If you need refined permission management for MQTT resources, the following features can be achieved by Cloud Access Management (CAM):
User and permission assignment: Create independent users or roles for members of different functional departments according to the enterprise's organizational structure, and assign each its own security credentials (console login password, cloud API key) or request temporary security credentials for it, so that access to MQTT resources is secure and controlled.
Fine-grained access control: Set differentiated access policies based on employee functions to precisely control the executable operations and accessible resource scope for each user/role, achieving strict permission isolation.
Account System Introduction
The capabilities of the different account types, and the related reference documents, are as follows:

| | Root account | Sub-user | Collaborator | Message recipient |
| --- | --- | --- | --- | --- |
| Definition | Owns all Tencent Cloud resources and can access any of them. | Created by the root account and fully owned by the root account that created it. | Originally a root account in its own right. After being added as a collaborator of the current root account, it becomes one of that account's sub-accounts and can switch back to its own root account identity. | Only has message receiving capabilities. |
| Console access | ✔ | ✔ | ✔ | - |
| Programmatic access | ✔ | ✔ | ✔ | - |
| Authorization with policies | Has full policy access by default | ✔ | ✔ | - |
| Message notification | ✔ | ✔ | ✔ | ✔ |
| Reference documentation | | | | |
Note:
To ensure the security of your Tencent Cloud account and cloud resource usage, avoid using the Tencent Cloud root account directly to operate resources unless necessary. Instead, create sub-accounts, assign them policies based on the principle of least privilege, and use these sub-accounts with limited permissions to operate your cloud resources.
Policies
Policies are syntax specifications for defining and describing one or more permissions. By default, the root account has access to all of its resources, while a sub-account has no access to any resource under the root account until it is granted some.
The root account grants users and user groups permission to view and use specific resources by associating policies with them. Tencent Cloud policies are divided into preset policies and custom policies.
Preset Policy
MQTT provides two preset policies for sub-accounts:

| Policy name | Description |
| --- | --- |
| QcloudMQTTFullAccess | Full read/write access to the MQTT product in the console |
| QcloudMQTTReadOnlyAccess | Read-only access: can only view information in the console |
Custom Policies
If the preset policies do not meet your requirements, you can create custom policies to grant the least privilege actually needed. A policy can be scoped precisely along the dimensions of API (action), resource, user/user group, allow/deny effect, and condition. Custom policies give you fine-grained permission control and are an effective way to tighten resource access security.
Currently Tencent Cloud offers the following two flexible ways to create custom policies to meet different usage habits and requirements:
Visual view: Wizard-based operation. You do not need to understand the policy syntax; you select the cloud service, operations, resources, conditions, and other elements in the interface, and the system generates the policy automatically. This lowers the barrier to entry.
JSON view: Start from a policy template and edit its content, or write the policy directly in JSON format in the editor. Suitable for users with some technical background.
Custom policy example
A sub-account granted this policy can only query CA certificate details, query the MQTT client list, and query MQTT instance details, and only for the instance mqtt-xxx.

```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "mqtt:DescribeClientList",
        "mqtt:DescribeInstance",
        "mqtt:DescribeCaCertificate"
      ],
      "resource": [
        "qcs::mqtt::uin/1000****5002:instance/mqtt-****"
      ]
    }
  ]
}
```
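To check that a custom policy really grants no more than intended before attaching it to a sub-account, it helps to evaluate candidate requests against it offline. The following is an added example, not code from Tencent Cloud or from this page: a small evaluator that applies the policy above to a set of probe requests. It assumes the usual CAM evaluation model (default deny; an explicit deny that matches a request overrides any matching allow; `*` is the wildcard in action and resource strings), and it replaces the masked uin and instance id from the page with hypothetical placeholder values. The second policy, the probe action `mqtt:DeleteInstance`, and the pattern `mqtt:Delete*` are likewise constructed for illustration.

```python
import fnmatch
import json

# Constructed example policy: the page's custom policy with the masked uin and
# instance id replaced by hypothetical placeholder values.
READ_ONLY_INSTANCE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "mqtt:DescribeClientList",
        "mqtt:DescribeInstance",
        "mqtt:DescribeCaCertificate"
      ],
      "resource": ["qcs::mqtt::uin/100012345002:instance/mqtt-abcd1234"]
    }
  ]
}
""")

# Second constructed policy: a broad allow plus an explicit deny on destructive
# actions, to show that a matching deny statement overrides any allow.
# "mqtt:Delete*" is a hypothetical wildcard pattern, not an API name from the page.
ALLOW_ALL_BUT_DELETE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["mqtt:*"], "resource": ["*"]},
        {"effect": "deny", "action": ["mqtt:Delete*"], "resource": ["*"]},
    ],
}

# Hypothetical resource strings (six-part qcs form, as on the page).
INSTANCE = "qcs::mqtt::uin/100012345002:instance/mqtt-abcd1234"
OTHER_INSTANCE = "qcs::mqtt::uin/100012345002:instance/mqtt-zzzz9999"


def _matches(patterns, value):
    """Case-sensitive glob match; '*' is the wildcard used in CAM action and
    resource strings. Accepts a single pattern string or a list of patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decide one (action, resource) request.

    Assumed evaluation order (the usual CAM model): default deny; an explicit
    deny statement that matches the request wins over any allow that also
    matches; otherwise a matching allow statement grants access."""
    decision = "deny"
    for stmt in policy["statement"]:
        if _matches(stmt["action"], action) and _matches(stmt["resource"], resource):
            if stmt["effect"] == "deny":
                return "deny"  # explicit deny is final
            decision = "allow"
    return decision


def allowed_actions(policy, candidate_actions, resource):
    """Return the subset of candidate_actions the policy permits on resource.
    Useful for confirming a least-privilege policy grants only what you intended."""
    return [a for a in candidate_actions if evaluate(policy, a, resource) == "allow"]


if __name__ == "__main__":
    probes = [
        "mqtt:DescribeInstance",
        "mqtt:DescribeClientList",
        "mqtt:DescribeCaCertificate",
        "mqtt:DeleteInstance",  # hypothetical probe for a destructive action
    ]
    print("read-only policy, target instance :", allowed_actions(READ_ONLY_INSTANCE_POLICY, probes, INSTANCE))
    print("read-only policy, other instance  :", allowed_actions(READ_ONLY_INSTANCE_POLICY, probes, OTHER_INSTANCE))
    print("allow-all-but-delete, target inst.:", allowed_actions(ALLOW_ALL_BUT_DELETE_POLICY, probes, INSTANCE))
```

Run against the page's policy, the evaluator allows only the three Describe actions and only on the named instance; the same actions against a different instance id are denied, as is the destructive probe. The second policy shows why deny statements are useful when you must start from a broad allow: the explicit deny on `mqtt:Delete*` still blocks the delete probe even though `mqtt:*` matched it first.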
Authorizing Your Sub-Account
When using MQTT, a sub-account needs authorization in two respects:

| Authorization | Description | Reference |
| --- | --- | --- |
| Access to other cloud services | While using MQTT, the sub-account may need to access the root account's other cloud product resources (VPC, CVM, etc.), for example to view the availability zone in which the user's subnet resides. | |
| Read/write permissions for MQTT resources | Read/write permissions on the MQTT resources themselves. | |
References
- Understand the Relationship Between Policy and User
- Understand the Basic Policy Structure
- Learn about which products support CAM