Release Notes and Announcements

Release Notes

Announcements

Security Announcements

Product Introduction

Overview

Strengths

Architecture

Features

Use Cases

Constraints and Limits

Technical Support Scope

Product release

Purchase Guide

EMR on CVM Billing Instructions

EMR on TKE Billing Instructions

EMR Serverless HBase Billing Instructions

Getting Started

EMR on CVM Quick Start

EMR on TKE Quick Start

EMR on CVM Operation Guide

Planning Cluster

Administrative rights

Configuring Cluster

Managing Cluster

Managing Service

Monitoring and Alarms

TCInsight

EMR on TKE Operation Guide

Introduction to EMR on TKE

Configuring Cluster

Cluster Management

Service Management

Monitoring and Ops

Application Analysis

EMR Serverless HBase Operation Guide

EMR Serverless HBase Product Introduction

Quotas and Limits

Planning an Instance

Managing an Instance

Monitoring and Alarms

Development Guide

EMR Development Guide

Hadoop Development Guide

Spark Development Guide

Hbase Development Guide

Phoenix on Hbase Development Guide

Hive Development Guide

Presto Development Guide

Sqoop Development Guide

Hue Development Guide

Oozie Development Guide

Flume Development Guide

Kerberos Development Guide

Knox Development Guide

Alluxio Development Guide

Kylin Development Guide

Livy Development Guide

Kyuubi Development Guide

Zeppelin Development Guide

Hudi Development Guide

Superset Development Guide

Impala Development Guide

Druid Development Guide

TensorFlow Development Guide

Kudu Development Guide

Ranger Development Guide

Kafka Development Guide

Iceberg Development Guide

StarRocks Development Guide

Flink Development Guide

JupyterLab Development Guide

MLflow Development Guide

Practical Tutorial

Practice of EMR on CVM Ops

Data Migration

Practical Tutorial on Custom Scaling

API Documentation

History

Introduction

API Category

Cluster Resource Management APIs

Cluster Services APIs

User Management APIs

Data Inquiry APIs

Scaling APIs

Configuration APIs

Other APIs

Serverless HBase APIs

YARN Resource Scheduling APIs

Making API Requests

Data Types

Error Codes

FAQs

EMR on CVM

Service Level Agreement

Collaborator or Sub-user Authorization

PDF

Focus Mode

Font Size

Last updated: 2026-01-13 16:29:11

Authorization Scheme
In practical cases, the product usage accounts are typically collaborators or sub-users. Depending on authorization requirements, you can grant different granularity operation permissions to sub-users or collaborators through the following methods.
Authorization Scheme
Applicable Scenario
Operation Instructions
Authorization based on preset permissions
Applicable to sub-users to configure management permissions for all resources.
Set sub-user permissions: Quickly grant relevant access permissions to sub-users through preset policies. For details, see Preset Policy Overview.
Authorization based on custom permission policies
Applicable to granular management of sub-user permissions, including:
Operation-based authorization: Grant sub-users partial operation configuration permissions.
Basic tag-based authorization: Grant sub-users management permissions for resources with different attribute tags.
Mandatory tag-based authorization: Grant sub-users management permissions for resources with different attribute tags, requiring sub-users to bind only the resources with authorized tags when creating resources.
Set resource tags: Add attribute tags to resources when creating resources.
Set sub-user permissions: Create a CAM custom policy and grant it to a sub-user. For more examples of custom policy application scenarios, see Custom Policy Operation Guide.
Prerequisites
Complete EMR service (service-related) role authorization. For details, see Role Authorization.
Preset Policy Operation Examples
Preset Policy Overview
Policy Name
Description
Required or Optional
Description
QcloudEMRFullAccess
Full read-write access for EMR (EMR)
No
Full feature operation permissions for EMR products. 
QcloudEMRReadOnlyAccess
Read-only access for EMR (EMR)
No
View permissions for all features of EMR products
QcloudEMRPurchaseAccess
Financial permissions for EMR products
No
If purchase or change of configuration is not needed, this permission can be disabled.
QcloudCamRoleFullAccess
Full read-write access for CAM Users and Roles
No
This permission can be added to create users, custom policies, and custom roles, as well as to perform other operations.
Note:
The pre-defined QcloudEMRPurchaseAccess policy allows you to manage the financial permissions for purchasing EMR products for all users. When this policy is granted to a user, it includes the financial permissions for CVM, CDB, and EMR. If you need to restrict a user's ability to purchase CVM and CDB, do not grant the corresponding product ordering permissions.
Purchase and manage EMR clusters
For scenarios involving resource purchasing (including creating clusters, modifying configurations, or scaling out), granting collaborators or sub-users the EMR access policy, EMR financial policy, and the custom TencentDB purchase policy is required. If there are no resource purchasing scenarios (including service configuration management or restarts), only the EMR access policy is required.
Note:
For the annual/monthly subscription purchase method, if financial permissions are not granted, a pending order will be generated and linked to an account with financial permissions for approval. The pay-as-you-go purchase method does not support order approval; financial permissions must be granted.
Policy Category
Policy Name
Policy Description
EMR Preset Policy
QcloudEMRFullAccess
Full read-write access for EMR (select one)
EMR Preset Policy
QcloudEMRReadOnlyAccess
Read-only access for EMR (choose one of the two)
EMR Preset Policy
QcloudEMRPurchaseAccess
Financial permissions for EMR products
The root account grants the above permissions to the Sub-user or Collaborator. The steps are as follows:
1. Log in to CAM Console, find the corresponding Sub-user or collaborator in Users > User List, then click Authorize.
﻿
2. Search for the policy listed in the table above (the following image takes QcloudEMRFullAccess policy as an example) within Associated Policies. Once the policy is selected, click OK to confirm.
3. Grant the EMR financial policy QcloudEMRPurchaseAccess, similar to step 2.
﻿
Setting Custom Service Role
For scenarios involving setting custom service roles, including setting the cluster COS service role, which is used for precise control of COS bucket permissions (For details, see Custom Cluster COS Service Role), and granting collaborators or sub-users the CAM access policy is required. The specific steps are as follows:
1. Log in to the CAM console, find the corresponding sub-user or collaborator in User > User List, then click Authorize.
﻿
2. Search for QcloudCamRoleFullAccess policy within Associated Policies. Once the policy is selected, click OK to confirm.
﻿
﻿

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

Elastic MapReduce

Collaborator or Sub-user Authorization

Authorization Scheme

Prerequisites

Preset Policy Operation Examples

Preset Policy Overview

Purchase and manage EMR clusters

Setting Custom Service Role

Help and Support

Authorization Scheme	Applicable Scenario	Operation Instructions
Authorization based on preset permissions	Applicable to sub-users to configure management permissions for all resources.	Set sub-user permissions: Quickly grant relevant access permissions to sub-users through preset policies. For details, see Preset Policy Overview.
Authorization based on custom permission policies	Applicable to granular management of sub-user permissions, including: Operation-based authorization: Grant sub-users partial operation configuration permissions. Basic tag-based authorization: Grant sub-users management permissions for resources with different attribute tags. Mandatory tag-based authorization: Grant sub-users management permissions for resources with different attribute tags, requiring sub-users to bind only the resources with authorized tags when creating resources.	Set resource tags: Add attribute tags to resources when creating resources. Set sub-user permissions: Create a CAM custom policy and grant it to a sub-user. For more examples of custom policy application scenarios, see Custom Policy Operation Guide.

Policy Name	Description	Required or Optional	Description
QcloudEMRFullAccess	Full read-write access for EMR (EMR)	No	Full feature operation permissions for EMR products.
QcloudEMRReadOnlyAccess	Read-only access for EMR (EMR)	No	View permissions for all features of EMR products
QcloudEMRPurchaseAccess	Financial permissions for EMR products	No	If purchase or change of configuration is not needed, this permission can be disabled.
QcloudCamRoleFullAccess	Full read-write access for CAM Users and Roles	No	This permission can be added to create users, custom policies, and custom roles, as well as to perform other operations.

Policy Category	Policy Name	Policy Description
EMR Preset Policy	QcloudEMRFullAccess	Full read-write access for EMR (select one)
EMR Preset Policy	QcloudEMRReadOnlyAccess	Read-only access for EMR (choose one of the two)
EMR Preset Policy	QcloudEMRPurchaseAccess	Financial permissions for EMR products