Account roles

A CDP role grants permissions to perform tasks in CDP that are not associated with a specific resource. You explicitly assign a role to a user, machine user, or a group.

When assigning roles to users and groups, consider the following:

  • Only PowerUser can assign account roles.
  • A user needs the following two types of roles in order to assign access to resources to other users:
    • One of the roles that allow role assignment: EnvironmentCreator, EnvironmentAdmin, DataSteward, DatahubAdmin or another admin role for a CDP service.
    • One of the roles that allow listing users within the organization: IamUser or IamViewer.
  • All users who need to access CDP CLI need the IamUser role.
Each role is identified by a CRN, which uses the following format:
crn:altus:iam:<CONTROL_PLANE_REGION>:altus:role:<ROLE_NAME>
For example, the following is the IamViewer role CRN:
crn:altus:iam:us-west-1:altus:role:IamViewer

You can view all available roles and their CRNs by using the cdp iam list-roles command.

Account roles can be assigned from the Management Console > User Management > Roles tab or from CDP CLI by using the cdp iam assign-user-role or cdp iam assign-group-role commands.

The predefined account roles available in CDP are as follows:

Table 1. Account roles
Account role Description Important considerations
PowerUser Grants permission to perform all tasks on all resources. By default, Power Users don’t not have full access to all resources but can assign themselves a resource role that grants them access to these resources.

Note that unlike other shared resources, proxies can only be registered and managed by a PowerUser.

EnvironmentCreator Grants permission to create environments and shared resources (cluster templates, cluster definitions, recipes, image catalogs, credentials), and sync users.

Grants permission to list all environments, but not access them unless created by the same user.

Since shared resources are managed separately from environments, in order for a user with the EnvironmentCreator role to be able to use a provisioning credential for creating an environment, that user needs to be Owner or SharedResourceUser for that credential.
IamUser Grants permission to create access keys and upload SSH keys for the user (but not for other users).

Moreover, this role includes all permissions of the IamViewer role. It grants permission to view all users in the account and their assigned roles and access keys.

Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer.
IamViewer Grants permission to view all users in the account and their assigned roles and access keys. Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer.
DataCatalogCspRuleManager Grants permission to perform all tasks on CSP rules in Data Catalog.
DataCatalogCspRuleViewer Grants permission to list and view CSP rules in Data Catalog.
DFCatalogAdmin Grants permission to perform all tasks on objects stored in the DataFlow Catalog. This includes importing and deleting flow definitions, as well as uploading new versions of existing flow definitions.
DFCatalogViewer Grants permission to browse the DataFlow Catalog and view flow definitions.