
Role-Based Access Control

AutoMQ supports Role-Based Access Control (RBAC), providing fine-grained permission management so that member accounts and service accounts can access the resources they need under the principle of least privilege. Through RBAC, environment administrators can manage and control access to AutoMQ resources, ensuring system security and stability.

RBAC Principles

The core principle of RBAC is to bind predefined roles to member accounts and service accounts. Each role contains a set of predefined permissions that determine the actions an account can perform. This approach allows administrators to flexibly assign and manage permissions, ensuring users can only access and operate on the resources they are authorized to use.

Appendix: Predefined System Roles

AutoMQ provides a series of built-in roles, each corresponding to a different level of permissions to meet the needs of various scenarios. Below is a list of the built-in roles supported by AutoMQ, along with the actions each role permits:

Role: InstanceViewer
  • Permission Level and Applicable Scenarios:
    • Role Description: Instance Viewer Role
    • Permission Scope: Read-only access to specified instances within the environment (excluding message viewing).
  • Actions:
    • Instance:ListInstances
    • Instance:GetInstance
    • Instance:GetInstanceMetadata
    • Instance:ListInstanceACLPolicies
    • Instance:ListInstanceACLUsers
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:GetConsumerGroup
    • Topic:GetTopic
    • Topic:ListTopics
    • Profile:GetDeployProfile
    • Profile:ListDeployProfiles
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink

Role: InstanceDeveloper
  • Permission Level and Applicable Scenarios:
    • Role Description: Instance Developer
    • Permission Scope: Access to specified instances within the environment and management of resources like Topic and Group within the instance. Instance developers cannot perform instance configuration changes, upgrades, etc.
  • Actions:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:ListInstanceACLPolicies
    • Instance:CreateInstanceACLPolicy
    • Instance:DeleteInstanceACLPolicy
    • Instance:GetInstanceMetadata
    • Instance:ListInstanceACLUsers
    • Instance:CreateInstanceACLUser
    • Instance:DeleteInstanceACLUser
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:CreateConsumerGroup
    • ConsumerGroup:GetConsumerGroup
    • ConsumerGroup:UpdateConsumerGroup
    • ConsumerGroup:DeleteConsumerGroup
    • Topic:ListTopics
    • Topic:CreateTopic
    • Topic:GetTopic
    • Topic:DeleteTopic
    • Topic:UpdateTopic
    • Topic:CreateMessage
    • Profile:GetDeployProfile
    • Profile:ListDeployProfiles
    • Environment:GetMessage

Role: InstanceAdmin
  • Permission Level and Applicable Scenarios:
    • Role Description: Instance Admin Role
    • Permission Scope: Access to view, modify, and delete specified instances within the environment.
  • Actions:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:UpdateInstance
    • Instance:GetInstanceMetadata
    • Instance:DeleteInstance
    • Instance:UpdateInstanceIntegration
    • Instance:ListInstanceACLUsers
    • Instance:CreateInstanceACLUser
    • Instance:DeleteInstanceACLUser
    • Instance:ListInstanceACLPolicies
    • Instance:CreateInstanceACLPolicy
    • Instance:DeleteInstanceACLPolicy
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:CreateConsumerGroup
    • ConsumerGroup:GetConsumerGroup
    • ConsumerGroup:UpdateConsumerGroup
    • ConsumerGroup:DeleteConsumerGroup
    • Topic:CreateTopic
    • Topic:GetTopic
    • Topic:DeleteTopic
    • Topic:UpdateTopic
    • Topic:ListTopics
    • Topic:CreateMessage
    • Profile:GetDeployProfile
    • Profile:ListDeployProfiles
    • Environment:GetMessage
    • Integration:ListIntegrations
    • Integration:ListIntegrationTypes
    • KafkaLinking:CreateKafkaLink
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink
    • KafkaLinking:DeleteKafkaLink

Role: IntegrationAdmin
  • Permission Level and Applicable Scenarios:
    • Role Description: Integration Administrator
    • Permission Scope: Access and edit specified integrations within the environment.
  • Actions:
    • Integration:UpdateInstanceIntegration
    • Integration:ListIntegrations
    • Integration:GetIntegration
    • Integration:UpdateIntegration
    • Integration:DeleteIntegration
    • Integration:ListIntegrationTypes
    • Profile:ListDeployProfiles
    • Profile:GetDeployProfile

Role: EnvironmentViewer
  • Permission Level and Applicable Scenarios:
    • Role Description: Environment Read-Only Member Role
    • Permission Scope: Read-only access to instance resources within the environment; cannot manage the environment or other members (excluding message viewing).
      • Instance Viewing
      • Integration Viewing
  • Actions:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:ListInstanceACLPolicies
    • Instance:GetInstanceMetadata
    • Instance:ListInstanceACLUsers
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:GetConsumerGroup
    • Topic:ListTopics
    • Topic:GetTopic
    • Integration:ListIntegrations
    • Integration:GetIntegration
    • Integration:ListIntegrationTypes
    • Migration:ListMigrations
    • Migration:GetMigration
    • Profile:ListDeployProfiles
    • Profile:GetDeployProfile
    • Environment:ListProductVersions
    • Environment:ListProviders
    • Environment:ListRegions
    • Environment:ListZones
    • Environment:ListSubnets
    • Environment:ListNodeGroups
    • Environment:GetNodeGroup
    • Environment:GetEnvironment
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink

Role: EnvironmentOperator
  • Permission Level and Applicable Scenarios:
    • Role Description: Environment Operator Member Role
    • Permission Scope: Write access to instance resources within the environment; cannot manage the environment or other members:
      • Integration Management
      • Instance Management
  • Actions:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:ListInstanceACLPolicies
    • Instance:CreateInstanceACLPolicy
    • Instance:DeleteInstanceACLPolicy
    • Instance:CreateInstance
    • Instance:UpdateInstance
    • Instance:DeleteInstance
    • Instance:GetInstanceMetadata
    • Instance:UpdateInstanceIntegration
    • Instance:ListInstanceACLUsers
    • Instance:CreateInstanceACLUser
    • Instance:DeleteInstanceACLUser
    • Topic:ListTopics
    • Topic:CreateTopic
    • Topic:GetTopic
    • Topic:DeleteTopic
    • Topic:UpdateTopic
    • Topic:CreateMessage
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:CreateConsumerGroup
    • ConsumerGroup:GetConsumerGroup
    • ConsumerGroup:UpdateConsumerGroup
    • ConsumerGroup:DeleteConsumerGroup
    • Integration:ListIntegrations
    • Integration:CreateIntegration
    • Integration:GetIntegration
    • Integration:UpdateIntegration
    • Integration:DeleteIntegration
    • Integration:ListIntegrationTypes
    • Migration:CreateMigration
    • Migration:UpdateMigration
    • Migration:ListMigrations
    • Migration:GetMigration
    • Migration:DeleteMigration
    • Profile:ListDeployProfiles
    • Profile:GetDeployProfile
    • Profile:CreateDeployProfile
    • Profile:UpdateDeployProfile
    • Profile:DeleteDeployProfile
    • Environment:CreateProductVersion
    • Environment:GetDeploymentOrder
    • Environment:ListProductVersions
    • Environment:ListProviders
    • Environment:ListRegions
    • Environment:ListZones
    • Environment:ListSubnets
    • Environment:ListNodeGroups
    • Environment:GetNodeGroup
    • Environment:GetMessage
    • Environment:DeleteEndPoint
    • Environment:CreateEndPoint
    • KafkaLinking:CreateKafkaLink
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink
    • KafkaLinking:DeleteKafkaLink

Role: EnvironmentAdmin
  • Permission Level and Applicable Scenarios:
    • Role Description: Environment Administrator
    • Permissions: Has full operational access to all resources within the environment, including but not limited to:
      • Manage Members
      • Manage Integrations
      • Manage Instances
  • Actions:
    • All

By utilizing built-in roles and their corresponding operations, administrators can flexibly manage permissions in the AutoMQ console, ensuring both system security and efficiency.
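
As an added illustration (not AutoMQ code and not an AutoMQ API), the sketch below transcribes the three instance-scoped roles from the list above and picks the smallest role that covers the actions an account needs, reporting what would be over-granted. The helper names `expand`, `least_privileged_role` and `not_inherited` are hypothetical; the action names are the ones on this page.

```python
def expand(spec):
    """{"Topic": "GetTopic ListTopics"} -> {"Topic:GetTopic", "Topic:ListTopics"}"""
    return frozenset(f"{res}:{op}" for res, ops in spec.items() for op in ops.split())

# Action groups shared by several roles on this page.
CG_RW = "ListConsumerGroups CreateConsumerGroup GetConsumerGroup UpdateConsumerGroup DeleteConsumerGroup"
TOPIC_RW = "ListTopics CreateTopic GetTopic DeleteTopic UpdateTopic CreateMessage"
ACL_RW = ("ListInstanceACLPolicies CreateInstanceACLPolicy DeleteInstanceACLPolicy "
          "ListInstanceACLUsers CreateInstanceACLUser DeleteInstanceACLUser")
PROFILE_RO = "GetDeployProfile ListDeployProfiles"

# Transcribed from the role list above (instance-scoped roles only).
ROLES = {
    "InstanceViewer": expand({
        "Instance": "ListInstances GetInstance GetInstanceMetadata "
                    "ListInstanceACLPolicies ListInstanceACLUsers",
        "ConsumerGroup": "ListConsumerGroups GetConsumerGroup",
        "Topic": "GetTopic ListTopics",
        "Profile": PROFILE_RO,
        "KafkaLinking": "ListKafkaLinks GetKafkaLink",
    }),
    "InstanceDeveloper": expand({
        "Instance": "GetInstance ListInstances GetInstanceMetadata " + ACL_RW,
        "ConsumerGroup": CG_RW, "Topic": TOPIC_RW, "Profile": PROFILE_RO,
        "Environment": "GetMessage",
    }),
    "InstanceAdmin": expand({
        "Instance": "GetInstance ListInstances UpdateInstance DeleteInstance "
                    "GetInstanceMetadata UpdateInstanceIntegration " + ACL_RW,
        "ConsumerGroup": CG_RW, "Topic": TOPIC_RW, "Profile": PROFILE_RO,
        "Environment": "GetMessage",
        "Integration": "ListIntegrations ListIntegrationTypes",
        "KafkaLinking": "CreateKafkaLink ListKafkaLinks GetKafkaLink DeleteKafkaLink",
    }),
}

def least_privileged_role(required):
    """Return (role, unused_actions) for the smallest covering role, or None."""
    required = set(required)
    fits = [(len(acts), name) for name, acts in ROLES.items() if required <= acts]
    if not fits:
        return None  # needs an environment-level role, which is not modelled here
    _, name = min(fits)
    return name, sorted(ROLES[name] - required)

def not_inherited(lower, higher):
    """Actions granted by `lower` that `higher` does not grant."""
    return sorted(ROLES[lower] - ROLES[higher])
```

Running `not_inherited("InstanceViewer", "InstanceDeveloper")` shows that, as listed on this page, the two KafkaLinking read actions are in InstanceViewer but not in InstanceDeveloper, so the roles should not be assumed to nest.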