Account roles
A CDP role grants permissions to perform tasks in CDP that are not associated with a specific resource. You explicitly assign a role to a user, machine user, or a group.
When assigning roles to users and groups, consider the following:
- Only PowerUser can assign account roles.
- A user needs the following two types of roles in order to assign access to
resources to other users:
- One of the roles that allow role assignment: EnvironmentCreator, EnvironmentAdmin, DataSteward, DatahubAdmin or another admin role for a CDP service.
- One of the roles that allow listing users within the organization: IamUser or IamViewer.
- All users who need to access CDP CLI need the IamUser role.
crn:altus:iam:<CONTROL_PLANE_REGION>:altus:role:<ROLE_NAME>crn:altus:iam:us-west-1:altus:role:IamViewerYou can view all available roles and their CRNs by using the cdp iam
list-roles command.
Account roles can be assigned from the Management Console > User Management >
Roles tab or from CDP CLI by using the cdp iam assign-user-role or
cdp iam assign-group-role commands.
The predefined account roles available in CDP are as follows:
| Account role | Description | Important considerations |
|---|---|---|
| PowerUser | Grants permission to perform all tasks on all resources. |
Unlike other users (who only see the resources that they are authorized to list), Power Users can list all resources. By default, Power Users don’t not have full access to all resources but can assign themselves a resource role that grants them access to these resources. |
| EnvironmentCreator | Grants permission to create environments and shared resources (cluster templates, recipes, image catalogs, credentials, proxies), and sync users. | Since shared resources are managed separately from environments, in order for a user
with the EnvironmentCreator role to be able to use a provisioning credential for
creating an environment, that user needs to be Owner or SharedResourceUser for
that credential. EnvironmentCreator is the only role that allows you to manage access to proxies that have been registered in CDP. |
| IamUser | Grants permission to create access keys and upload SSH keys for the user (but not for
other users). Moreover, this role includes all permissions of the IamViewer role. It grants permission to view all users in the account and their assigned roles and access keys. |
Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer. |
| IamViewer | Grants permission to view all users in the account and their assigned roles and access keys. | Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer. |
| ClassicClustersCreator | This role is required to register a new cluster. If this role is not present then the “Add Cluster” button is not visible to the user. | |
| DataCatalogCspRuleManager | Grants permission to perform all tasks on CSP rules in Data Catalog. | |
| DataCatalogCspRuleViewer | Grants permission to list and view CSP rules in Data Catalog. | |
| DFCatalogAdmin | Grants permission to perform all tasks on objects stored in the DataFlow Catalog. This includes importing and deleting flow definitions, as well as uploading new versions of existing flow definitions. | |
| DFCatalogViewer | Grants permission to browse the DataFlow Catalog and view flow definitions. | |
| BillingAdmin | Grants permission to monitor CDP credit consumption. |
