Overview

Last Updated: Feb 07, 2024

This topic describes the permission scope and authorization operations of ApsaraMQ for RocketMQ.

Background information

ApsaraMQ for RocketMQ allows you to use Resource Access Management (RAM) to manage permissions. RAM allows you to create and manage multiple identities for an Alibaba Cloud account and grant multiple permissions to a single identity or a group of identities. This way, you can authorize different identities to access different Alibaba Cloud resources.

For more information, see What is RAM?

Permission scope

The following table describes the permission scope of ApsaraMQ for RocketMQ resources based on usage methods.

Permission scope: Call API operations
Description: Call API operations to manage ApsaraMQ for RocketMQ resources. For example, you can call API operations to create instances, delete topics, and query messages.
Authorization required or not:
  • Alibaba Cloud account: By default, all permissions are granted. No authorization is required.
  • RAM user: A RAM user can access specific resources only after the corresponding permissions are granted.

Permission scope: Use the console
Description: Perform operations in the ApsaraMQ for RocketMQ console. For example, you can create instances, delete topics, or query messages in the console.
Authorization required or not:
  • Alibaba Cloud account: By default, all permissions are granted. No authorization is required.
  • RAM user: A RAM user can access specific resources only after the corresponding permissions are granted.

Permission scope: Send and receive messages by using SDKs
Description: Use SDKs to connect to ApsaraMQ for RocketMQ brokers to send and receive messages.
Authorization required or not: ApsaraMQ for RocketMQ 5.x instances use virtual private clouds (VPCs) for identity authentication. By default, Alibaba Cloud accounts and RAM users are granted permissions to send and receive messages on ApsaraMQ for RocketMQ 5.x instances. Therefore, no RAM authorization is required for message sending and receiving.

Authorization operations

The following table describes the authorization operations that are supported by ApsaraMQ for RocketMQ.

Authorization operation: Grant permissions to RAM users
Authorization scenario: An Alibaba Cloud account grants permissions to RAM users. The RAM users who are granted permissions can manage the specified resources in the Alibaba Cloud account by calling API operations or in the ApsaraMQ for RocketMQ console.
Permission scope:
  • Call API operations
  • Use the console
Authorization granularity:
  • System resources: grant RAM users specific permissions on all ApsaraMQ for RocketMQ resources.
  • Custom permissions: grant RAM users permissions on a specific ApsaraMQ for RocketMQ resource, such as an instance, a topic, or a group.

Authorization operation: Grant permissions across Alibaba Cloud accounts by using a RAM role
Authorization scenario: Alibaba Cloud Account A grants permissions to RAM users in Alibaba Cloud Account B. RAM users in Alibaba Cloud Account B can manage the specified resources in Alibaba Cloud Account A by calling API operations or in the ApsaraMQ for RocketMQ console.
Permission scope:
  • Call API operations
  • Use the console

Authorization operation: Service-linked roles
Authorization scenario: An Alibaba Cloud account assumes a specific service-linked role to obtain the access permissions that are granted to the role. RAM users automatically inherit the service-linked role that the Alibaba Cloud account assumes.
Permission scope: Service-linked roles (RAM roles)
Authorization granularity: Access permissions on specific cloud services.
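The difference between the two authorization granularities above (system resources versus custom permissions on one instance) is easiest to see by evaluating RAM-style policy documents against concrete requests. The following is an added example written for this page, not code from Alibaba Cloud or from the ApsaraMQ for RocketMQ documentation. The policy layout (Version, Statement, Effect, Action, Resource) and the rule that an explicit Deny overrides any Allow follow RAM's general policy model; the action names (mq:...) and the resource strings are illustrative placeholders constructed for the example, not verified ApsaraMQ for RocketMQ identifiers, so substitute the identifiers from the product's own policy reference when writing a real policy.

```python
"""Added example (not from the ApsaraMQ for RocketMQ documentation).

Minimal evaluator for RAM-style permission policies, contrasting a
"system resources" policy (Resource "*") with a "custom permissions"
policy scoped to a single instance. Action names and resource strings
below are constructed placeholders, not verified RAM identifiers.
"""
import fnmatch

# Constructed policy in the "system resources" style: every management
# action on every ApsaraMQ for RocketMQ resource.
SYSTEM_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["mq:*"], "Resource": "*"},
    ],
}

# Constructed policy in the "custom permissions" style: read-only actions
# on one instance, plus an explicit Deny on delete actions. The resource
# string format is a placeholder modelled on ARN-like RAM resource names.
CUSTOM_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["mq:Query*"],
            "Resource": ["acs:mq:*:*:instance/MQ_INST_EXAMPLE_1"],
        },
        {"Effect": "Deny", "Action": ["mq:Delete*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive wildcard match ('*' and '?') of value against any pattern."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Return True if some attached policy allows the request and none denies it.

    Mirrors RAM's evaluation order: a matching Deny statement wins outright;
    otherwise at least one matching Allow statement is required.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides any Allow
            allowed = True
    return allowed


if __name__ == "__main__":
    inst1 = "acs:mq:*:*:instance/MQ_INST_EXAMPLE_1"  # constructed
    inst2 = "acs:mq:*:*:instance/MQ_INST_OTHER"      # constructed
    for label, policies in (("system", [SYSTEM_POLICY]), ("custom", [CUSTOM_POLICY])):
        for action, res in (("mq:QueryMessage", inst1), ("mq:QueryMessage", inst2),
                            ("mq:DeleteTopic", inst1)):
            print(f"{label:7} {action:16} {res}: {is_allowed(policies, action, res)}")
```

Attaching both policies to one RAM user shows the Deny semantics: the system policy alone permits mq:DeleteTopic, but once the custom policy is also attached its Deny statement blocks the delete on every instance, while reads on the named instance remain allowed.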

Version compatibility

ApsaraMQ for RocketMQ 5.x brokers require authorization that is independent of the authorization for ApsaraMQ for RocketMQ 4.x brokers: a permission policy written for one version does not cover the other.

For example, if you use permission policies for ApsaraMQ for RocketMQ 4.x brokers to grant RAM users permissions to perform all operations in the ApsaraMQ for RocketMQ console, those RAM users can perform operations on ApsaraMQ for RocketMQ 4.x resources in the console. If they also need to manage ApsaraMQ for RocketMQ 5.x resources in the console, you must grant them permissions again by using permission policies for ApsaraMQ for RocketMQ 5.x brokers.