Subaccount Management
The Subaccount Management feature of the EMQX Platform is an essential component designed to help enterprises achieve fine-grained multi-role management and access control. This functionality allows users to create and manage subaccounts, assign different roles and permissions, and meet the needs of complex team collaborations, ensuring the secure and efficient utilization of resources and data.
This page provides a comprehensive guide to the Subaccount Management functionality, including creating subaccounts, assigning role permissions, and managing common operations for subaccounts. This helps enterprises maximize collaboration and security through effective user management
Subaccounts System
A subaccount is an independent account created and activated by the root user (or an administrator account) in the EMQX Platform. Each subaccount has a specific role, such as Administrator, Project Administrator, Project User, Accountant, or Auditor, each with a defined scope of permissions. These roles cover various scenarios, including project and deployment management, financial operations, and auditing.
The role-based permission system allows enterprises to allocate specific functional modules and operations to subaccounts, making it easier to manage projects and resources based on responsibility.
The platform also provides an intuitive interface for subaccount management, enabling users to authorize projects, modify roles, manage passwords, and activate or deactivate accounts.
Roles and Permissions
Administrator: This account has full platform permissions equivalent to the root user and acts as the super administrator within the sub-account system. Although administrators have the same functionality as the primary account, they are still part of the subaccount hierarchy.
Project Administrator: Has permission to view and modify projects, as well as to modify and delete deployments. This role is primarily intended for managing project deployments. For example, if an organization or department requires exclusive management of a specific project cluster, a designated individual can be assigned as a Project Administrator to oversee those projects without access to unauthorized projects.
Project User: Has permission to view projects and to view and edit deployments. Typically, Project Users are business personnel who, in addition to viewing projects and deployments, can access deployment details, utilize data integration and monitoring features, and address relevant business needs.
Accountant: Has financial management permissions and can also view projects and deployments. Financial personnel can monitor the current billing status of the platform account and manage balances, invoices, and other related matters.
Auditor: Can view projects and deployments, as well as sub-user and financial details. The Auditor role is designed to meet internal audit needs within a company, providing read-only access to various platform functionalities.
Subaccount Login
Subaccount login is conducted through a dedicated login page, separate from the root user. After entering the assigned account credentials, subaccounts can access resources and projects based on their assigned roles.
Below is the subaccount login interface:
Create and Activate Subaccounts
Create a Subaccount
Subaccounts can only be created by the root user or an administrator.
- Click Subaccounts from the top menu of the Console.
- Click + Create Subaccount and fill in the required details:
- Subaccount: Enter the invitee's email address.
- Password: Set a password (modifiable later by the administrator or the subaccount itself).
- Role: Assign one or more roles.
- Note: Optional field for additional details.
- Click Confirm to complete the creation process.
Activate an Account
Subaccounts need to be activated after email verification. The invited user will receive an activation email, and they can verify and activate the account by clicking the link in the email.
Please note that the invitation email contains two addresses: one for the initial activation and login, and the other for regular login used in the future. The initial password is provided by the user who created the sub-account (the root user or administrator).
Note
The activation link in the invitation email is valid for 1 hour. Please complete the login verification within the specified time.
The first link in the image is for the initial activation and login, while the second link is for regular subsequent logins. Please do not confuse the two.
After the subaccount logs in, it can manage the platform according to the role permissions set by the root user or administrator. If access to a specific project is needed, please contact the root user or administrator.
Manage Subaccounts
The user management functionality is only available for two types of subaccount roles: Administrators, who have full operational permissions, and Auditors, who can view the user list.
At the top of the user management page, the subaccount login address is displayed, specifically for subaccount login. It can be sent to members if they forget the login address.
The project list displays the current subaccount information. A subaccount's status will only be activated once it has passed email verification. When creating a new user as a project administrator or project user role, a prompt will appear to authorize the project to that user. Otherwise, after logging in, the subaccount will not have access to any projects or deployments.
Project authorization operations can be modified from the account's perspective, associating the current role with specific projects. It is important to note that when the account's role is only Accountant, Audit, or Administrator, the project authorization functionality will be grayed out. This is because administrators have default access to all project permissions, while Account and Audit roles have default read-only access to all projects.
When an account has both the Project Administrator and Project User roles, remember to switch between the different roles to manage authorization.
More Operating Options
More operations provide additional action options for the subaccounts.
Change Password: The root user or administrator role can modify the subaccount's password.
Change Role: You can modify or add roles for the subaccount.
Disable/Enable: Once a subaccount is disabled, it will no longer be able to log in until the account is reactivated.
When a role is disabled, it cannot be associated with projects and will not appear in the list of associated projects in the project center.
Delete: Deleting an account is irreversible.
Role Permissions Matrix
The user management feature provides a detailed permissions matrix to cater to enterprise needs for role-based management. Each role is assigned specific operational and project permissions.
Note: ✓ (Allow), ✗ (Deny), Read only (View only)
| Permissions | Project Administrator | Project User | Accountant | Auditor | |
|---|---|---|---|---|---|
| Deployment | View deployment list | ✓ | ✓ | ✓ | ✓ |
| View deployment details (all features within deployments) | ✓ | ✓ | ✓ | ✓ | |
| Create new deployments | ✓ | ✗ | ✗ | ✗ | |
| Move deployments to other projects | ✓ | ✗ | ✗ | ✗ | |
| Start/Stop the deployment | ✓ | ✗ | ✗ | ✗ | |
| Delete deployment | ✓ | ✗ | ✗ | ✗ | |
| Change deployment's name | ✓ | ✓ | ✗ | ✗ | |
| Change deployment tiers | ✓ | ✗ | ✗ | ✗ | |
| Change spend limit for Serverless | ✓ | ✗ | ✗ | ✗ | |
| Update BYOC license | ✓ | ✗ | ✗ | ✗ | |
| Ports management | ✓ | ✓ | ✗ | ✗ | |
| TLS/SSL configuration | ✓ | ✓ | Read only | Read only | |
| Deployment API key | ✓ | ✓ | Read only | Read only | |
| VPC/PrivateLink configuration | ✓ | ✓ | Read only | Read only | |
| NAT gateway/Internal endpoint configuration | ✓ | Read only | Read only | Read only | |
| Access control configuration | ✓ | ✓ | Read only | Read only | |
| Monitoring management | ✓ | ✓ | Read only | Read only | |
| Data integration configuration | ✓ | ✓ | Read only | Read only | |
| Cluster linking configuration (Premium) | ✓ | ✓ | Read only | Read only | |
| Gateway configuration (Dedicated & Premium) | ✓ | ✓ | Read only | Read only | |
| Logs | ✓ | ✓ | ✓ | ✓ | |
| View event history (Premium) | ✓ | ✓ | ✓ | ✓ | |
| Online test | ✓ | ✓ | ✓ | ✓ | |
| EMQX Streaming (Premium) | View overview | ✓ | ✓ | ✓ | ✓ |
| Streams management | ✓ | ✓ | Read only | Read only | |
| View consumer groups | ✓ | ✓ | ✓ | ✓ | |
| Access control configuration | ✓ | ✓ | Read only | Read only | |
| Smart Data Hub (Dedicated/Premium) | Subscribe/Unsubscribe | ✓ | ✓ | ✗ | ✗ |
| Schema Registry | ✓ | ✓ | Read-only | Read-only | |
| Schema Validation | ✓ | ✓ | Read-only | Read-only | |
| Message Transformation | ✓ | ✓ | Read-only | Read-only | |
| Subaccounts | View subaccounts list | ✗ | ✗ | ✗ | ✓ |
| Subaccounts operation | ✗ | ✗ | ✗ | ✗ | |
| Project Management | View project list | ✓ (authorized projects only) | ✓ (authorized projects only) | ✓ | ✓ |
| Create new projects | ✗ | ✗ | ✗ | ✗ | |
| Delete project | ✗ | ✗ | ✗ | ✗ | |
| Edit project name and note | ✓ | ✗ | ✗ | ✗ | |
| Project bind subaccounts | ✗ | ✗ | ✗ | ✗ | |
| Billing | Billing overview | ✗ | ✗ | ✓ | ✓ |
| Change payment info | ✗ | ✗ | ✓ | ✗ | |
| View bills page | ✗ | ✗ | ✓ | ✓ | |
| View charges by services page | ✗ | ✗ | ✓ | ✓ | |
| View coupons | ✗ | ✗ | ✓ | ✓ | |
| View invoices | ✗ | ✗ | ✓ | ✓ | |
| Download invoices | ✗ | ✗ | ✓ | ✗ | |
| Subscription renewal | ✓ | ✗ | ✗ | ✗ | |
| Audit Logs | ✗ | ✗ | ✗ | ✓ | |
| Platform API key | View platform API key | ✗ | ✗ | ✗ | ✓ |
| Manage platform API key | ✗ | ✗ | ✗ | ✗ | |
| Tickets | ✓ | ✓ | ✓ | ✓ | |