tencent cloud

Account permission management overview
Last updated: 2025-09-19 17:31:52
If you need refined permission management for CKafka resources, the following capabilities are provided by Cloud Access Management (CAM).
User and permission management: Create independent users or roles for members of different functional departments based on your enterprise organizational structure, and assign each its own security credentials (console login password, cloud API key, etc.) or request temporary security credentials, so that access to CKafka resources is secure and controllable.
Fine-grained access control: Set differentiated access policies based on personnel roles to precisely control which operations each user/role may execute and which resources it may access, achieving strict permission isolation.

Account System Introduction

Capability differences between account types and related reference documents are as follows:
Root Account: Owns all Tencent Cloud resources and can access any of them. Console login is supported by default, and it has full policy access by default.
Sub-account (sub-user): Created by the root account and fully owned by the root account that created it.
Sub-account (WeCom sub-user): Imported by the root account through the WeCom visible scope and fully owned by the root account that created the WeCom sub-user.
Sub-account (collaborator): Originally has the identity of a root account. After being added as a collaborator of the current root account, it becomes one of its sub-accounts and can switch back to its own root account identity.
Message recipient: Only has message receiving capabilities; it has no console access, programmatic access, or policy authorization.
Capabilities compared across these account types: console access, programmatic access, authorizing with policies, message notification, and reference documentation.
Note:
To ensure the security of your Tencent Cloud account and cloud resource usage, avoid direct use of the Tencent Cloud root account for resource operations unless necessary. Create sub-accounts and assign policies based on the principle of least privilege, allowing sub-accounts with limited permission scopes to manage your cloud resources.

Policies

A policy is a syntax specification for defining and describing one or more permissions. By default, the root account has access to all its resources, while the sub-account doesn't have access to any resources under the root account.
The root account can grant users/user groups the permission to view and use specific resources by associating policies with them. Tencent Cloud policy types are divided into preset policies and custom policies.

Preset Policy

CKafka provides two preset policies for sub-accounts.
QcloudCKafkaFullAccess: Read-write access; the sub-account can perform read-write operations in the console.
QcloudCkafkaReadOnlyAccess: Read-only access; the sub-account can only view console information.

Custom Policies

If the preset policies cannot meet your requirements, you can create custom policies to implement least-privilege authorization. A policy can be specified down to the API, resource, user/user group, allow/deny, and condition dimensions. Using custom policies helps achieve refined permission control and is an effective way to improve resource access security.
Tencent Cloud offers the following two ways to create custom policies, to suit different usage habits and needs:
Visual view: Wizard-based operation. Users do not need to understand policy syntax; they simply select the cloud service, action, resource, condition and other elements in the interface, and the system generates the policy automatically, lowering the barrier to use.
JSON view: Select a policy template and edit its content according to your needs, or write the policy content directly in JSON format in the editor. Suitable for users with some technical background.
Custom policy example
A sub-account granted the following policy has console and API permission only to obtain the instance specification configuration, query the instance version information, and query messages for the instance ckafka-xxx.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "ckafka:DescribeCkafkaTypeConfigs",
                "ckafka:DescribeCkafkaVersion",
                "ckafka:FetchMessageByOffset"
            ],
            "resource": [
                "qcs::ckafka::uin/1000*****002:ckafkaId/ckafka-xxxx"
            ]
        }
    ]
}
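As an added example (not Tencent Cloud's code or API), the following Python evaluates requests against a policy document in the structure shown above and lists any allowed actions outside an expected set, which is the least-privilege review a defender performs before attaching such a policy. The uin, instance ids and the deny statement are constructed placeholders, and the rules that "*" is the only wildcard and that an explicit deny overrides any allow are assumptions about CAM evaluation.

```python
import re

# Added example, not Tencent Cloud's own code: evaluates requests against the
# CAM policy structure shown above. Assumes "*" is the only wildcard in action
# and resource strings, an explicit deny beats any allow, and no match = deny.
UIN = "100000000001"  # constructed placeholder account uin
# Constructed sample: the page's allow statement on one instance, plus a deny
# that blocks message reads on any instance whose id starts with ckafka-prod.
POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["ckafka:DescribeCkafkaTypeConfigs",
                    "ckafka:DescribeCkafkaVersion",
                    "ckafka:FetchMessageByOffset"],
         "resource": [f"qcs::ckafka::uin/{UIN}:ckafkaId/ckafka-aaaa1111"]},
        {"effect": "deny",
         "action": ["ckafka:FetchMessageByOffset"],
         "resource": [f"qcs::ckafka::uin/{UIN}:ckafkaId/ckafka-prod*"]},
    ],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _wild_match(pattern, value):
    # Only "*" is a wildcard; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _matches(stmt, action, resource):
    return (any(_wild_match(p, action) for p in _as_list(stmt.get("action", [])))
            and any(_wild_match(p, resource) for p in _as_list(stmt.get("resource", []))))

def is_allowed(policy, action, resource):
    """True only if an allow statement matches and no deny statement does."""
    allowed = False
    for stmt in policy.get("statement", []):
        if not _matches(stmt, action, resource):
            continue
        if stmt.get("effect") == "deny":
            return False  # explicit deny wins regardless of statement order
        if stmt.get("effect") == "allow":
            allowed = True
    return allowed

def unexpected_grants(policy, expected_actions):
    """Least-privilege review: allowed action patterns outside the expected set."""
    return [a for s in policy.get("statement", []) if s.get("effect") == "allow"
            for a in _as_list(s.get("action", [])) if a not in expected_actions]
```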

Sub-Account Authorization Operation

When using CKafka, sub-accounts need authorization in two areas:
Access to other cloud services: When using CKafka, users may also need to access the resources of other cloud products (VPC, CVM, etc.), for example to view the availability zone in which the user's subnet is located.
Read/write permissions for CKafka resources: Obtain read/write permissions for the CKafka resources themselves.

References

Understand the Relationship Between Policy and User
Understand the Basic Policy Structure
Learn about which products support CAM
