User Roles
Users in Cloudera Machine Learning are assigned one or more of the following roles.
There are two categories of roles: environment resource roles, which apply to a given Cloudera environment, and workspace resource roles, which apply to a single workspace. To use workspace resource roles, you may need to upgrade the workspace or create a new workspace.
If a user has more than one role, then the role with the highest level of permissions takes precedence. If a user is a member of a group, it may gain additional roles through that membership.
Environment resource roles
- MLAdmin: Grants a Cloudera user the ability to create and delete Cloudera Machine Learning Workspaces within a given Cloudera environment. MLAdmins also have Administrator level access to all the workspaces provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workspaces. This user also needs the account-level role of IAMViewer, in order to access the environment Manage Access page. To create or delete workspaces, this user also needs the EnvironmentAdmin role.
- MLUser: Grants a Cloudera user the ability to view Cloudera Machine Learning Workspaces provisioned within a given Cloudera environment. MLUsers are also able to run workloads on all the workspaces provisioned within this environment.
Workspace resource roles
Workspace roles are for users who are granted access to only a single workspace.
- MLWorkspaceAdmin: Grants permission to manage all Cloudera Machine Learning workloads and settings inside a specific workspace. To perform resource role assignment, the IAMViewer role is also needed. A user with this role can administer the workspace, but is not able to utilize Cloudera APIs that modify a workspace (for example, creating or upgrading workspaces).
- MLWorkspaceBusinessUser: Grants permission to view shared Cloudera Machine Learning applications inside a specific workspace.
- MLWorkspaceUser: Grants permission to run Cloudera Machine Learning workloads inside a specific workspace.
Using the workspace resource roles
A power user or account administrator must assign the first MLWorkspaceAdmin to a workspace. Subsequently, if the MLWorkspaceAdmin also has the IAMViewer role, they can assign resource roles to the workspace.
An MLAdmin (an environment resource role) is not automatically able assign workspace resource roles on the Manage access page. A role such as MLWorkspaceAdmin is needed to do this.
You can check the permissions for a given resource role by clicking the Information icon by each resource role shown in User Management, on the Resources tab for a user, or in a Cloudera user profile.