Role-Based Access Control

AutoMQ supports Role-Based Access Control (RBAC), which provides fine-grained permission management so that member accounts and service accounts can access only the resources they need, following the principle of least privilege. Through RBAC, environment administrators can manage and control access to AutoMQ resources, ensuring system security and stability.

RBAC Principles

The core principle of RBAC is to bind predefined roles to member accounts and service accounts. Each role contains a set of predefined permissions that determine the actions an account can perform. This approach allows administrators to flexibly assign and manage permissions, ensuring users can only access and operate on the resources they are authorized to use.

Appendix: Predefined System Roles

AutoMQ provides a series of built-in roles, each corresponding to a different level of permissions to meet the needs of various scenarios. Below is a list of the built-in roles supported by AutoMQ along with the actions each role permits:

Role | Action | Permission Level and Applicable Scenarios
InstanceViewer

  • Role Description: Instance Viewer Role
  • Permission Scope: Read-only access to specified instances within the environment (excluding message viewing).
  • Action:
    • Instance:ListInstances
    • Instance:GetInstance
    • Instance:GetInstanceMetadata
    • Instance:ListInstanceACLPolicies
    • Instance:ListInstanceACLUsers
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:GetConsumerGroup
    • Topic:GetTopic
    • Topic:ListTopics
    • Profile:GetDeployProfile
    • Profile:ListDeployProfiles
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink

InstanceDeveloper

  • Role Description: Instance Developer
  • Permission Scope: Access to specified instances within the environment and management of resources like Topic and Group within the instance. Instance developers cannot perform instance configuration changes, upgrades, etc.
  • Action:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:ListInstanceACLPolicies
    • Instance:CreateInstanceACLPolicy
    • Instance:DeleteInstanceACLPolicy
    • Instance:GetInstanceMetadata
    • Instance:ListInstanceACLUsers
    • Instance:CreateInstanceACLUser
    • Instance:DeleteInstanceACLUser
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:CreateConsumerGroup
    • ConsumerGroup:GetConsumerGroup
    • ConsumerGroup:UpdateConsumerGroup
    • ConsumerGroup:DeleteConsumerGroup
    • Topic:ListTopics
    • Topic:CreateTopic
    • Topic:GetTopic
    • Topic:DeleteTopic
    • Topic:UpdateTopic
    • Topic:CreateMessage
    • Profile:GetDeployProfile
    • Profile:ListDeployProfiles
    • Environment:GetMessage

InstanceAdmin

  • Role Description: Instance Admin Role
  • Permission Scope: Access to view, modify, and delete specified instances within the environment.
  • Action:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:UpdateInstance
    • Instance:GetInstanceMetadata
    • Instance:DeleteInstance
    • Instance:UpdateInstanceIntegration
    • Instance:ListInstanceACLUsers
    • Instance:CreateInstanceACLUser
    • Instance:DeleteInstanceACLUser
    • Instance:ListInstanceACLPolicies
    • Instance:CreateInstanceACLPolicy
    • Instance:DeleteInstanceACLPolicy
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:CreateConsumerGroup
    • ConsumerGroup:GetConsumerGroup
    • ConsumerGroup:UpdateConsumerGroup
    • ConsumerGroup:DeleteConsumerGroup
    • Topic:CreateTopic
    • Topic:GetTopic
    • Topic:DeleteTopic
    • Topic:UpdateTopic
    • Topic:ListTopics
    • Topic:CreateMessage
    • Profile:GetDeployProfile
    • Profile:ListDeployProfiles
    • Environment:GetMessage
    • Integration:ListIntegrations
    • Integration:ListIntegrationTypes
    • KafkaLinking:CreateKafkaLink
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink
    • KafkaLinking:DeleteKafkaLink

IntegrationAdmin

  • Role Description: Integration Administrator
  • Permission Scope: Access and edit specified integrations within the environment.
  • Action:
    • Integration:UpdateInstanceIntegration
    • Integration:ListIntegrations
    • Integration:GetIntegration
    • Integration:UpdateIntegration
    • Integration:DeleteIntegration
    • Integration:ListIntegrationTypes
    • Profile:ListDeployProfiles
    • Profile:GetDeployProfile

EnvironmentViewer

  • Role Description: Environment Read-Only Member Role
  • Permission Scope: Read-only access to instance resources within the environment; cannot manage the environment or other members (excluding message viewing).
    • Instance Viewing
    • Integration Viewing
  • Action:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:ListInstanceACLPolicies
    • Instance:GetInstanceMetadata
    • Instance:ListInstanceACLUsers
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:GetConsumerGroup
    • Topic:ListTopics
    • Topic:GetTopic
    • Integration:ListIntegrations
    • Integration:GetIntegration
    • Integration:ListIntegrationTypes
    • Migration:ListMigrations
    • Migration:GetMigration
    • Profile:ListDeployProfiles
    • Profile:GetDeployProfile
    • Environment:ListProductVersions
    • Environment:ListProviders
    • Environment:ListRegions
    • Environment:ListZones
    • Environment:ListSubnets
    • Environment:ListNodeGroups
    • Environment:GetNodeGroup
    • Environment:GetEnvironment
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink

EnvironmentOperator

  • Role Description: Environment Operator Member Role
  • Permission Scope: Write access to instance resources within the environment; cannot manage the environment or other members:
    • Integration Management
    • Instance Management
  • Action:
    • Instance:GetInstance
    • Instance:ListInstances
    • Instance:ListInstanceACLPolicies
    • Instance:CreateInstanceACLPolicy
    • Instance:DeleteInstanceACLPolicy
    • Instance:CreateInstance
    • Instance:UpdateInstance
    • Instance:DeleteInstance
    • Instance:GetInstanceMetadata
    • Instance:UpdateInstanceIntegration
    • Instance:ListInstanceACLUsers
    • Instance:CreateInstanceACLUser
    • Instance:DeleteInstanceACLUser
    • Topic:ListTopics
    • Topic:CreateTopic
    • Topic:GetTopic
    • Topic:DeleteTopic
    • Topic:UpdateTopic
    • Topic:CreateMessage
    • ConsumerGroup:ListConsumerGroups
    • ConsumerGroup:CreateConsumerGroup
    • ConsumerGroup:GetConsumerGroup
    • ConsumerGroup:UpdateConsumerGroup
    • ConsumerGroup:DeleteConsumerGroup
    • Integration:ListIntegrations
    • Integration:CreateIntegration
    • Integration:GetIntegration
    • Integration:UpdateIntegration
    • Integration:DeleteIntegration
    • Integration:ListIntegrationTypes
    • Migration:CreateMigration
    • Migration:UpdateMigration
    • Migration:ListMigrations
    • Migration:GetMigration
    • Migration:DeleteMigration
    • Profile:ListDeployProfiles
    • Profile:GetDeployProfile
    • Profile:CreateDeployProfile
    • Profile:UpdateDeployProfile
    • Profile:DeleteDeployProfile
    • Environment:CreateProductVersion
    • Environment:GetDeploymentOrder
    • Environment:ListProductVersions
    • Environment:ListProviders
    • Environment:ListRegions
    • Environment:ListZones
    • Environment:ListSubnets
    • Environment:ListNodeGroups
    • Environment:GetNodeGroup
    • Environment:GetMessage
    • Environment:DeleteEndPoint
    • Environment:CreateEndPoint
    • KafkaLinking:CreateKafkaLink
    • KafkaLinking:ListKafkaLinks
    • KafkaLinking:GetKafkaLink
    • KafkaLinking:DeleteKafkaLink

EnvironmentAdmin

  • Role Description: Environment Administrator
  • Permissions: Has full operational access to all resources within the environment, including but not limited to:
    • Manage Members
    • Manage Integrations
    • Manage Instances
  • Action: All

By utilizing built-in roles and their corresponding operations, administrators can flexibly manage permissions in the AutoMQ console, ensuring both system security and efficiency.
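
The following added example (not AutoMQ code and not part of the original page) models three of the instance-level roles from the table above and picks the least-privileged role that covers a set of required actions. The action names are copied from this page; the helper names `expand`, `least_privileged_role` and `role_delta` are hypothetical.

```python
# Added example: role data copied from the table on this page (three of the
# built-in roles); helper names are hypothetical, not an AutoMQ API.

def expand(spec):
    """{"Topic": "GetTopic ListTopics"} -> {"Topic:GetTopic", "Topic:ListTopics"}"""
    return {f"{res}:{op}" for res, ops in spec.items() for op in ops.split()}

ACL_RO = "ListInstanceACLPolicies ListInstanceACLUsers"
ACL_RW = ACL_RO + (" CreateInstanceACLPolicy DeleteInstanceACLPolicy"
                   " CreateInstanceACLUser DeleteInstanceACLUser")
INSTANCE_RO = "ListInstances GetInstance GetInstanceMetadata "
GROUP_RW = ("ListConsumerGroups CreateConsumerGroup GetConsumerGroup "
            "UpdateConsumerGroup DeleteConsumerGroup")
TOPIC_RW = "ListTopics CreateTopic GetTopic DeleteTopic UpdateTopic CreateMessage"
PROFILE_RO = "GetDeployProfile ListDeployProfiles"

ROLES = {
    "InstanceViewer": expand({
        "Instance": INSTANCE_RO + ACL_RO,
        "ConsumerGroup": "ListConsumerGroups GetConsumerGroup",
        "Topic": "GetTopic ListTopics",
        "Profile": PROFILE_RO,
        "KafkaLinking": "ListKafkaLinks GetKafkaLink",
    }),
    "InstanceDeveloper": expand({
        "Instance": INSTANCE_RO + ACL_RW,
        "ConsumerGroup": GROUP_RW, "Topic": TOPIC_RW, "Profile": PROFILE_RO,
        "Environment": "GetMessage",
    }),
    "InstanceAdmin": expand({
        "Instance": INSTANCE_RO + ACL_RW
                    + " UpdateInstance DeleteInstance UpdateInstanceIntegration",
        "ConsumerGroup": GROUP_RW, "Topic": TOPIC_RW, "Profile": PROFILE_RO,
        "Environment": "GetMessage",
        "Integration": "ListIntegrations ListIntegrationTypes",
        "KafkaLinking": "CreateKafkaLink ListKafkaLinks GetKafkaLink DeleteKafkaLink",
    }),
}

def least_privileged_role(required):
    """Smallest role whose action set covers `required`, or None if none does."""
    covering = [(len(a), name) for name, a in ROLES.items() if set(required) <= a]
    return min(covering)[1] if covering else None

def role_delta(old, new):
    """(gained, lost) actions when an account is rebound from `old` to `new`."""
    return sorted(ROLES[new] - ROLES[old]), sorted(ROLES[old] - ROLES[new])
```

As listed on this page, InstanceDeveloper is not a superset of InstanceViewer: `role_delta("InstanceViewer", "InstanceDeveloper")` reports the two KafkaLinking read actions as lost and `Environment:GetMessage` among those gained, which is worth reviewing before rebinding an account.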