource-Level Permissions to Sub-accountsNext Topic: Creating a Cluster

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback