Cloudera Data Flow user roles
As a security administrator with the PowerUser role, you must assign one or more Cloudera Data Flow roles to a user to allow the user to perform tasks in the Cloudera Data Flow Catalog, the Cloudera Data Flow environment, and the Apache NiFi cluster.
For information on configuring Cloudera user management, see User Management in the Cloudera Management Console documentation.
Review each of the following Cloudera Data Flow roles to determine which roles a user requires:
DFAdmin
A user with the DFAdmin role can perform the following tasks:
- Enable a Cloudera environment for Cloudera Data Flow
- View an environment
- View environment details and Cloudera Data Flow Settings
- Disable an environment
- Update resource roles
- Grant remote access to an environment
- Revoke remote access to an environment
- Terminate all running deployments when disabling the Cloudera Data Flow service for an environment
A user with the DFAdmin and PowerUser roles can perform the following additional tasks:
- Assign the DFAdmin role to other users
- Revoke the DFAdmin role from other users
DFCatalogAdmin
This role allows a user to centrally manage flow definitions and ReadyFlows.
A user with the DFCatalogAdmin role can perform the following tasks in the Cloudera Data Flow Catalog:
- View and search flow definitions
- Import flow definitions
- Import new versions of existing flow definitions
- View flow definition details
- Publish flow drafts to the Catalog
- Delete flow definitions
- View and search ReadyFlows
- Add ReadyFlows to the Catalog
DFCatalogPublisher
- View and search flow definitions
- Import flow definitions
- Import new versions of existing flow definitions
- View flow definition details
- Publish flow drafts to the Catalog
A user with the DFCatalogPublisher role and either the DFCollectionMember or DFCollectionAdmin role can perform the following additional task:
- Import a flow definition into a Catalog collection
DFCatalogViewer
- View and search flow definitions in the Cloudera Data Flow Catalog
- View and search ReadyFlows in the ReadyFlow Gallery
DFCollectionAdmin
This role is automatically assigned to users with the DFCollectionsCreator role upon creating a collection.
A user with the DFCollectionAdmin role can perform the following tasks within a collection:
- Add/remove users and groups
- Change user and group roles (DFCollectionAdmin, DFCollectionMember, or DFCollectionViewer)
- Modify the collection name and description
- Delete the collection
DFCollectionsAdmin
This role allows a user to centrally manage collections.
A user with the DFCollectionsAdmin role can perform the following tasks in a tenant:
- Create and manage collections
- Edit users and groups assigned to collections
- Delete collections
DFCollectionsCreator
This role allows the user to create Cloudera Data Flow Catalog collections.
A user with the DFCollectionsCreator role can perform the following tasks in a tenant:
- Create and manage collections
- The DFCollectionsCreator automatically receives the administrator (DFCollectionAdmin) role over collections they create. This role allows them to:
  - Manage the collection
  - Edit users and groups assigned to the collection
  - Delete the collection
DFCollectionMember
A user with the DFCollectionMember role can perform the following tasks in a Catalog collection:
- View flow definitions in the collection
- Publish flow definitions to the collection
- Import flow definitions to the collection
- Delete flow definitions from the collection
- Reassign flow definitions between collections (this requires the DFCollectionMember or DFCollectionAdmin role in both the source and target collections) or move a flow definition out of the collection, rendering it 'unassigned'
DFCollectionViewer
A user with the DFCollectionViewer role can perform the following tasks in a Catalog collection:
- View flow definitions in the collection
A user with the DFFlowAdmin role and the DFCatalogViewer role can perform the following additional task:
- Deploy flow definitions
DFFlowAdmin
This role allows a user to manage flow deployments in a Cloudera Data Flow environment. In addition, this role together with either the DFCatalogViewer or DFCatalogAdmin role allows the user to deploy flows.
A user with the DFFlowAdmin role alone can perform the following tasks:
- View a deployment on the dashboard
- View deployment details and settings
- View a deployment in NiFi
- Stop a deployment in NiFi
- Suspend a deployment in NiFi
- Terminate a deployment in NiFi
- Change NiFi version
- Assign the DFFlowAdmin and DFFlowUser roles to other users
- Revoke the DFFlowAdmin and DFFlowUser roles from other users
A user with the DFFlowAdmin role and either the DFCatalogViewer or DFCatalogAdmin role can perform the following additional task:
- Deploy flow definitions
DFFlowDeveloper
This role allows a user to view, search, create, and manage drafts in Flow Designer at the environment level.
A user with the DFFlowDeveloper role can perform the following tasks:
- Create a new draft
- View all drafts in an environment
- View all draft details and settings in an environment
- Update all drafts in an environment
- Start and end Test Sessions for any draft in an environment
- Delete any draft in an environment
A user with the DFFlowDeveloper role and the DFCatalogViewer, DFCatalogPublisher, or DFCatalogAdmin role can perform the following additional tasks:
- Create drafts from flow definitions in the Cloudera Data Flow Catalog
- Create drafts from ReadyFlows in the ReadyFlow Gallery
- Publish drafts as flow definitions to the Catalog (DFCatalogPublisher or DFCatalogAdmin only)
DFFlowUser
This role allows a user to view, search, and monitor flow deployments in a Cloudera Data Flow environment.
A user with the DFFlowUser role can perform the following tasks:
- View a deployment on the dashboard
- View deployment details and settings
- View a deployment in NiFi
DFProjectAdmin
This role is automatically assigned to users with the DFProjectCreator role upon creating a Project.
A user with the DFProjectAdmin role can perform the following tasks:
- Add/remove users and groups
- Change user and group roles (DFProjectAdmin or DFProjectMember)
- Modify the Project name and description
- Delete the Project
DFProjectCreator
This role allows a user to create and manage Projects at the environment level.
- Create a Project.
- Edit a Project.
- Manage users and groups assigned to a Project.
DFProjectMember
This role enables users to access resources assigned to a Project and perform actions on them that are allowed by their other user roles.
DFProjectsAdmin
This role allows a user to centrally manage Projects.
- View and create Projects.
- Edit users and groups assigned to Projects.
- Delete Projects.