Understanding roles
Every user needs permissions to access resources and perform tasks in Cloudera. As a Cloudera administrator, you grant those permissions by assigning roles to the user.
A policy defines the permissions associated with a role. It consists of policy statements that grant permissions on resources. The policies attached to a role determine the operations that the role allows the user to perform. When a user attempts an operation that none of their assigned roles permits, the operation fails with a permission denied error.
Cloudera provides the following types of roles:
- Account-level roles: These are global roles not associated with any specific resource. Cloudera has certain predefined account-level roles that you can assign to users.
- Resource roles: These are resource-specific roles that provide permissions to perform tasks on a specific resource, such as a Cloudera Data Warehouse virtual warehouse.
The scope of predefined account-level roles and resource roles varies. For example, a role might grant view access to Cloudera AI clusters but not to Cloudera Data Warehouse clusters. You might need to assign multiple roles to ensure that a user can perform all the required tasks in Cloudera; the user's effective permissions are the union of all assigned roles.
Account-level roles
An account-level role grants permissions to perform tasks in Cloudera that are not associated with a specific resource. You explicitly assign a role to a user account.
The predefined account-level roles available in Cloudera that you can assign to Cloudera users, machine users, and groups are as follows:
| Cloudera role | Description |
|---|---|
| PowerUser | Grants permission to perform all tasks on all resources. |
| IamUser | Grants permission to create access keys for the user, view assigned roles, and view all users in the account. |
| IamViewer | Grants permission to view assigned roles and view all users in the account. |
| EnvironmentAdmin | Grants a Cloudera user all the rights to an environment and a data lake. The EnvironmentAdmin role is assigned the Limited Cluster Administrator role in Cloudera Manager. Environment Admins can manage the cluster lifecycle, change configurations, and manage parcels. |
| EnvironmentUser | Grants a Cloudera user the ability to view data lakes and set the password for the environment. The EnvironmentUser role is assigned the Read-Only role in Cloudera Manager. |
Resource roles
A resource role grants permission to access and perform tasks using specific resources.
When you assign a resource role, you must specify the resource on which to grant the resource role permissions. For example, you can assign a user a resource role that grants permission on a virtual warehouse. The user assigned the resource role can access and perform tasks only on the resources associated with that virtual warehouse; the same role does not apply to any other resource unless it is assigned there as well.
The resource role determines the tasks that the user can perform using the resources associated with the role. For example, the MLUser resource role assigned to a user allows the user to view the Cloudera AI Workbenches provisioned within the environment on which the role was granted.
You cannot modify the pre-defined resource roles or the policies associated with the pre-defined resource roles.
The pre-defined resource roles available in Cloudera that you can assign to Cloudera users, machine users, and groups are as follows:
Table 2. Resource roles

| Resource role | Description |
|---|---|
| DWAdmin | Grants a Cloudera user/group the ability to activate/terminate or launch/stop/update services in Virtual Warehouses. |
| DWUser | Grants a Cloudera user/group the ability to view and use Cloudera Data Warehouse clusters within a given Cloudera environment. |
| MLAdmin | Grants a Cloudera user/group the ability to create and delete Cloudera Machine Learning workspaces within a given Cloudera environment. MLAdmins also have Administrator level access to all the workspaces provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workspaces. |
| MLUser | Grants a Cloudera user/group the ability to view Cloudera Machine Learning workspaces provisioned within a given Cloudera environment. MLUsers will also be able to run workloads on all the workspaces provisioned within this environment. |
| DEAdmin | Grants a Cloudera user/group the permissions to create, delete, and administer Data Engineering services for a given Cloudera environment. |
| DEUser | Grants a Cloudera user/group the permissions to list and use Data Engineering services for a given Cloudera environment. |
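The scoping rules described on this page (account-level roles apply globally, resource roles apply only to the resource they were granted on, a user's permissions are the union of all assigned roles, and anything not granted is denied) can be made concrete with a small model. The following Python is an added example written for this page; it is not Cloudera's code or its real policy engine. The role names match the tables above, but the action names and the CRN-style resource identifiers are assumptions chosen for illustration.

```python
"""Toy model of how account-level and resource roles are evaluated.

Added illustration, not Cloudera code. It models the semantics the page
describes: a role is a bundle of policy statements, account-level roles apply
globally, resource roles apply only to the resource named in the assignment,
a user's permissions are the union of all assigned roles, and anything not
granted is denied. Role names come from the page; the action names and the
CRN-style resource identifiers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ANY_ACTION = "*"

# Account-level role policies (global; not tied to a resource). Action names
# are assumed for illustration; the rights they stand for are from the table.
ACCOUNT_POLICIES: Dict[str, Set[str]] = {
    "PowerUser": {ANY_ACTION},  # all tasks on all resources
    "IamViewer": {"iam:listUsers", "iam:viewAssignedRoles"},
    "IamUser": {"iam:listUsers", "iam:viewAssignedRoles", "iam:createAccessKey"},
}

# Resource role policies (apply only on the resource the role is granted on).
RESOURCE_POLICIES: Dict[str, Set[str]] = {
    "DWUser": {"dw:viewWarehouse", "dw:useWarehouse"},
    "DWAdmin": {"dw:viewWarehouse", "dw:useWarehouse",
                "dw:activateWarehouse", "dw:terminateWarehouse"},
    "MLUser": {"ml:viewWorkbench", "ml:runWorkload"},
    "MLAdmin": {"ml:viewWorkbench", "ml:runWorkload",
                "ml:createWorkbench", "ml:deleteWorkbench"},
}


@dataclass
class User:
    name: str
    account_roles: Set[str] = field(default_factory=set)
    # Each entry is (resource role, resource it was granted on).
    resource_roles: Set[Tuple[str, str]] = field(default_factory=set)


class PermissionDenied(Exception):
    """Raised when no assigned role permits the requested operation."""


def is_allowed(user: User, action: str, resource: Optional[str] = None) -> bool:
    """Deny by default; allow if any assigned role's policy grants the action."""
    # Account-level roles are global, so the resource argument does not matter.
    for role in user.account_roles:
        granted = ACCOUNT_POLICIES.get(role, set())
        if ANY_ACTION in granted or action in granted:
            return True
    # A resource role counts only for the exact resource it was granted on.
    for role, scope in user.resource_roles:
        if resource is not None and scope == resource \
                and action in RESOURCE_POLICIES.get(role, set()):
            return True
    return False


def authorize(user: User, action: str, resource: Optional[str] = None) -> None:
    """Raise PermissionDenied, mirroring the error a user sees, if not allowed."""
    if not is_allowed(user, action, resource):
        raise PermissionDenied(
            f"{user.name}: '{action}' on {resource or 'account'} is not "
            f"permitted by any assigned role")


# Constructed sample data; the identifiers are assumptions, not from the page.
ENV_A = "crn:example:environments:env-a"
ENV_B = "crn:example:environments:env-b"

alice = User("alice", account_roles={"IamViewer"},
             resource_roles={("DWUser", ENV_A), ("MLUser", ENV_A)})
bob = User("bob", account_roles={"PowerUser"})


def demo() -> Dict[str, bool]:
    """Evaluate the page's scoping rules against the constructed users."""
    return {
        # A resource role applies only to the resource it was granted on.
        "alice_dw_use_env_a": is_allowed(alice, "dw:useWarehouse", ENV_A),
        "alice_dw_use_env_b": is_allowed(alice, "dw:useWarehouse", ENV_B),
        # DWUser carries no admin tasks; DWAdmin would be needed for those.
        "alice_dw_terminate_env_a": is_allowed(alice, "dw:terminateWarehouse", ENV_A),
        # Multiple roles combine: MLUser adds ML view rights on the same env.
        "alice_ml_view_env_a": is_allowed(alice, "ml:viewWorkbench", ENV_A),
        # Account-level rights are global and need no resource.
        "alice_iam_list_users": is_allowed(alice, "iam:listUsers"),
        "alice_iam_create_key": is_allowed(alice, "iam:createAccessKey"),
        # PowerUser covers every task on every resource.
        "bob_ml_delete_env_b": is_allowed(bob, "ml:deleteWorkbench", ENV_B),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
    try:
        authorize(alice, "dw:useWarehouse", ENV_B)
    except PermissionDenied as err:
        print(err)
```

Running the block shows that alice can use the warehouse in env-a but not in env-b, cannot terminate warehouses anywhere, gains ML view rights only because a second role was assigned on the same environment, and can list users through her global IamViewer role but not create access keys. The deny-by-default return at the end of `is_allowed` is the part worth copying: an unknown role name or a missing resource argument falls through to denied rather than to an accidental grant.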