SecurityPDF version

Access Control for Teams and Projects

When a team or project is created, the Team/Project Admin role is assigned to the user who created it. Other Team/Project Admins can be assigned later but there must always be at least one user assigned as Admin for the team or project. Team and project administrators then decide what level of access other users are granted per-team or per-project.

Users who are explicitly added to a project are referred to as project collaborators. Project collaborators can be assigned one of the following levels of access:

  • Viewer - Read-only access to code, data, and results.
  • Operator - Read-only access to code, data, and results. Additionally, Operators can start and stop existing jobs in the projects that they have access to.
  • Contributor - Can view, edit, create, and delete files and environmental variables, run sessions/experiments/jobs/models and execute code in running jobs. Additionally, Contributors can set the default engine for the project.
  • Admin - Has complete access to all aspects of the project. This includes the ability to add new collaborators, and delete the entire project.

Users who are explicitly added to a team are referred to as team members. Team members can be assigned one of the following levels of access:

  • Viewer - Read-only access to team projects. Cannot create new projects within the team but can be added to existing ones.
  • Operator - Read-only access to team projects. Cannot create new projects within the team but can be added to existing ones. Additionally, Operators can start and stop existing jobs in the projects that they have access to.
  • Contributor - Write-level access to all team projects to all team projects with Team or Public visibility. Can create new projects within the team. They can also be added to existing team projects.
  • Admin - Has complete access to all team projects, can add new team members, and modify team account information.

Projects can be created either in your personal context, or in a team context. Furthermore, projects can be created with one of the following visibility levels:

  • Private - Private projects can be created either in your personal context, or in a team context. They can only be accessed by project collaborators.
  • Team - Team projects can only be created in a team context. They can be viewed by all members of the team.
  • Public - Public projects can be created either in your personal context, or in a team context. They can be viewed by all authenticated Cloudera Data Science Workbench users.

It is important to remember that irrespective of the visibility level of the project, site administrators will always have complete Admin-level access to all projects on Cloudera Data Science Workbench. Additionally, depending on the visibility level of the project, and the context in which it was created, a few other users/team members might also have Contributor or Admin-level access to your project by default.

Use the following table to find out who might have default access to your projects on Cloudera Data Science Workbench.

Project Visibility Access Levels for Cloudera Data Science Workbench Users
Private Visibility

Private Projects Created in Personal Context

The following user roles will have access to private projects in your personal context:

Admin Access
  • Site Administrators
  • Project Admins
Contributor Access
  • Collaborators explicitly added to the project and given Contributor access.
Operator Access
  • Operators explicitly added to the project and given Operator access.
Viewer Access
  • Viewers explicitly added to the project and given Viewer access.

Private Projects Created in a Team Context

For private projects created within a team context, project-level permissions granted by Project Admins will take precedence over team-level permissions. The only exception to this rule are users who are Team Admins. Team Admins will always have Admin-level access to all projects within their team context, irrespective of the access level granted to them per-project.

The following user roles will have access to private projects created within a team context:

Admin Access
  • Site Administrators
  • Project Admins
  • Team Admins
Contributor Access
  • Collaborators explicitly added to the project and given Contributor access.

Operator Access
  • Operators explicitly added to the project and given Operator access.
Viewer Access
  • Viewers explicitly added to the project and given Viewer access.
Team Visibility

Team Projects

Projects with Team visibility can only be created in a team context. For team projects, both team access levels and project access levels must be taken into consideration to determine who has access to these projects.

Points to note:
  • Team members do not need to be explicitly added as project collaborators to have access to a team project. While you can explicitly invite specific team members to collaborate on your project, it is important to remember that all team members will have some level of access to your project.

    The project Collaborators page does not list all team members; it only lists those you have explicitly added as collaborators. However, team members will still have access to all team projects. By default, their level of access to the projects is the same as their level of access to the team.

  • Project Admins cannot downgrade access levels for team members. If project-level permissions don't match up to team-level permissions, team permissions will take precedence.

    For example, if you add a Team Contributor as a collaborator to a team project, but only give them Project Viewer permission, the user will still have Contributor-level access to the project. Similarly, Team Admins will always have Admin-level access to all projects within their team context, irrespective of the access level granted to them per-project.

  • Project Admins also cannot upgrade access levels for team members with Viewer-level access to the team. That is, Team Viewers cannot be given Contributor or Admin access to any team projects.

The following user roles will have access to team projects on Cloudera Data Science Workbench:

Admin Access
  • Site Administrators
  • Team Admins
  • Project Admins
Contributor Access
  • All team members with Contributor access.

Operator Access
  • All team members with Operator access.
Viewer Access
  • All team members with Viewer access.
Public Visibility

Public Projects Created in Personal Context

The following user roles will have access to public projects on Cloudera Data Science Workbench:

Admin Access
  • Site Administrators
  • Project Admins
Contributor Access
  • Collaborators explicitly added to the project and given Contributor access.
Operator Access
  • Operators explicitly added to the project and given Operator access.
Viewer Access
  • All authenticated CDSW users.

Public Projects Created in a Team Context

The following user roles will have access to public projects created in team contexts:

Admin Access
  • Site Administrators
  • Project Admins
  • Team Admins
Contributor Access
  • All team members with Contributor access.

    The team/project access rules and nuances described in the Team section apply here as well.

Operator Access
  • All team members with Operator access.
Viewer Access
  • All authenticated CDSW users.