
Message Queue

2022-02-21 06:21:00

Role Authorization

Authorization between primary accounts and sub-accounts in Message Queue is implemented through Identity and Access Management (IAM). For more information on IAM, see the IAM documentation.

Description:

  • Create a separate IAM role for each set of permissions you want to divide

  • Costs for resources created or used by an identity acting in a role are billed to the primary account that created the role

  • The primary account has permission to create and delete the role and its policies

Authorization Process:

Message Queue is fully integrated with the access control service. Users set the authorization of a role in the Access Control menu.

  1. Primary Account A creates the user role, e.g. RoleA, and grants the corresponding policy to the user role. Refer to.

    • For the system policy, refer to:

      | System Policy Name | Permission Description | Type | Resource Scope | Remarks |
      |---|---|---|---|---|
      | JDCloudAdmin | Message Queue (JCQ) administrator permission | System type | All resources of message queue JCQ under the primary account | All authorities of message queue JCQ, including management and message releasing and subscription |
      | JDCloudJCQTopicManagement | Message Queue (JCQ) topic management permission | System type | All resources of message queue JCQ under the primary account | Can manage the topic of message queue JCQ, including creating, deleting and changing the topic |
      | JDCloudJCQPub | Message Queue (JCQ) releasing permission | System type | All resources of message queue JCQ under the primary account | Can release messages to existing topics |
      | JDCloudJCQSub | Message Queue (JCQ) subscription permission | System type | All resources of message queue JCQ under the primary account | Can create, delete and manage subscriptions to existing topics and consume messages |
      | JDCloudJCQRead | Message Queue (JCQ) reading permission | System type | All resources of message queue JCQ under the primary account | Can query the information of existing topics and dead letter queue, without modification permission |
    • For the customized policy, refer to.

  2. Log in to Primary Account B, create an IAM sub-user SubB, and grant SubB the security token system policy JDCloudStsAdmin, refer to.

  3. Log in as the IAM sub-user SubB and open the sub-user Console. Click "Switch Role" in the menu at the upper-right corner, then enter the account ID of the primary account and the role name RoleA. After the switch, SubB accesses and manages the resources of Primary Account A with the identity and permissions of RoleA.
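
Before attaching a system policy to RoleA in step 1, it helps to check that the role gets no more than the cross-account user needs. The following is an added example, not part of the JD Cloud documentation: it models the five system policies from the table and reports missing and surplus permissions for a role. The capability labels (such as `message.publish`) and the function names are hypothetical, derived from the Remarks column.

```python
from itertools import combinations

# Capability labels are hypothetical, derived from the Remarks column of the table.
TOPIC_MGMT = {"topic.create", "topic.delete", "topic.change"}
PUB = {"message.publish"}
SUB = {"subscription.create", "subscription.delete", "subscription.manage",
       "message.consume"}
READ = {"topic.query", "deadletter.query"}
ALL = TOPIC_MGMT | PUB | SUB | READ

SYSTEM_POLICIES = {
    "JDCloudAdmin": ALL,
    "JDCloudJCQTopicManagement": TOPIC_MGMT,
    "JDCloudJCQPub": PUB,
    "JDCloudJCQSub": SUB,
    "JDCloudJCQRead": READ,
}

def granted(policies):
    """Union of the capabilities granted by the attached system policies."""
    caps = set()
    for name in policies:
        if name not in SYSTEM_POLICIES:
            raise ValueError(f"unknown system policy: {name}")
        caps |= SYSTEM_POLICIES[name]
    return caps

def minimal_policies(needed):
    """Policy set covering `needed` with the fewest surplus capabilities."""
    needed = set(needed)
    if needed - ALL:
        raise ValueError(f"unknown capabilities: {sorted(needed - ALL)}")
    best = None
    for size in range(len(SYSTEM_POLICIES) + 1):
        for combo in combinations(sorted(SYSTEM_POLICIES), size):
            caps = granted(combo)
            surplus = len(caps - needed)
            # Strict '<' keeps the smaller policy set when surplus is tied.
            if needed <= caps and (best is None or surplus < best[0]):
                best = (surplus, list(combo))
    return best[1]

def audit_role(attached, needed):
    """Compare what a role grants with what its user needs."""
    caps, needed = granted(attached), set(needed)
    return {"missing": sorted(needed - caps),
            "surplus": sorted(caps - needed),
            "recommended": minimal_policies(needed)}

# Constructed sample: RoleA holds the administrator policy, SubB only publishes.
print(audit_role(["JDCloudAdmin"], {"message.publish"}))
```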
