Understanding roles

To access resources and perform tasks in CDP, each user requires permissions. As a CDP administrator, you can assign a role to a user to give the user permission to perform the tasks.

A policy defines the permissions associated with a role. It consists of policy statements that grant permissions to resources. The policy attached to a role determines the operations that the role allows the user to perform. When users attempt to perform operations that are not permitted in their assigned role, they get a permission denied error message.

CDP has pre-defined roles for your use. You can assign a role or a combination of roles to give the user the appropriate permissions to complete tasks in CDP. You cannot modify the pre-defined CDP roles or the policies associated with the pre-defined roles.

The scope of pre-defined roles can vary. For example, a role might grant view access only to CDP ML clusters but not CDP Data Warehouse clusters. You might need to assign multiple roles to ensure that a user can perform all required tasks in CDP.

CDP roles

A CDP role grants permissions to perform tasks in CDP that are not associated with a specific resource. You explicitly assign a role to a user account.

The pre-defined CDP roles that you can assign to CDP users and machine users are as follows:

  • PowerUser - Grants permission to perform all tasks on all resources.
  • IamUser - Grants permission to create access keys for the user, view assigned roles, and view all users in the account.
  • IamViewer - Grants permission to view assigned roles and view all users in the account.
  • EnvironmentAdmin - Grants a CDP user all the rights to an environment and Data Hub clusters. The EnvironmentAdmin role is assigned the Limited Cluster Administrator role in Cloudera Manager. Environment Admins can manage the cluster lifecycle, change configurations, and manage parcels.
  • EnvironmentUser - Grants a CDP user the ability to view Data Hub clusters and set the password for the environment. The EnvironmentUser role is assigned the Read-Only role in Cloudera Manager.

CDP roles can be assigned from the Management Console > User Management > Roles tab.