This document describes how to use the root account to authorize sub-accounts at the resource level. After successful authorization, the sub-accounts can control the specified resource.
You must have a Tencent Cloud root account and have activated the Cloud Access Management (CAM) service.
Your root account must have at least one sub-account, and you must have completed the authorization as instructed in Getting Access Authorization.
You must have at least one CKafka instance.
By using the policy feature in the CAM console, you can grant a sub-account access to the CKafka resources owned by the root account. Taking the cluster resource as an example, the following steps show how to grant a sub-account access to CKafka resources. The same steps apply to other types of resources.
Step 1. Obtain the CKafka cluster ID
1. Log in to the CKafka console with the root account, select an existing cluster instance, and click it to enter the details page.
2. In Basic Info, the field ID indicates the ID of the current CKafka cluster.
Step 2. Create a new authorization policy
2. Click Create Custom Policy > Create by Policy Generator.
3. In the visual policy generator, select Allow for Effect, enter CKafka in Service to filter, and select CKafka (ckafka).
4. In Action, select All actions, or select only the action types you need.
5. In the Resource field, select Specific resources and find the ckafkaId resource type. To authorize all cluster resources, select Any resource of this type on the right. To authorize specific cluster resources, click Add a six-segment resource description.
6. If you click Add a six-segment resource description, enter the cluster ID for Resource in the pop-up dialog box. For how to obtain the cluster ID, see Step 1.
7. Click Next and enter a policy name as needed.
8. Click Select Users or Select User Groups to select the users or user groups that need to be granted resource permissions.
9. Click Complete. The sub-account that was granted resource permissions can then access the related resources.
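The choices made in steps 4 and 5 (All actions, Any resource of this type) determine how far the resulting policy reaches, so it is worth reviewing the saved policy document against the clusters you intended to share. The following Python review script is an added example, not part of the original document or Tencent Cloud's own code; it flags allow statements that reach beyond an intended cluster list. The sample policy, account UIN, region and cluster ID are constructed placeholders, and the layout of the ckafkaId resource segment is an assumption.

```python
import json

# Constructed sample in CAM policy syntax. UIN, region and cluster ID are
# placeholders; the ckafkaId resource segment layout is an assumption.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow", "action": ["ckafka:*"],
     "resource": ["qcs::ckafka:ap-guangzhou:uin/100000000001:ckafkaId/uin/100000000001/ckafka-EXAMPLE1"]},
    {"effect": "allow", "action": ["ckafka:*"],
     "resource": ["qcs::ckafka::uin/100000000001:ckafkaId/*"]}
  ]
}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def parse_resource(desc):
    """Split a six-segment description: qcs:project:service:region:account:resource."""
    parts = desc.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment resource description: {desc!r}")
    return dict(zip(("prefix", "project", "service", "region", "account", "resource"), parts))

def review_policy(policy, allowed_cluster_ids):
    """Return (statement index, resource, reason) for grants beyond the intended clusters."""
    findings = []
    for i, stmt in enumerate(policy["statement"]):
        if stmt.get("effect", "").lower() != "allow":
            continue
        all_actions = any(a in ("*", "ckafka:*") for a in as_list(stmt["action"]))
        for desc in as_list(stmt["resource"]):
            if desc == "*":
                findings.append((i, desc, "all resources"))
                continue
            res = parse_resource(desc)
            if res["service"] != "ckafka" or not res["resource"].startswith("ckafkaId/"):
                continue  # not a CKafka cluster grant
            cluster = res["resource"].rsplit("/", 1)[-1]
            if cluster == "*":
                findings.append((i, desc, "any cluster" + (" with all actions" if all_actions else "")))
            elif cluster not in allowed_cluster_ids:
                findings.append((i, desc, "cluster not in allow-list"))
    return findings

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY, {"ckafka-EXAMPLE1"}):
        print(finding)
```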
Other authorization methods