Artifact sharing access levels

When sharing artifacts, in Cloudera Data Engineering, you can provide one of the following access levels to a user:

Full: Provides complete access to manage a particular artifact. A user with full access can manage, kill, or delete an artifact.
View only: Provides access to only view the artifact.

Role-based access for artifacts

Even though you are configuring the artifact access levels, implicit access to the artifacts is given to the users with higher roles. For example, DEAdmin gets full access to all the artifacts in the Cloudera Data Engineering environment, Service Admin gets full access to all the artifacts in that specific Service, and VC Admin gets full access to all the artifacts in that specific Virtual Cluster. The following tables outline the actions users with different roles can perform on artifacts in a Cloudera Data Engineering Virtual Cluster:

Table 1. Role based access
Role	Create	View	Update	Kill	Delete
DE Admin	Yes	Yes	Yes	Yes	Yes
Service Admin	Yes	Yes	Yes	Yes	Yes
VC Admin	Yes	Yes	Yes	Yes	Yes
VC User	Yes	Yes	Yes	Yes	Yes
VC Viewer	No	Yes	No	No	No

Table 2. Artifact sharing support for different users
Artifact name	DEAdmin	Service Admin	Service User	VC Admin	VC User	VC Viewer
Jobs	DEAdmin has full access to all the Jobs in all the Virtual Clusters and Services in a specific environment. DEAdmin can share or stop sharing a Job with a user or group whenever they want.	Service Admin has full access to all the Jobs in all the Virtual Clusters in a specific Cloudera Data Engineering Service. Service Admin can share or stop sharing a Job with a user or group whenever they want.	Service Users can share or stop sharing a Job only if they at least have a VC User role in the Virtual Cluster and they meet one of the following conditions: They have full access to the Job. They are the owner of the Job.	VC Admin has full access to all the Jobs in a specific Virtual Cluster. VC Admin can share or stop sharing a Job with a user or group whenever they want.	VC User can share or stop sharing a Job only if they have full access to the Job or are the owner of the Job.	View only
Job Runs	DEAdmin has full access to all the Job Runs in all the Virtual Clusters and Services in a specific environment.	Service Admin has full access to all the Job Runs in all the Virtual Clusters in a specific Cloudera Data Engineering Service.	Job Runs inherit the same access levels that of the Cloudera Data Engineering they are part of. Service Users must at least have a VC User role assigned in the Virtual Cluster to access or view a Job Run. Service Users can interact with a Job Run only if they have full access to that particular Job or if they created that Job Run. Otherwise, a Service User can only view the Job Run until they have access to the Job. If the access to the Job is removed, then the Service User cannot view the Job Runs that are created after the access is removed. They can only view the Job Runs that are created when they had access to that Job.	VC Admin has full access to all the Job Runs in a specific Virtual Cluster.	Job Runs inherit the same access levels that of the Cloudera Data Engineering Jobs they are part of. VC Users can view a Job Run only if it was created when they had access to that particular Job that the Job Run is part of. VC Users can view a Job Run if they have at least view-only access to the Job. However, they can interact (terminate or clone) with a Job Run only if they have full access to that Job Run. If the access to the Job is removed for the VC Users, then they cannot access or view the Job Runs that are created after the access is removed. They can only view the Job Runs that are created when they had access to that Job.	View only
Sessions	DEAdmin can view all the Sessions in all the Virtual Clusters and Services in a specific environment.	Service Admin can view all the Sessions in all the Virtual Clusters in a specific Cloudera Data Engineering Service.	A Service User must at least have a VC User role assigned in the Virtual Cluster to view the Sessions in that Virtual Cluster.	VC Admin can view all the Sessions in a specific Virtual Cluster.	VC Users can view a Session if they at least have view-only access to a specific Virtual Cluster.	View only
Repositories	DEAdmin has full access to all the Repositories in all the Virtual Clusters and Services in a specific environment. DEAdmin can share or stop sharing a Repository with a user or group whenever they want.	Service Admin has full access to all the Repositories in all the Virtual Clusters in a specificCloudera Data Engineering Service. Service Admin can share or stop sharing a Repository with a user or group whenever they want.	Service Users can share or stop sharing a Repository only if they at least have a VC User role in the Virtual Cluster and they meet one of the following conditions: They have full access to the Repository. They are the owner of the Repository.	VC Admin has full access to all the Repositories in a specific Virtual Cluster. VC Admin can share or stop sharing a Repository with a user or group whenever they want.	VC Users can share or stop sharing a Repository only if they have full access to the Repository or if they are the owner of the Repository.	View only
Resources	DEAdmin has full access to all the Resources in all the Virtual Clusters and Services in a specific environment. DEAdmin can share or stop sharing a Resource with a user or group whenever they want.	Service Admin has full access to all the Resources in all the Virtual Clusters in a specific Cloudera Data Engineering Service. Service Admin can share or stop sharing a Resource with a user or group whenever they want.	Service Users can share or stop sharing a Resource only if they at least have a VC User role in the Virtual Cluster and they meet one of the following conditions: They have full access to the Resource. They are the owner of the Resource.	VC Admin has full access to all the Resources in a specific Virtual Cluster. VC Admin can share or stop sharing a Resource with a user or group whenever they want.	VC Users can share or stop sharing a Resource only if they have full access to the Resource or if they are the owner of the Resource.	View only
Credentials	DEAdmin has full access to all the Credentials in all the Virtual Clusters and Services in a specific environment. DEAdmin can share or stop sharing a Credential with a user or group whenever they want.	Service Admin has full access to all the Credentials in all the Virtual Clusters in a specific Cloudera Data Engineering Service. Service Admin can share or stop sharing a Credential with a user or group whenever they want.	Service Users can share or stop sharing a Credential only if they at least have a VC User role in the Virtual Cluster and they meet one of the following conditions: They have full access to the Credential. They are the owner of the Credential.	VC Admin has full access to all the Credentials in a specific Virtual Cluster. VC Admin can share or stop sharing a Credential with a user or group whenever they want.	VC Users can share or stop sharing a Credential only if they have full access to the Credential or if they are the owner of the Credential.	View only

Table 3. Artifact sharing support in Cloudera Data Engineering UI, CLI, and API
Artifact name	Cloudera Data Engineering UI	Cloudera Data Engineering CLI	Cloudera Data Engineering API
Jobs	Yes	Yes	Yes
Job Runs important Job Runs inherit the same level of access as the parent Jobs have at the moment of the Job Run creation.	No	No	No
Sessions	Yes	Yes	Yes
Repositories	Supported only in Cloudera Data Engineering 1.5.5 SP1 and higher versions, during Repository update.	Yes	Yes
Resources	Supported only in Cloudera Data Engineering 1.5.5 SP1 and higher versions, during Resource update.	Yes	Yes
Credentials	No	Yes	Yes