
Granting Resource-Level Permissions to Sub-accounts

Last updated: 2026-01-20 16:52:40

Scenarios

You can use the policy feature in the Cloud Access Management (CAM) console to grant sub-accounts access permissions for TDMQ for CKafka (CKafka) resources owned by the root account. The sub-accounts that are granted these permissions can use the resources. This document describes how to grant permissions for the resources of a cluster to a sub-account. The operation steps for other resource types are similar.

Prerequisites

A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
At least one CKafka instance has been created.

Operation Steps

Step 1: Obtaining the ID of a CKafka Cluster

1. Log in to the CKafka console by using the root account, and click an existing cluster instance ID to go to the details page.
2. On the Basic Info tab, the ID field is the ID of the current CKafka cluster.


Step 2: Creating an Authorization Policy

1. Log in to the CAM console.
2. In the left sidebar, select Policies, click Create a custom policy, and select Create by Policy Builder for the policy creation method.
3. In the visualized policy generator, keep Effect as Allow, enter ckafka in Service for filtering, and select CKafka (ckafka) from the results.

4. Select All Actions (Ckafka:*) for Action. You can also select your desired operation types.
Note:
Certain APIs do not currently support resource authentication. The console page shows which APIs support it.



5. In the Resource section, select Specific resources, and locate the ckafkaId resource type. You can check Any resource of this type (authorize all cluster resources) on the right, or click Add a six-segment resource description (authorize specific cluster resources). In the pop-up sidebar dialog box, enter the cluster ID in the Resource Prefix field.

6. In the Condition section, select whether to specify the source IP address based on actual business requirements. After a source IP address is specified, access to the specified operation is allowed only when requests come from the specified IP address.
7. Click Next and set the policy name. The policy name is automatically generated by the console and is set to policygen by default, with a suffix number generated based on the creation date. You can customize it.
8. Click Select User or Select User Group to select the users or user groups to be granted resource permissions.



9. Click Completed. The sub-account that has been granted resource permissions can now access the relevant resources.
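The choices made in steps 4 to 6 decide how broad the resulting policy is. The following check is an added example, not part of the original page or of Tencent Cloud tooling: it reviews a policy document for the three points those steps control. It assumes the policy is written in CAM policy syntax (`statement`, `effect`, `action`, `resource`, `condition` with `ip_equal` on `qcs:ip`) and that "Any resource of this type" is expressed as `ckafkaId/*`; the uin, region, cluster ID and action names in the samples are constructed.

```python
# Constructed sample policies in CAM policy syntax. The uin, region and
# cluster ID are placeholders; the action names are illustrative.
CLUSTER = "qcs::ckafka:ap-guangzhou:uin/100000000001:ckafkaId/"
BROAD = {"version": "2.0", "statement": [{
    "effect": "allow",
    "action": ["ckafka:*"],
    "resource": [CLUSTER + "*"]}]}
SCOPED = {"version": "2.0", "statement": [{
    "effect": "allow",
    "action": ["ckafka:DescribeInstances", "ckafka:DescribeTopic"],
    "resource": [CLUSTER + "ckafka-EXAMPLE1"],
    "condition": {"ip_equal": {"qcs:ip": ["203.0.113.0/24"]}}}]}


def as_list(value):
    """Treat a single string the same as a one-item list."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (statement index, finding, value) tuples for allow statements."""
    findings = []
    for i, st in enumerate(as_list(policy.get("statement", []))):
        if str(st.get("effect", "")).lower() != "allow":
            continue
        for action in as_list(st.get("action", [])):
            service, _, name = action.partition(":")
            # Step 4: "All Actions" grants every CKafka operation.
            if action == "*" or (service.lower() == "ckafka" and name == "*"):
                findings.append((i, "wildcard-action", action))
        for res in as_list(st.get("resource", [])):
            segs = res.split(":", 5)  # six-segment resource description
            if res == "*":
                findings.append((i, "wildcard-resource", res))
            elif len(segs) != 6 or segs[0] != "qcs":
                findings.append((i, "malformed-resource", res))
            elif segs[5] == "ckafkaId/*":
                # Step 5: "Any resource of this type" covers all clusters.
                findings.append((i, "wildcard-resource", res))
        # Step 6: without a source IP condition, requests from any address pass.
        if not st.get("condition", {}).get("ip_equal", {}).get("qcs:ip"):
            findings.append((i, "no-source-ip", ""))
    return findings


if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(policy))
```

A `no-source-ip` finding is a point to review rather than an error, since step 6 leaves the source IP restriction to business requirements.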

