A CDP role grants permissions to perform tasks in CDP that are not associated with a specific resource. You explicitly assign a role to a user, machine user, or a group.
When assigning roles to users and groups, consider the following:
- Only PowerUser can assign account roles.
- A user needs the following two types of roles in order to assign access to resources to other users:
  - One of the roles that allow role assignment: EnvironmentCreator, EnvironmentAdmin, DataSteward, DatahubAdmin or another admin role for a CDP service.
  - One of the roles that allow listing users within the organization: IamUser or IamViewer.
- All users who need to access CDP CLI need the IamUser role.
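The role prerequisites above combine as an AND (an assigner role plus a user-listing role) gated by a PowerUser-only check for account roles. The following is an added example, not Cloudera's code, that audits a constructed set of account-role assignments against those rules; the role names are the ones on this page, while the principals and their assignments are made up.

```python
# Added example, not Cloudera's code: audit CDP account-role assignments
# against the prerequisites described above. Principals are constructed.

ACCOUNT_ROLE_ASSIGNERS = {"PowerUser"}
RESOURCE_ACCESS_ASSIGNERS = {"EnvironmentCreator", "EnvironmentAdmin",
                             "DataSteward", "DatahubAdmin"}
USER_LISTERS = {"IamUser", "IamViewer"}  # IamUser includes all IamViewer rights
CLI_ROLES = {"IamUser"}                   # CDP CLI access requires IamUser


def audit_roles(roles):
    """Describe what a principal holding these account roles can do.

    PowerUser is treated as satisfying the assigner and user-listing checks
    because the page describes it as "all tasks on all resources"; CLI access
    is checked literally, since the page says every CLI user needs IamUser.
    """
    roles = set(roles)
    power = bool(roles & ACCOUNT_ROLE_ASSIGNERS)
    can_delegate = power or bool(roles & RESOURCE_ACCESS_ASSIGNERS)
    can_list = power or bool(roles & USER_LISTERS)
    findings = []
    if roles & RESOURCE_ACCESS_ASSIGNERS and not can_list:
        findings.append("has an assigner role but cannot list users: "
                        "add IamUser or IamViewer")
    if "IamUser" in roles and "IamViewer" in roles:
        findings.append("IamViewer is redundant: IamUser already includes it")
    return {
        "assign_account_roles": power,
        "assign_resource_access": can_delegate and can_list,
        "use_cli": bool(roles & CLI_ROLES),
        "findings": findings,
    }


def audit_assignments(assignments):
    """Return {principal: findings} for every principal that has findings."""
    result = {}
    for name, roles in assignments.items():
        findings = audit_roles(roles)["findings"]
        if findings:
            result[name] = findings
    return result


# Constructed sample assignments (these principals do not exist anywhere).
SAMPLE_ASSIGNMENTS = {
    "alice": ["EnvironmentCreator"],            # cannot list users to delegate
    "bob": ["EnvironmentAdmin", "IamViewer"],   # complete assigner + lister pair
    "carol": ["IamUser", "IamViewer"],          # IamViewer is redundant
    "svc-deploy": ["PowerUser"],
}

if __name__ == "__main__":
    for name, findings in audit_assignments(SAMPLE_ASSIGNMENTS).items():
        print(f"{name}: " + "; ".join(findings))
```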
You can view all available roles and their CRNs by using the
Account roles can be assigned from the Management Console > User Management > Roles tab, or from the CDP CLI by using the cdp iam assign-user-role or cdp iam assign-group-role commands.
The predefined account roles available in CDP are as follows:
| Account role | Description | Important considerations |
|---|---|---|
| PowerUser | Grants permission to perform all tasks on all resources. | By default, Power Users don't have full access to all resources but can assign themselves a resource role that grants them access to these resources. Note that unlike other shared resources, proxies can only be registered and managed by a PowerUser. |
| EnvironmentCreator | Grants permission to create environments and shared resources (cluster templates, cluster definitions, recipes, image catalogs, credentials), and sync users. Grants permission to list all environments, but not access them unless created by the same user. | Since shared resources are managed separately from environments, in order for a user with the EnvironmentCreator role to be able to use a provisioning credential for creating an environment, that user needs to be Owner or SharedResourceUser for that credential. |
| IamUser | Grants permission to create access keys and upload SSH keys for the user (but not for Moreover, this role includes all permissions of the IamViewer role. It grants permission to view all users in the account and their assigned roles and access keys. | Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer. |
| IamViewer | Grants permission to view all users in the account and their assigned roles and access keys. | Either the IamUser or IamViewer role is required to list other users, therefore any user who needs to assign roles, such as EnvironmentCreator, EnvironmentAdmin, DataHubAdmin, and so on, should be assigned either IamUser or IamViewer. |
| DataCatalogCspRuleManager | Grants permission to perform all tasks on CSP rules in Data Catalog. | |
| DataCatalogCspRuleViewer | Grants permission to list and view CSP rules in Data Catalog. | |
| DFCatalogAdmin | Grants permission to perform all tasks on objects stored in the DataFlow Catalog. This includes importing and deleting flow definitions, as well as uploading new versions of existing flow definitions. | |
| DFCatalogViewer | Grants permission to browse the DataFlow Catalog and view flow definitions. | |