Account roles

A Cloudera role grants permissions to perform tasks in Cloudera that are not associated with a specific resource. You explicitly assign a role to a user, machine user, or a group.

When assigning roles to users and groups, consider the following:

  • Only PowerUser can assign account roles.
  • A user needs the following two types of roles in order to assign access to resources to other users:
    • One of the roles that allow role assignment: EnvironmentCreator, EnvironmentAdmin, DataSteward, DatahubAdmin or another admin role for a Cloudera service.
    • One of the roles that allow listing users within the organization: IamUser or IamViewer.
  • All users who need to access CDP CLI need the IamUser role.
Each role is identified by a CRN, which uses the following format:
crn:altus:iam:<CONTROL_PLANE_REGION>:altus:role:<ROLE_NAME>
For example, the following is the IamViewer role CRN:
crn:altus:iam:us-west-1:altus:role:IamViewer

You can view all available roles and their CRNs by using the cdp iam list-roles command.

Account roles can be assigned from the Cloudera Management Console> User Management > Roles tab or from CDP CLI by using the cdp iam assign-user-role or cdp iam assign-group-role commands.

The predefined account roles available in Cloudera are as follows:

Table 1. Account roles
Account role Description Important considerations
PowerUser Grants permission to perform all tasks on all resources.

Unlike other users (who only see the resources that they are authorized to list), Power Users can list all resources. By default, Power Users don’t not have full access to all resources but can assign themselves a resource role that grants them access to these resources.

EnvironmentCreator Grants permission to create environments and shared resources (cluster templates, recipes, image catalogs, credentials, proxies), and sync users. Since shared resources are managed separately from environments, in order for a user with the EnvironmentCreator role to be able to use a provisioning credential for creating an environment, that user needs to be Owner or SharedResourceUser for that credential.

EnvironmentCreator is the only role that allows you to manage access to proxies that have been registered in Cloudera.

IamUser Grants permission to create access keys and upload SSH keys for the user (but not for other users).

Moreover, this role includes all permissions of the IamViewer role. It grants permission to view all users in the account and their assigned roles and access keys.

Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer.
IamViewer Grants permission to view all users in the account and their assigned roles and access keys. Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer.
ClassicClustersCreatorThis role is required to register a new cluster. If this role is not present then the “Add Cluster” button is not visible to the user.
DataCatalogCspRuleManager Grants permission to perform all tasks on CSP rules in Cloudera Data Catalog.
DataCatalogCspRuleViewer Grants permission to list and view CSP rules in Cloudera Data Catalog.
DFCatalogAdmin Grants permission to perform all tasks on objects stored in the Cloudera DataFlow Catalog. This includes importing and deleting flow definitions, as well as uploading new versions of existing flow definitions.
DFCatalogViewer Grants permission to browse the Cloudera DataFlow Catalog and view flow definitions.
BillingAdmin Grants permission to monitor Cloudera credit consumption.