User Roles
Users in Cloudera AI are assigned one or more of the following roles.
There are two categories of roles: environment resource roles, which apply to a given Cloudera Data Platform environment, and workbench resource roles, which apply to a single workbench. To use workbench resource roles, you may need to upgrade the workbench or create a new workbench.
If a user has more than one role, then the role with the highest level of permissions takes precedence. If a user is a member of a group, they may gain additional roles through that membership.
Environment resource roles
- MLAdmin: Grants a Cloudera Data Platform user the ability to create and delete Cloudera AI Workbenches within a given Cloudera Data Platform environment. MLAdmins also have Administrator level access to all the workbenches provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workbenches. They can also add the MLUser and MLBusinessUser roles to their assigned environment. This user also needs the account-level role of IAMViewer, in order to access the environment Manage Access page. To create or delete workbenches, this user also needs the EnvironmentAdmin role.
- MLUser: Grants a Cloudera Data Platform user the ability to view Cloudera AI Workbenches provisioned within a given Cloudera Data Platform environment. MLUsers are also able to run workloads on all the workbenches provisioned within this environment.
- MLBusinessUser: Grants permission to list Cloudera AI Workbenches for a given Cloudera Data Platform environment. MLBusinessUsers can view only the applications deployed under the projects that they have been added to as a Business User.
Workbench resource roles
Workbench roles are for users who are granted access to only a single workbench.
- MLWorkspaceAdmin: Grants permission to manage all Cloudera AI workloads and settings inside a specific workbench. To perform resource role assignment, the IAMViewer role is also needed. A user with this role can administer the workbench, but is not able to utilize Cloudera Data Platform APIs that modify a workbench (for example, creating or upgrading workbenches).
- MLWorkspaceBusinessUser: Grants permission to view shared Cloudera AI applications inside a specific workbench.
- MLWorkspaceUser: Grants permission to run Cloudera AI workloads inside a specific workbench.
Using the workbench resource roles
A power user or account administrator must assign the first MLWorkspaceAdmin to a workbench. Subsequently, if the MLWorkspaceAdmin also has the IAMViewer role, they can assign resource roles to the workbench.
An MLAdmin (an environment resource role) is not automatically able to assign workbench resource roles on the Manage access page. A role such as MLWorkspaceAdmin is needed to do this.
You can check the permissions for a given resource role by clicking the Information icon by each resource role shown in User Management, on the Resources tab for a user, or in a Cloudera Data Platform user profile.
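For an access review, the precedence and companion-role rules above can be checked offline against an export of role assignments. The following is an added example, not Cloudera code: the role names come from this page, while the input shape, the sample assignments, the `account` and `env-a`/`wb-1` resource labels, and the rank ordering (Admin above User above BusinessUser) are assumptions.

```python
# Added example: role names are from the page; the input shape, the sample
# data and the rank ordering (Admin > User > BusinessUser) are assumptions.
RANK = {
    "MLBusinessUser": 1, "MLUser": 2, "MLAdmin": 3,
    "MLWorkspaceBusinessUser": 1, "MLWorkspaceUser": 2, "MLWorkspaceAdmin": 3,
}
# Companion roles the page says are needed, and what is unavailable without them.
NEEDS = {
    "MLAdmin": [("IAMViewer", "access the environment Manage Access page"),
                ("EnvironmentAdmin", "create or delete workbenches")],
    "MLWorkspaceAdmin": [("IAMViewer", "assign resource roles")],
}

def granted(user, direct, memberships, group_roles):
    """Union of direct grants and grants inherited through group membership."""
    grants = set(direct.get(user, ()))
    for group in memberships.get(user, ()):
        grants |= set(group_roles.get(group, ()))
    return grants

def effective(grants):
    """Highest-ranked Cloudera AI role per resource (environment or workbench)."""
    best = {}
    for role, resource in grants:
        if RANK.get(role, 0) > RANK.get(best.get(resource), 0):
            best[resource] = role
    return best

def findings(grants):
    """(resource, role, missing companion role, capability) for each gap."""
    held = {role for role, _ in grants}  # companions matched by name only
    return [(res, role, need, cap)
            for res, role in sorted(effective(grants).items())
            for need, cap in NEEDS.get(role, ())
            if need not in held]

# Constructed sample assignments as (role, resource) pairs.
DIRECT = {
    "alice": {("MLUser", "env-a")},
    "bob": {("MLWorkspaceAdmin", "wb-1"), ("IAMViewer", "account")},
    "carol": {("MLWorkspaceAdmin", "wb-1")},
}
MEMBERSHIPS = {"alice": ["ml-ops"]}
GROUP_ROLES = {"ml-ops": {("MLAdmin", "env-a"), ("IAMViewer", "account")}}

if __name__ == "__main__":
    for user in sorted(DIRECT):
        grants = granted(user, DIRECT, MEMBERSHIPS, GROUP_ROLES)
        print(user, effective(grants), findings(grants))
```

In the sample, alice is directly an MLUser but inherits MLAdmin through a group, which is the case a review of direct grants alone would miss.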