Understanding roles

To access resources and perform tasks in CDP, each user requires permissions. As a CDP administrator, you can assign a role to a user to give the user permission to perform the tasks.

A policy defines the permissions associated with a role. It consists of policy statements that grant permissions to resources. The policy attached to a role determines the operations that the role allows the user to perform. When users attempt to perform operations that are not permitted in their assigned role, they get a permission denied error message.

CDP has pre-defined roles for your use. You can assign a role or a combination of roles to give the user the appropriate permissions to complete tasks in CDP. You cannot modify the pre-defined CDP roles or the policies associated with the pre-defined roles.

The scope of pre-defined roles can vary. For example, a role might grant view access only to CDP ML clusters but not CDP Data Warehouse clusters. You might need to assign multiple roles to ensure that a user can perform all required tasks in CDP.

CDP roles

A CDP role grants permissions to perform tasks in CDP that are not associated with a specific resource. You explicitly assign a role to a user account.

You can assign the following pre-defined CDP roles to CDP users and machine users:

  • PowerUser - Grants permission to perform all tasks on all resources.
  • IamUser - Grants permission to create access keys for the user, view assigned roles, and view all users in the account.
  • IamViewer - Grants permission to view assigned roles and view all users in the account.
  • EnvironmentAdmin - Grants a CDP user all the rights to an environment and a data lake. The EnvironmentAdmin role is assigned the Limited Cluster Administrator role in Cloudera Manager. Environment Admins can manage the cluster lifecycle, change configurations, and manage parcels.
  • EnvironmentUser - Grants a CDP user the ability to view data lakes and set the password for the environment. The EnvironmentUser role is assigned the Read-Only role in Cloudera Manager.

CDP roles can be assigned from the Management Console > User Management > Roles tab.
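The role descriptions above can be turned into a small least-privilege check. The following is an added example, not Cloudera code or part of the CDP API: the permission labels are hypothetical paraphrases of the descriptions on this page, and modelling EnvironmentAdmin as a superset of EnvironmentUser is an assumption. It shows which tasks a role set would deny, which assigned roles are redundant, and the narrowest combination of roles that covers a list of required tasks.

```python
from itertools import combinations

# Hypothetical permission labels paraphrasing the role descriptions on this
# page; they are NOT CDP's real policy identifiers.
ALL = "*"  # PowerUser: all tasks on all resources
ROLE_GRANTS = {
    "PowerUser": {ALL},
    "IamUser": {"create-own-access-keys", "view-assigned-roles", "view-users"},
    "IamViewer": {"view-assigned-roles", "view-users"},
    # Assumption: "all the rights to an environment" includes EnvironmentUser's.
    "EnvironmentAdmin": {"env-all-rights", "view-data-lakes", "set-env-password"},
    "EnvironmentUser": {"view-data-lakes", "set-env-password"},
}

def granted(roles):
    """Union of the permissions granted by a set of assigned roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_GRANTS[role]
    return perms

def denied(roles, tasks):
    """Tasks that would end in a permission-denied error for these roles."""
    perms = granted(roles)
    return set() if ALL in perms else set(tasks) - perms

def redundant(roles):
    """Assigned roles that add nothing beyond the user's other roles."""
    return {r for r in roles if not denied(set(roles) - {r}, ROLE_GRANTS[r])}

def least_privilege(tasks):
    """Role set covering every task with the smallest permission footprint.

    Combinations that include the PowerUser wildcard are chosen only when
    no combination of narrower roles covers the tasks.
    """
    best = None
    for n in range(1, len(ROLE_GRANTS) + 1):
        for combo in combinations(sorted(ROLE_GRANTS), n):
            if denied(combo, tasks):
                continue
            perms = granted(combo)
            cost = (ALL in perms, len(perms), n)
            if best is None or cost < best[0]:
                best = (cost, set(combo))
    return best[1]

if __name__ == "__main__":
    # Constructed sample assignment for illustration.
    print(redundant({"IamUser", "IamViewer", "EnvironmentUser"}))
    print(least_privilege({"view-users", "set-env-password"}))
```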