Assigning a group membership administrator

As a CDP administrator, you can create a CDP group and manage the users, roles, and resources assigned to the group. You can also assign other users and groups the IamGroupAdmin role to allow them to manage the users in the group.

Steps

Management Console UI

  1. Sign in to the Cloudera CDP console.
  2. From the CDP home page, click Management Console.
  3. In the User Management section of the side navigation panel, click Groups.

    The Groups page displays the list of the available CDP groups.

  4. Click the name of the group to which you want to assign a group membership administrator.

    The details page displays information about the particular group.

  5. Click the Admins tab.
  6. Click in the Select group or user dropdown box.

    CDP displays the list of groups and users to which you can give group membership administrator permissions.

  7. Select the name of a group or user.

    The name of the group or user you select displays in the list of group membership administrators.

CLI

You can assign the IamGroupAdmin resource role to users and groups to allow them to manage the users in a specified group.

You can use the following command to assign the IamGroupAdmin role to a user:
cdp iam assign-user-resource-role \
--user <value> \
--resource-role-crn <value> \
--resource-crn <value>
  • The user parameter requires the CRN of the user to whom you want to assign the IamGroupAdmin resource role.
  • The resource-role-crn parameter requires the CRN of the IamGroupAdmin role.
  • The resource-crn parameter requires the CRN of the group on which the user will have administrator permission.
To assign the IamGroupAdmin role to a group:
cdp iam assign-group-resource-role \
--group-name <value>e \
--resource-role-crn <value> \
--resource-crn <value> 
  • The group-name parameter requires the name of the group to which you want to assign the resource role.
  • The resource-role-crn parameter requires the CRN of the IamGroupAdmin role.
  • The resource-crn parameter requires the CRN of the group on which the group specified in the group-name parameter will have administrator permission.
    For example, to assign the IamGroupAdmin to GroupABC so that GroupABC can manage the users in GroupXYZ, run a command similar to the following command:
    cdp iam assign-group-resource-role \
    --group-name groupABC \
    --resource-role-crn crn:cdp:iam:us-west-1:cdp:resourceRole:IamGroupAdmin \
    --resource-crn crn:cdp:iam:us-west-1:4e9d74e5-1cad-47d8-b645-7ccf9edbb73d:group:GroupXYZ/54218ac1-187b-40f7-aadb-5ghm96c35xy4
  • To assign the users in a group to be the administrators of their own group, set the values of the group-name parameter and the resource-crn parameter to refer to the same group.