This document describes how to use a root account to grant a sub-account access to resources under a specific tag through tag authorization. The authorized sub-account can gain control over the resources associated with the corresponding tag.
Prerequisites
You have a Tencent Cloud root account and have activated the Tencent Cloud CAM service.
The root account should have at least one sub-account, and authorization has been granted according to "Retrieving access permissions for sub-accounts".
You have at least one RocketMQ cluster resource instance.
You have at least one tag. If you do not have one, you can go to TAG control panel > TAG list to create one.
Directions
You can use the policy feature of the CAM console to grant the sub-account read/write permissions for RocketMQ resources owned by the root account and already bound to a tag, by authorizing by TAG. For details, see Granting Resource Permissions to Sub-Accounts by TAG.
Step 1: Binding Tags to Resources
1. Use the root account to log in to the MQ for RocketMQ console, and navigate to the cluster management page.
2. Select the target cluster and then click Edit Resource Tag in the upper left corner to bind a tag to the cluster.
2. Click Create Custom Policy, and select Authorize by TAG.
3. In the visual policy generator, enter "rocketmq" in the service to filter. Select TROCKET(trocket) from the results. Select All actions in Action, or select the corresponding operation as needed.
4. Click Next and fill in the policy name as needed.
5. Click Select Users or Select User Groups to choose the user or user group that needs to be granted resource permissions.
6. Click Complete. The corresponding sub-accounts can now control resources under the specified tag according to the policy.
Unified Management of Resource Tags
You can also manage resource tags in a unified manner on the TAG Console. The detailed operations are as follows:
Yes
No
Was this page helpful?