AutoMQ supports Role-Based Access Control (RBAC), providing fine-grained permission management to ensure that member accounts and service accounts can access necessary resources with the principle of least privilege. Through RBAC, environment administrators can effectively manage and control access to AutoMQ resources, ensuring system security and stability.

RBAC Principles

The core principle of RBAC is to bind predefined roles to member accounts and service accounts. Each role contains a set of predefined permissions that determine the actions an account can perform. This approach allows administrators to flexibly assign and manage permissions, ensuring users can only access and operate on the resources they are authorized to.

Appendix: Predefined System Roles

AutoMQ provides a series of built-in roles, each corresponding to different levels of permissions to meet the needs of various scenarios. Below is a list of the built-in roles supported by AutoMQ along with their operation lists:
Role
Action
Permission Level and Applicable Scenarios
InstanceViewer
Instance:ListInstances
  • Role Description: Instance Viewer Role
  • Permission Scope: Read-only access to specified instances within the environment (excluding message viewing).
Instance:GetInstance
Instance:GetInstanceMetadata
Instance:ListInstanceACLPolicies
Instance:ListInstanceACLUsers
ConsumerGroup:ListConsumerGroups
ConsumerGroup:GetConsumerGroup
Topic:GetTopic
Topic:ListTopics
Profile:GetDeployProfile
Profile:ListDeployProfiles
KafkaLinking:ListKafkaLinks
KafkaLinking:GetKafkaLink
InstanceDeveloper
Instance:GetInstance
  • Role Description: Instance Developer
  • Permission Scope: Access to specified instances within the environment and management of resources like Topic and Group within the instance. Instance developers cannot perform instance configuration changes, upgrades, etc.
Instance:ListInstances
Instance:ListInstanceACLPolicies
Instance:CreateInstanceACLPolicy
Instance:DeleteInstanceACLPolicy
Instance:GetInstanceMetadata
Instance:ListInstanceACLUsers
Instance:CreateInstanceACLUser
Instance:DeleteInstanceACLUser
ConsumerGroup:ListConsumerGroups
ConsumerGroup:CreateConsumerGroup
ConsumerGroup:GetConsumerGroup
ConsumerGroup:UpdateConsumerGroup
ConsumerGroup:DeleteConsumerGroup
Topic:ListTopics
Topic:CreateTopic
Topic:GetTopic
Topic:DeleteTopic
Topic:UpdateTopic
Topic:CreateMessage
Profile:GetDeployProfile
Profile:ListDeployProfiles
Environment:GetMessage
InstanceAdmin
Instance:GetInstance
  • Role Description: Instance Admin Role
  • Permission Scope: Access to view, modify, and delete specified instances within the environment.
Instance:ListInstances
Instance:UpdateInstance
Instance:GetInstanceMetadata
Instance:DeleteInstance
Instance:UpdateInstanceIntegration
Instance:ListInstanceACLUsers
Instance:CreateInstanceACLUser
Instance:DeleteInstanceACLUser
Instance:ListInstanceACLPolicies
Instance:CreateInstanceACLPolicy
Instance:DeleteInstanceACLPolicy
ConsumerGroup:ListConsumerGroups
ConsumerGroup:CreateConsumerGroup
ConsumerGroup:GetConsumerGroup
ConsumerGroup:UpdateConsumerGroup
ConsumerGroup:DeleteConsumerGroup
Topic:CreateTopic
Topic:GetTopic
Topic:DeleteTopic
Topic:UpdateTopic
Topic:ListTopics
Topic:CreateMessage
Profile:GetDeployProfile
Profile:ListDeployProfiles
Environment:GetMessage
Integration:ListIntegrations
Integration:ListIntegrationTypes
KafkaLinking:CreateKafkaLink
KafkaLinking:ListKafkaLinks
KafkaLinking:GetKafkaLink
KafkaLinking:DeleteKafkaLink
IntegrationAdmin
Integration:UpdateInstanceIntegration
  • Role Description: Integration Administrator
  • Permission Scope: Access and edit specified integrations within the environment.
Integration:ListIntegrations
Integration:GetIntegration
Integration:UpdateIntegration
Integration:DeleteIntegration
Integration:ListIntegrationTypes
Profile:ListDeployProfiles
Profile:GetDeployProfile
EnvironmentViewer
Instance:GetInstance
  • Role Description: Environment Read-Only Member Role
  • Permission Scope: Read-only access to instance resources within the environment; cannot manage the environment or other members (excluding message viewing).
    • Instance Viewing
    • Integration Viewing
Instance:ListInstances
Instance:ListInstanceACLPolicies
Instance:GetInstanceMetadata
Instance:ListInstanceACLUsers
ConsumerGroup:ListConsumerGroups
ConsumerGroup:GetConsumerGroup
Topic:ListTopics
Topic:GetTopic
Integration:ListIntegrations
Integration:GetIntegration
Integration:ListIntegrationTypes
Migration:ListMigrations
Migration:GetMigration
Profile:ListDeployProfiles
Profile:GetDeployProfile
Environment:ListProductVersions
Environment:ListProviders
Environment:ListRegions
Environment:ListZones
Environment:ListSubnets
Environment:ListNodeGroups
Environment:GetNodeGroup
Environment:GetEnvironment
KafkaLinking:ListKafkaLinks
KafkaLinking:GetKafkaLink
EnvironmentOperator
Instance:GetInstance
  • Role Description: Environment Operator Member Role
  • Permission Scope: Write access to instance resources within the environment; cannot manage the environment or other members:
    • Integration Management
    • Instance Management
Instance:ListInstances
Instance:ListInstanceACLPolicies
Instance:CreateInstanceACLPolicy
Instance:DeleteInstanceACLPolicy
Instance:CreateInstance
Instance:UpdateInstance
Instance:DeleteInstance
Instance:GetInstanceMetadata
Instance:UpdateInstanceIntegration
Instance:ListInstanceACLUsers
Instance:CreateInstanceACLUser
Instance:DeleteInstanceACLUser
Topic:ListTopics
Topic:CreateTopic
Topic:GetTopic
Topic:DeleteTopic
Topic:UpdateTopic
Topic:CreateMessage
ConsumerGroup:ListConsumerGroups
ConsumerGroup:CreateConsumerGroup
ConsumerGroup:GetConsumerGroup
ConsumerGroup:UpdateConsumerGroup
ConsumerGroup:DeleteConsumerGroup
Integration:ListIntegrations
Integration:CreateIntegration
Integration:GetIntegration
Integration:UpdateIntegration
Integration:DeleteIntegration
Integration:ListIntegrationTypes
Migration:CreateMigration
Migration:UpdateMigration
Migration:ListMigrations
Migration:GetMigration
Migration:DeleteMigration
Profile:ListDeployProfiles
Profile:GetDeployProfile
Profile:CreateDeployProfile
Profile:UpdateDeployProfile
Profile:DeleteDeployProfile
Environment:CreateProductVersion
Environment:GetDeploymentOrder
Environment:ListProductVersions
Environment:ListProviders
Environment:ListRegions
Environment:ListZones
Environment:ListSubnets
Environment:ListNodeGroups
Environment:GetNodeGroup
Environment:GetMessage
Environment:DeleteEndPoint
Environment:CreateEndPoint
KafkaLinking:CreateKafkaLink
KafkaLinking:ListKafkaLinks
KafkaLinking:GetKafkaLink
KafkaLinking:DeleteKafkaLink
EnvironmentAdmin
All
  • Role Description: Environment Administrator
  • Permissions: Has full operational access to all resources within the environment, including but not limited to:
    • Manage Members
    • Manage Integrations
    • Manage Instances
By utilizing built-in roles and their corresponding operations, administrators can flexibly manage permissions in the AutoMQ console, ensuring both system security and efficiency.