Help Center/ Distributed Message Service for Kafka/ API Reference/ Permissions and Supported Actions/ Actions Supported by Policy-based Authorization
Updated on 2025-11-19 GMT+08:00
View PDF
Share

Actions Supported by Policy-based Authorization

This section describes the actions supported by DMS for Kafka in policy-based authorization.

Supported Actions

System-defined policies that can be directly used in IAM are provided. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

  • Permissions: statements in a policy that allow or deny certain operations
  • APIs: REST APIs that can be called by a user who has been granted specific permissions
  • Actions: specific operations that are allowed or denied in a custom policy
  • Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
  • IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.

DMS for Kafka supports the following actions in custom policies:

  • Lifecycle management actions, including actions supported by Kafka instance lifecycle management APIs, such as the APIs for creating an instance, querying the instance list, modifying instance information, and batch restarting or deleting instances.
  • Instance management actions, including actions supported by Kafka instance management APIs, such as the APIs for resetting passwords and enabling or disabling automatic topic creation.
  • Smart Connect actions, including actions supported by Smart Connect APIs, such as the APIs for enabling or disabling Smart Connect, creating a Smart Connect task.
  • Specification modification management action, supported by the specification modification management API for modifying instance specifications.
  • Topic management actions, including actions supported by topic management APIs, such as the APIs for creating, querying, and modifying topics.
  • User management actions, including actions supported by user management APIs, such as the APIs for creating users, querying users, and configuring user permissions.
  • Message query actions, including actions supported by message query APIs, such as the API for querying messages.
  • Background task management actions, including actions supported by background task management APIs, such as the APIs for querying the background task list of an instance and querying a specified background task.
  • Tag management actions, including actions supported by tag management APIs, such as the APIs for querying instance tags and project tags.

Lifecycle Management

Table 1 Lifecycle management actions

Permission

API

Action

IAM

(Project)

Enterprise

(Enterprise Project)

Creating an instance

POST /v2/{project_id}/kafka/instances

dms:instance:create

Querying the instance list

GET /v2/{project_id}/instances

dms:instance:list

Querying an instance

GET /v2/{project_id}/instances/{instance_id}

dms:instance:get

Deleting an instance

DELETE /v2/{project_id}/instances/{instance_id}

dms:instance:delete

Modifying an instance

PUT /v2/{project_id}/instances/{instance_id}

dms:instance:modify

Batch restarting or deleting instances

POST /v2/{project_id}/instances/action

Restart: dms:instance:modifyStatus

Delete: dms:instance:delete

Instance Management

Table 2 Instance management actions

Permission

API

Action

IAM

(Project)

Enterprise

(Enterprise Project)

Resetting a password

POST /v2/{project_id}/instances/{instance_id}/password

dms:instance:resetAuthInfo

Resetting the Kafka Manager password

PUT /v2/{project_id}/instances/{instance_id}/kafka-manager-password

dms:instance:resetAuthInfo

Restarting Kafka Manager

PUT /v2/{project_id}/instances/{instance_id}/restart-kafka-manager

dms:instance:modifyStatus

Configuring automatic topic creation

POST /v2/{project_id}/instances/{instance_id}/autotopic

dms:instance:modify

Modifying the private IP address for cross-VPC access

POST /v2/{project_id}/instances/{instance_id}/crossvpc/modify

dms:instance:modify

Resetting consumer group offset to the specified position

POST /v2/{project_id}/instances/{instance_id}/management/groups/{group}/reset-message-offset

dms:instance:modify

Smart Connect

Table 3 Smart Connect

Permission

API

Action

IAM Project

Enterprise Project

Enabling Smart Connect

POST /v2/{project_id}/instances/{instance_id}/connector

dms:instance:connector

Disabling Smart Connect

POST /v2/{project_id}/kafka/instances/{instance_id}/delete-connector

dms:instance:connector

Creating a Smart Connect task

POST /v2/{project_id}/instances/{instance_id}/connector/tasks

dms:instance:createConnectorSinkTask

Listing Smart Connect tasks

GET /v2/{project_id}/instances/{instance_id}/connector/tasks

dms:instance:listConnectorSinkTask

Querying Smart Connect task details

GET /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}

dms:instance:getConnectorSinkTask

Deleting Smart Connect tasks

DELETE /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}

dms:instance:deleteConnectorSinkTask

Pausing Smart Connect tasks

PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}/pause

dms:instance:updateConnectorTask

Restarting Smart Connect tasks

PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}/resume

dms:instance:updateConnectorTask

Starting a Smart Connect task or restarting a paused or running Smart Connect task

PUT /v2/{project_id}/kafka/instances/{instance_id}/connector/tasks/{task_id}/restart

dms:instance:updateConnectorTask

Specification Modification Management

Table 4 Specification modification management action

Permission

API

Action

IAM Project

Enterprise Project

Modifying instance specifications

POST /v2/{project_id}/kafka/instances/{instance_id}/extend

dms:instance:scale

Topic Management

Table 5 Topic management actions

Permission

API

Action

IAM Project

Enterprise Project

Creating a topic in a Kafka instance

POST /v2/{project_id}/instances/{instance_id}/topics

dms:instance:modify

Querying a topic in a Kafka instance

GET /v2/{project_id}/instances/{instance_id}/topics

dms:instance:get

Modifying topics of a Kafka instance

PUT /v2/{project_id}/instances/{instance_id}/topics

dms:instance:modify

Deleting topics in a Kafka instance in batches

POST /v2/{project_id}/instances/{instance_id}/topics/delete

dms:instance:modify

User Management

Table 6 User management actions

Permission

API

Action

IAM Project

Enterprise Project

Querying the user list

GET /v2/{project_id}/instances/{instance_id}/users

dms:instance:get

Creating a user

POST /v2/{project_id}/instances/{instance_id}/users

dms:instance:modify

Deleting users in batches

PUT /v2/{project_id}/instances/{instance_id}/users

dms:instance:modify

Resetting a user password

PUT /v2/{project_id}/instances/{instance_id}/users/{user_name}

dms:instance:get

Querying user permissions

GET /v1/{project_id}/instances/{instance_id}/topics/{topic_name}/accesspolicy

dms:instance:get

Granting user permissions

POST /v1/{project_id}/instances/{instance_id}/topics/accesspolicy

dms:instance:modify

Message Query

Table 7 Message query actions

Permission

API

Action

IAM Project

Enterprise Project

Querying messages

GET /v2/{project_id}/instances/{instance_id}/messages

dms:instance:get

Background Task Management

Table 8 Background task management actions

Permission

API

Action

IAM Project

Enterprise Project

Listing background tasks

GET /v2/{project_id}/instances/{instance_id}/tasks

dms:instance:getBackgroundTask

Querying a background task

GET /v2/{project_id}/instances/{instance_id}/tasks/{task_id}

dms:instance:getBackgroundTask

Deleting a background task

DELETE /v2/{project_id}/instances/{instance_id}/tasks/{task_id}

dms:instance:deleteBackgroundTask

Tag Management

Table 9 Tag management actions

Permission

API

Action

IAM Project

Enterprise Project

Batch adding or deleting tags

POST /v2/{project_id}/kafka/{instance_id}/tags/action

dms:instance:modify

Listing tags of an instance

GET /v2/{project_id}/kafka/{instance_id}/tags

dms:instance:get

Listing tags of a project

GET /v2/{project_id}/kafka/tags

dms:instance:get

Table 10 shows fine-grained permission dependencies of DMS for Kafka.

Table 10 Fine-grained permission dependencies of DMS for Kafka

Permission

Description

Dependency

dms:instance:list

Viewing the instance list

None.

dms:instance:get

Viewing instance details

None.

dms:instance:create

Creating an instance
  • vpc:vpcs:get
  • vpc:ports:create
  • vpc:securityGroups:get
  • vpc:ports:get
  • vpc:subnets:get
  • vpc:vpcs:list
  • vpc:publicIps:get
  • vpc:publicIps:list
  • vpc:ports:update
  • vpc:publicIps:update
  • vpc:ports:delete

dms:instance:getBackgroundTask

Viewing background task details

None.

dms:instance:deleteBackgroundTask

Deleting a background task

None.

dms:instance:modifyStatus

Restarting an instance

None.

dms:instance:resetAuthInfo

Resetting an instance password

None.

dms:instance:modifyAuthInfo

Changing an instance password

None.

dms:instance:modify

Modifying an instance
  • vpc:vpcs:get
  • vpc:ports:create
  • vpc:securityGroups:get
  • vpc:ports:get
  • vpc:subnets:get
  • vpc:vpcs:list
  • vpc:publicIps:get
  • vpc:publicIps:list
  • vpc:ports:update
  • vpc:publicIps:update
  • vpc:ports:delete

dms:instance:scale

Enabling instance scale-up
  • vpc:vpcs:get
  • vpc:ports:create
  • vpc:securityGroups:get
  • vpc:ports:get
  • vpc:subnets:get
  • vpc:vpcs:list
  • vpc:publicIps:get
  • vpc:publicIps:list
  • vpc:ports:update
  • vpc:publicIps:update

dms:instance:delete

Deleting an instance

None.

dms:instance:connector

Enabling dumping
  • vpc:vpcs:get
  • vpc:ports:create
  • vpc:securityGroups:get
  • vpc:ports:get
  • vpc:subnets:get
  • vpc:vpcs:list
  • vpc:publicIps:get
  • vpc:publicIps:list
  • vpc:ports:update
  • vpc:publicIps:update

dms:instance:createConnectorSinkTask

Creating a dumping task

None.

dms:instance:getConnectorSinkTask

Viewing dumping task details

None.

dms:instance:listConnectorSinkTask

Viewing the dumping task list

None.

dms:instance:deleteConnectorSinkTask

Deleting a dumping task

None.
Parent Topic: Permissions and Supported Actions