As a security administrator, understand the out-of-the box security features as well as the tasks that you need to perform to authorize CDP users.
CDP provides the following security features:
- User authentication
- Role-based user authorization
- Data encryption
Users are automatically authenticated through the CDP identity provider. For more information, see CDP Security Overview.
Role-based user authorization
DataFlow roles allow you to set user permissions. Assign one or more of the following roles to a CDP user:
- To enable a user to view and search flow definitions and ReadyFlows, assign the DFCatalogViewer role.
- To enable a user to import and manage flow definitions in the DataFlow Catalog and add ReadyFlows to the DataFlow Catalog, assign the DFCatalogAdmin role.
- To enable a user to manage the lifecycle of a DataFlow environment, assign the DFAdmin role.
- To enable a user to manage flow deployments such as view a flow deployment in NiFi, suspend or terminate a flow deployment, or change the NiFi version, assign the DFFlowAdmin role.
- To enable a user to manage flow deployments and deploy flow definitions, assign the DFFlowAdmin role and either the DFCatalogViewer or DFCatalogAdmin role.
- To enable a user to view, search, and monitor deployed flows, assign the DFFlowUser role.
For more information on the DataFlow roles, see DataFlow Authorization.
CDP encrypts data at rest and in motion.
- Data at rest
- When you import a flow definition, the flow definition is encrypted and stored in the DataFlow Catalog. DataFlow Catalog is a service that enables you to manage flow definitions centrally.
- Data in transit
- When you deploy a flow, the encrypted flow definition is transferred to your cloud account where it is decrypted and deployed. During a flow deployment, data can be transferred between servers, systems, applications, and users. Every transfer is a secure and trusted exchange through TLS. Through cryptographic protocols, TLS encrypts and authenticates:
- The flow definition from the DataFlow Catalog to a DataFlow environment.
- The connections from the user's browser to the DataFlow service.
- The communication between the DataFlow service and other services in the CDP Control Plane.
- The communication between the CDP Control Plane services and environment services.
- The communication between the DataFlow service, flows, and shared services within an environment.