Cloudera Docs

Adding or removing a user from a group

You can add or remove a CDP user or a machine user account from a group.

Note that:
  • SAML login is required to propagate group membership changes from your IdP to CDP. That is, the user who was added or removed from a group must log in to CDP in order for the group membership change to take effect in CDP.
  • You cannot add a group to another group.
  • All members of the group inherit the roles and resources assigned to the group.
  • Cloudera has default limits in place with regard to how many users, machine users, and groups can be added per account. Review User and group limits and make sure that you do not exceed these limits.

Required roles: IamGroupAdmin is the minimum role required for adding or removing users from a group. In addition, in order for a user with the IamGroupAdmin to add or remove users from a group via CDP web interface, the user must have either the IamUser or the IamViewer role that allows listing IAM users and groups. This is not required when adding or removing users from a group via CDP CLI, as long as the admin has the CRN of the user that needs to be added or removed.

Steps

To add a user to a group:

  1. Sign in to the CDP console.

  2. From the CDP home page, click Management Console.

  3. In the User Management section of the side navigation panel, click Groups.

    The Groups page displays the list of all CDP groups.

  4. Click the name of the group to which you want to add a user.

    The group details page displays information about the group.

  5. Click the Members tab.

  6. To add a user:

    • If the group does not yet have members, click Add Member. Select the name of the user that you want to add to the group.
    • If the group already has a list of members, click in the Add a member dropdown box. Select the name of the user that you want to add to the group.
    To remove a user from a group, click Remove from Group next to the user that you want to remove. Click OK to confirm that you want to remove the user from the group.

The user-id parameter requires the CRN of the CDP user or machine user.

You can use the following command to add a user to a group:

cdp iam add-user-to-group \
--group-name <value> \
--user-id <value>

To remove a user from a group:

cdp iam remove-user-from-group \
--group-name <value> \
--user-id <value>

You can use the following command to add a machine user to a group:

cdp iam add-machine-user-to-group \
--group-name <value> \
--user-id <value>

To remove a machine user from a group:

cdp iam remove-machine-user-from-group \
--group-name <value> \
--machine-user-name <value>

To get a list of the users in a group:

cdp iam list-group-members \
--group-name <value>

To get the list of groups that a user or machine user is a member of:

cdp iam list-groups-for-user \
--user-id <value>   
cdp iam list-groups-for-machine-user \
--machine-user-name <value>

What to do next

You need to perform user sync for the change to take effect. See Performing user sync.