Understanding roles
To access resources and perform tasks in CDP, each user requires permissions. As a CDP administrator, you can assign a role to a user to give the user permission to perform the tasks.
A policy defines the permissions associated with a role. It consists of policy statements that grant permissions to resources. The policies attached to a role determine the operations that the role allows the user to perform. When users attempt to perform operations that are not permitted in their assigned role, they get a permission denied error message.
CDP provides the following types of roles:
- Account-level roles: These are global roles not associated with any specific resource. CDP has certain predefined account-level roles that you can assign to users.
- Resource roles: These are resource-specific roles that provide permissions to perform tasks on a specific resource, such as a CDW virtual warehouse.
The scope of predefined roles and resource roles can vary. For example, a role might grant view access only to CML clusters but not CDW clusters. You might need to assign multiple roles to ensure that a user can perform all the required tasks in CDP.
Account-level roles
An account-level role grants permissions to perform tasks in CDP that are not associated with a specific resource. You explicitly assign a role to a user account.
The predefined account-level roles available in CDP that you can assign to CDP users, machine users, and groups are as follows:
CDP role | Description |
---|---|
PowerUser | Grants permission to perform all tasks on all resources. |
IamUser | Grants permission to create access keys for the user, view assigned roles, and view all users in the account. |
IamViewer | Grants permission to view assigned roles and view all users in the account. |
EnvironmentAdmin | Grants a CDP user all the rights to an environment and a data lake. The EnvironmentAdmin role is assigned the Limited Cluster Administrator role in Cloudera Manager. Environment Admins can manage the cluster lifecycle, change configurations, and manage parcels. |
EnvironmentUser | Grants a CDP user the ability to view data lakes and set the password for the environment. The EnvironmentUser role is assigned the Read-Only role in Cloudera Manager. |
Resource roles
A resource role grants permission to access and perform tasks using specific resources.
When you assign a resource role, you must specify the resource on which to grant the resource role permissions. For example, you can assign a user a resource role that grants permission on a virtual warehouse. The user assigned the resource role can access and perform tasks on only the resources associated with the virtual warehouse.
The resource role determines the tasks that the user can perform using the resources associated with the role. For example, the MLUser resource role assigned to a user allows the user to view the Cloudera Machine Learning workspaces provisioned within an environment.
You cannot modify the pre-defined resource roles or the policies associated with the pre-defined resource roles.
The pre-defined resource roles available in CDP that you can assign to CDP users, machine users, and groups are as follows:
-
Table 2. Resource roles Resource role Description DWAdmin Grants a CDP user/group the ability to activate/terminate or launch/stop/update services in Virtual Warehouses. DWUser Grants a CDP user/group the ability to view and use Cloudera Data Warehouse clusters within a given CDP environment. MLAdmin Grants a CDP user/group the ability to create and delete Cloudera Machine Learning workspaces within a given CDP environment. MLAdmins also have Administrator level access to all the workspaces provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workspaces. MLUser Grants a CDP user/group the ability to view Cloudera Machine Learning workspaces provisioned within a given CDP environment. MLUsers will also be able to run workloads on all the workspaces provisioned within this environment. DEAdmin Grants a CDP user/group the permissions to create, delete, and administer Data Engineering services for a given CDP environment. DEUser Grants a CDP user/group the permissions to list and use Data Engineering services for a given CDP environment.