Granting Resource-Level Permissions to Sub-accounts
Last updated: 2026-01-30 14:55:28

Scenarios

You can use the policy feature in the CAM console to authorize a sub-account to use MQTT resources owned by the root account. The sub-account then has permission to use those resources. This document uses granting permission for a cluster to a sub-account as the example. The procedure for other types of resources is similar.

Prerequisites

The Tencent Cloud root account has been used to create a sub-account for the employee. For detailed instructions, see Create Sub-account.
You have at least one MQTT cluster.

Operation Steps

Step 1: Obtain the Resource ID of an MQTT Cluster

Log in to the TDMQ for MQTT console with your root account, and copy the cluster "ID" from the Cluster page.


Step 2: Create Authorization Policy

1. Log in to the CAM console.
2. Select Policies in the left sidebar, click Create a custom policy, and choose Create by Policy Builder as the policy creation method.
3. In the Visual Strategy Generator, keep the Effect as Allow, enter mqtt in Service to filter, and select TDMQ for MQTT (mqtt) from the results.
4. In Action, choose All actions (mqtt:*) or select only the operation types you need.
Note:
Some APIs do not yet support resource authentication. The APIs displayed on the console page are the authoritative list of those that support it.
5. In Resource, select Specific resources and find the instance resource type. On the right, either check Any resource of this type (authorizes all cluster resources) or click Add a six-segment resource description (authorizes a specific cluster resource). In the pop-up sidebar dialog box, fill in the cluster ID under Resource Prefix.
6. In the pop-up sidebar dialog box, enter the ID of the resource to authorize in ID.

7. In Condition, choose whether to specify the source IP based on actual business needs. If you specify it, only requests from the specified IP range are allowed to perform the specified actions.
8. Click Next and set the policy name. The console generates the Policy Name automatically, defaulting to "policygen" with a numerical suffix based on the creation date. You can customize it.
9. Click Select User or Select User Group to choose the user or user group that will be granted the resource permissions.

10. Click Completed. The sub-account that was granted resource permissions can then access the related resources.
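
The following is an added example, not part of Tencent Cloud's documentation: a Python check that reads a policy in CAM's JSON policy syntax and reports which of the broad choices from steps 4, 5 and 7 each statement uses (all actions, any resource of the type, no source-IP condition). The sample policy is constructed; its account UIN, region, cluster ID and action name are placeholders, and the six-segment resource layout shown for MQTT is an assumption.

```python
import json

# Constructed sample in CAM JSON policy syntax. The UIN, region, cluster ID and
# action name are placeholders; the MQTT six-segment layout is an assumption.
SAMPLE_POLICY = json.loads("""
{"version": "2.0",
 "statement": [
  {"effect": "allow",
   "action": ["mqtt:*"],
   "resource": ["qcs::mqtt:ap-guangzhou:uin/100000000001:instance/*"]},
  {"effect": "allow",
   "action": ["mqtt:ExampleAction"],
   "resource": ["qcs::mqtt:ap-guangzhou:uin/100000000001:instance/mqtt-example1"],
   "condition": {"ip_equal": {"qcs:ip": ["203.0.113.0/24"]}}}
 ]}
""")

def as_list(value):
    """CAM accepts either a single string or a list for action and resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def is_wildcard_resource(resource):
    """True for '*' or a six-segment description whose last segment ends in '*'."""
    segments = resource.split(":", 5)  # qcs:project:service:region:account:resource
    return resource == "*" or segments[-1].endswith("*")

def audit_statement(stmt):
    """Return the broad grants in one statement; an empty list means it is scoped."""
    if str(stmt.get("effect", "")).lower() != "allow":
        return []
    findings = []
    if any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("action"))):
        findings.append("all-actions")        # step 4: All actions (mqtt:*)
    if any(is_wildcard_resource(r) for r in as_list(stmt.get("resource"))):
        findings.append("any-resource")       # step 5: Any resource of this type
    if "ip_equal" not in (stmt.get("condition") or {}):
        findings.append("no-source-ip")       # step 7: informational, optional
    return findings

def audit_policy(policy):
    """Map statement index -> findings for every statement in the policy."""
    return {i: audit_statement(s) for i, s in enumerate(policy.get("statement", []))}

if __name__ == "__main__":
    for index, findings in audit_policy(SAMPLE_POLICY).items():
        print(index, findings or "scoped")
```

Run it against a policy exported from the CAM console before attaching the policy to a user or user group; the "no-source-ip" finding is informational, since step 7 is optional.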
