Cloudera Docs

Projects

Projects provide fine grained role-based access control over resources within an environment.

Projects are a layer of role-based access control in CDF. You may consider them as logical containers that you can use to govern access to resources within an environment.

Resources (flow deployments, flow drafts, Inbound Connections, and custom NARs) can have one of two states within an environment:

  • Unassigned - the resource is not assigned to a particular Project, it is freely accessible for every user or group with the appropriate user role for that environment.

  • Assigned to a Project - the resource is only accessible to users or groups with access to that particular Project. This assignment is exclusive, you cannot assign the same resource to more than one Project at a time.

The roles associated with projects are additive, they work in conjunction with user permissions controlling the types of actions a user or group is allowed to perform in a CDP environment.

Projects introduces the following user roles:

DFProjectsAdmin
This role enables users to manage all Projects in all environments within an tenant.
DFProjectCreator
This role enables users to create Projects in an Environment. When creating a Project, they automatically become the DFProjectAdmin in that Project.
DFProjectAdmin
This role is automatically assigned to users with DFProjectCreator role upon creating a Project. DFProjectAdmins can add/remove users and groups, changing user and group roles (DFProjectAdmin or DFProjectMember), modify the Project name and description, and delete the Project.
DFProjectMember
This role enables users to access resources assigned to a Project and perform actions on them that are allowed by their other user roles.

For example, users with DFFlowUser role in ‘Environment_A’, and DFProjectMember role in ‘Project_Alpha’ are able to view flow deployments ‘Deployment-1’ that is assigned to ‘Project_Alpha’ and ‘Deployment-2’ that is currently unassigned. They cannot view ‘Deployment-3’ that is assigned to Project_Beta, just as they do not see other resource types (in this example draft flows ‘Draft-1’, ‘Draft-2’, and ‘Draft-3’) regardless of their assignment status. That is, the DFFlowUser role defines the types of actions they can perform in the environment, and the ‘DFProjectMember’ role defines the resources within that environment they can perform those actions on.