Authorization Permission Policy

Last updated: 2025-08-08 17:44:14
Permissions of Tencent Cloud root accounts and sub-accounts are separated. You can grant sub-accounts different permissions as needed, which avoids security risks caused by exposure of your Tencent Cloud account key.

Granting a Sub-account a Permission Policy

Background

Company A activates the TencentDB for MongoDB service and wants its team members to manage the involved resources. For security or trust reasons, it does not want to disclose its Tencent Cloud account key to the team members directly; instead, it wants to create sub-accounts for them. The sub-accounts can manage resources only when authorized by the root account, and separate usage calculation and billing are not required, as all fees are charged to company A's Tencent Cloud account. Company A also wants to be able to revoke or delete the operation permissions of sub-accounts at any time.

Operation Steps

Step 1. Creating a Sub-account User

You can create a sub-account user through the console or an API.
Log in to the CAM console and enter the User List page to create a user. For detailed directions, see Creating Sub-User.
Create a sub-user and configure permissions for them by calling the AddUser API with an access key. For more information, see AddUser.

(Optional) Step 2. Creating a Custom Permission Policy

1. On the Policies page in the CAM console, search for a target policy by policy name in the search box in the top-right corner.
2. If the permission policy does not exist, you need to customize one. For detailed directions, see Creating Custom Policy.

Step 3. Assigning a Permission Policy to the Sub-account

On the Policies page in the CAM console, find the target permission policy and associate it with the target sub-account. For detailed directions, see Authorization Management.
On the User List page in the CAM console, find the target sub-account and associate it with the target policy. For detailed directions, see Authorization Management.

References

Logging In to the Console

You can let your team members use a sub-account to log in to the Tencent Cloud console and access TencentDB for MongoDB. For detailed directions, see Logging in to Console with Sub-account.

Modifying a Sub-account

You can view and modify the information of a sub-account as instructed in User Information.

Deleting a Sub-account

You can revoke or delete the operation permissions of a sub-account as instructed in Deleting Sub-Users.

Granting a Permission Policy Across Tencent Cloud Accounts

Background

Company A activates TencentDB for MongoDB and wants company B to have part of the permissions for its TencentDB for MongoDB operations, such as instance read/write and slow query operations. Company B wants to use a sub-account to handle this work. In this case, company A can authorize the root account of company B to access TencentDB for MongoDB resources through a role. For the concept and use cases of roles, see Role Overview.

Operation Steps

Step 1. Company A Creates a Role for Company B

1. Log in to the CAM console and go to the Roles page.
2. Click Create Role. In the Select role entity window, select Tencent Cloud Account.
3. On the Create Custom Role page, create a role.
   a. On the Enter role entity info page, select Other root account as Tencent Cloud account, enter the root account of company B as Account ID, set other parameters as prompted, and click Next.
   b. On the Configure Role Policy page, select the target policy and click Next.
   c. On the Review page, enter a role name such as DevOpsRole in the Role Name box, review the selected policy, and click Complete.

Step 2. Company B Grants a Sub-account the Permission to Assume the Role

1. On the Policies page in the CAM console, click Create Custom Policy.
2. In the Select Policy Creation Method window, select Create by Policy Syntax.
3. On the Create by Policy Syntax page, create a policy.
   a. In the Select a template type section, select Blank Template and click Next.
   b. On the Edit Policy page, enter a policy name such as sts:AssumeRole in the Policy Name input box.
   c. In Policy Content, set the policy content according to the policy syntax and click Complete. Below is an example:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": ["name/sts:AssumeRole"],
            "resource": ["qcs::cam::uin/12345:RoleName/DevOpsRole"]
        }
    ]
}
4. Return to the Policies page, find the created custom policy, and click Associate Users/Groups in the Operation column.
5. Associate the custom policy with the sub-account of company B and click OK.
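
Before associating the policy in step 5, it is worth checking that it allows only sts:AssumeRole on the one agreed role. The following is an added example, not part of the original documentation or any Tencent Cloud tooling: a local check over the policy JSON, where the function name, the expected-role parameters and the loosened sample policy are assumptions made for illustration.

```python
import json
import re

# Resource form taken from the policy on this page:
#   qcs::cam::uin/<account>:RoleName/<role>
ROLE_RESOURCE = re.compile(r"^qcs::cam::uin/(\d+):RoleName/([^*/\s]+)$")
ASSUME_ROLE = "name/sts:AssumeRole"


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def audit_assume_role_policy(policy_text, expected_uin, expected_role):
    """Return a list of findings; an empty list means the policy is tightly scoped."""
    findings = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue  # only allow statements can widen access
        for action in as_list(stmt.get("action", [])):
            if action != ASSUME_ROLE:
                findings.append(f"statement {i}: unexpected action {action!r}")
        for resource in as_list(stmt.get("resource", [])):
            m = ROLE_RESOURCE.match(resource)
            if m is None:
                findings.append(f"statement {i}: resource {resource!r} is not a single named role")
            elif m.groups() != (expected_uin, expected_role):
                findings.append(f"statement {i}: resource {resource!r} is not the agreed role")
    return findings


# Constructed samples: the policy shown on this page, and a loosened variant of it.
PAGE_POLICY = """{"version": "2.0", "statement": [{"effect": "allow",
  "action": ["name/sts:AssumeRole"],
  "resource": ["qcs::cam::uin/12345:RoleName/DevOpsRole"]}]}"""
BROAD_POLICY = """{"version": "2.0", "statement": [{"effect": "allow",
  "action": ["*"], "resource": ["*"]}]}"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_assume_role_policy(text, "12345", "DevOpsRole"))
```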

Step 3. Company B Uses the Sub-account to Access Tencent Cloud Resources Through the Role

1. Log in to the console with the sub-account of company B and select Switch Role in the profile photo drop-down list.
2. On the role switch page, enter the root account of company A and role name to switch to the role of company A.

References

You can modify a role as instructed in Modifying Role.
You can delete a role as instructed in Deleting a Role.
For more information on how to use CAM, see Overview.
