User Roles

Users in Cloudera Machine Learning are assigned one or more of the following roles.

There are two categories of roles: environment resource roles, which apply to a given CDP environment, and workspace resource roles, which apply to a single workspace. To use workspace resource roles, you may need to upgrade the workspace or create a new workspace.

If a user has more than one role, then the role with the highest level of permissions takes precedence. If a user is a member of a group, it may gain additional roles through that membership.

Environment resource roles

  • MLAdmin: Grants a CDP user the ability to create and delete Cloudera Machine Learning workspaces within a given CDP environment. MLAdmins also have Administrator level access to all the workspaces provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workspaces. They can also add the MLUser and MLBusinessUser roles to their assigned environment. This user also needs the account-level role of IAMViewer, in order to access the environment Manage Access page. To create or delete workspaces, this user also needs the EnvironmentAdmin role.
  • MLUser: Grants a CDP user the ability to view Cloudera Machine Learning workspaces provisioned within a given CDP environment. MLUsers will also be able to run workloads on all the workspaces provisioned within this environment.
  • MLBusinessUser: Grants permission to list Cloudera Machine Learning workspaces for a given CDP environment. MLBusinessUsers are able to only view applications deployed under the projects that they have been added to as a Business User.

Workspace resource roles

Workspace roles are for users who are granted access to just a single workspace.

  • MLWorkspaceAdmin: Grants permission to manage all machine learning workloads and settings inside a specific workspace. To perform resource role assignment, the IAMViewer role is also needed. A user with this role can administer the workspace, but is not able to utilize CDP APIs that modify a workspace (for example, creating or upgrading workspaces).
  • MLWorkspaceBusinessUser: Grants permission to view shared machine learning applications inside a specific workspace.
  • MLWorkspaceUser: Grants permission to run machine learning workloads inside a specific workspace.

Using the workspace resource roles

A power user or account administrator must assign the first MLWorkspaceAdmin to a workspace. Subsequently, if the MLWorkspaceAdmin also has the IAMViewer role, they can assign resource roles to the workspace.

An MLAdmin (an environment resource role) is not automatically able assign workspace resource roles on the Manage access page. A role such as MLWorkspaceAdmin is needed to do this.

You can check the permissions for a given resource role by clicking the Information icon by each resource role shown in User Management, on the Resources tab for a user, or in a CDP user profile.