
TDMQ for RocketMQ

Permission Management

Last updated: 2025-09-24 18:31:31
TDMQ for RocketMQ provides an enterprise-level security protection system. Sub-account management combined with strict authorization and authentication mechanisms forms a multi-level security system that protects each step of message transmission and safeguards data.

Control Plane Permission (Account Level)

The Cloud Access Management (CAM) service provides root accounts, sub-accounts, and collaborators. It enables authorization between a root account and its sub-accounts as well as across organizational accounts. Each account can also control Tencent Cloud resources through API calls by using Access Key Management.

Identity Verification

You can access RocketMQ resources through the console or by calling the TencentCloud API. Both methods require identity authentication before the corresponding resource can be accessed.
Log in to the console: the login password is verified, and both login protection and a verification strategy are provided to enhance identity security. For details, see Change Login Password and Set Up Login Protection.
Call the TencentCloud API: the access key (AccessKey) is verified. The access key is the security credential that users need to access the Tencent Cloud API and pass identity verification, and it consists of a SecretId and a SecretKey. For details, see Account Access Key Management.
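
How a SecretId/SecretKey pair authenticates an API call under Tencent Cloud's signature method v3 (TC3-HMAC-SHA256), as an added example that is not part of the original page: the SecretId travels in the `Authorization` header, while the SecretKey only keys an HMAC chain and never leaves the client. The credentials, payload and timestamp are constructed placeholders, and `server_verify` is a simplified, assumed model of the server-side check.

```python
import hashlib
import hmac
from datetime import datetime, timezone

ALGORITHM = "TC3-HMAC-SHA256"
SIGNED_HEADERS = "content-type;host"
# Constructed sample values, not real credentials.
SECRET_ID, SECRET_KEY = "AKID-EXAMPLE-PLACEHOLDER", "constructed-secret-key"
HOST, SERVICE = "tdmq.tencentcloudapi.com", "tdmq"
PAYLOAD, TIMESTAMP = '{"Limit": 10, "Offset": 0}', 1758738691

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(secret_key, host, service, payload, timestamp):
    """Return (credential_scope, hex_signature) for a JSON POST to '/'."""
    date = datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d")
    canonical_headers = f"content-type:application/json; charset=utf-8\nhost:{host}\n"
    canonical_request = "\n".join([
        "POST", "/", "", canonical_headers, SIGNED_HEADERS,
        hashlib.sha256(payload.encode()).hexdigest(),
    ])
    scope = f"{date}/{service}/tc3_request"
    to_sign = "\n".join([ALGORITHM, str(timestamp), scope,
                         hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Key derivation: the SecretKey is mixed with date and service, never sent.
    k_date = _hmac(("TC3" + secret_key).encode(), date)
    k_signing = _hmac(_hmac(k_date, service), "tc3_request")
    return scope, _hmac(k_signing, to_sign).hex()

def authorization_header(secret_id, secret_key, host, service, payload, timestamp):
    scope, signature = sign(secret_key, host, service, payload, timestamp)
    return (f"{ALGORITHM} Credential={secret_id}/{scope}, "
            f"SignedHeaders={SIGNED_HEADERS}, Signature={signature}")

def server_verify(header, key_store, host, service, payload, timestamp):
    """Assumed server model: look up the SecretKey by SecretId and recompute."""
    secret_id = header.split("Credential=")[1].split("/")[0]
    presented = header.rsplit("Signature=", 1)[1]
    secret_key = key_store.get(secret_id)
    if secret_key is None:
        return False  # unknown SecretId: reject
    _, expected = sign(secret_key, host, service, payload, timestamp)
    return hmac.compare_digest(presented, expected)  # constant-time compare
```

Because the request body hash is part of the signed string, a captured header cannot be reused to authorize a different payload.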

Access Control

Through the Cloud Access Management (CAM) service, you can perform fine-grained permission management for RocketMQ resources at the account level.
User and permission management: Create independent users or roles for department members with different functions, based on the enterprise organizational structure, and allocate exclusive security credentials (console login password, cloud API key, etc.) or temporary credentials to ensure secure and controllable access to RocketMQ resources.
Fine-grained access control: Set differentiated access policies based on employee functions to precisely control the executable operations and accessible resource scope for each user or role, achieving strict permission isolation.
For a detailed introduction and operation instructions, see Grant Account Access Privileges.

Data Plane Permissions (RocketMQ Resource Level)

RocketMQ supports role-based authorization: you assign an independent role to each producer and consumer and grant it production or consumption permissions for different namespaces, which isolates permissions between roles. When a client-side operation involves producing or consuming messages, the system authenticates the request and rejects unauthorized operations.
This mechanism effectively implements permission isolation between different business units, ensuring message system security while meeting resource control requirements in team collaboration scenarios. By adhering to the principle of least privilege, it fundamentally prevents data corruption caused by unauthorized access.
For details, see Role and Authorization.

