Account roles
A Cloudera role grants permissions to perform tasks in Cloudera that are not associated with a specific resource. You explicitly assign a role to a user, machine user, or a group.
When assigning roles to users and groups, consider the following:
- Only PowerUser can assign account roles.
- A user needs the following two types of roles in order to assign access to
resources to other users:
- One of the roles that allow role assignment: EnvironmentCreator, EnvironmentAdmin, DataSteward, DatahubAdmin or another admin role for a Cloudera service.
- One of the roles that allow listing users within the organization: IamUser or IamViewer.
- All users who need to access CDP CLI need the IamUser role.
crn:altus:iam:<CONTROL_PLANE_REGION>:altus:role:<ROLE_NAME>
crn:altus:iam:us-west-1
:altus:role:IamViewer
You can view all available roles and their CRNs by using the cdp iam
list-roles
command.
Account roles can be assigned from the Cloudera Management Console>
User Management > Roles tab or from CDP CLI by using the cdp iam
assign-user-role
or cdp iam assign-group-role
commands.
The predefined account roles available in Cloudera are as follows:
Account role | Description | Important considerations |
---|---|---|
PowerUser | Grants permission to perform all tasks on all resources. |
Unlike other users (who only see the resources that they are authorized to list), Power Users can list all resources. By default, Power Users don’t not have full access to all resources but can assign themselves a resource role that grants them access to these resources. |
EnvironmentCreator | Grants permission to create environments and shared resources (cluster templates, recipes, image catalogs, credentials, proxies), and sync users. | Since shared resources are managed separately from environments, in order for a user
with the EnvironmentCreator role to be able to use a provisioning credential
for creating an environment, that user needs to be Owner or
SharedResourceUser for that credential. EnvironmentCreator is the only role that allows you to manage access to proxies that have been registered in Cloudera. |
IamUser | Grants permission to create access keys and upload SSH keys for the user (but not for
other users). Moreover, this role includes all permissions of the IamViewer role. It grants permission to view all users in the account and their assigned roles and access keys. |
Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer. |
IamViewer | Grants permission to view all users in the account and their assigned roles and access keys. | Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer. |
ClassicClustersCreator | This role is required to register a new cluster. If this role is not present then the “Add Cluster” button is not visible to the user. | |
DataCatalogCspRuleManager | Grants permission to perform all tasks on CSP rules in Cloudera Data Catalog. | |
DataCatalogCspRuleViewer | Grants permission to list and view CSP rules in Cloudera Data Catalog. | |
DFCatalogAdmin | Grants permission to perform all tasks on objects stored in the Cloudera DataFlow Catalog. This includes importing and deleting flow definitions, as well as uploading new versions of existing flow definitions. | |
DFCatalogViewer | Grants permission to browse the Cloudera DataFlow Catalog and view flow definitions. | |
BillingAdmin | Grants permission to monitor Cloudera credit consumption. |