Assign an environment resource role to a user

To assign an environment to a user or a machine user, assign a specific resource role on the scope of the specific environment.

Required roles:
  • Owner or a role that allows administering the environment AND
  • One of the following: IamViewer or IamUser (required for listing users).
In order to assign a role, a user must have all rights from the role that they are planning to assign to another user; That is, a user can only assign a role higher than his own.
  1. Sign in to the Cloudera console.
  2. From the Cloudera home page, click Cloudera Management Console.
  3. Navigate to the Environments page.
  4. In the list of environments that appear, select an environment by clicking on it.
  5. From the Actions menu select Manage Access.
  6. In the Access tab, enter the name of the user in the text box.
  7. In the Update Resource Roles window, select the required resource role.
  8. Click Update Roles.

Use the following commands to assign a resource to a user or a machine user:

cdp iam assign-user-resource-role \
--user-name <value> \
--resource-role-crn <value> \
--resource-crn <value> 
cdp iam assign-machine-user-resource-role \
--machine-user-name <value> \
--resource-role-crn <value> \
--resource-crn <value>

To remove a resource role from a user or a machine user:

cdp iam unassign-user-resource-role \
--user-name <value> \
--resource-role-crn <value> \
--resource-crn <value>
cdp iam unassign-machine-user-resource-role \
--machine-user-name <value> \
--resource-role-crn <value> \
--resource-crn <value>
  • The resource-role-crn parameter requires the CRN of the resource role you want to assign to the user. You can use the cdp iam list-resource-roles command to list resource roles with role CRNs.
  • The resource-crn parameter requires the CRN of the resource on which you want to grant the resource role permissions. You can obtain it from the details of the resource.

To get a list of the resource roles assigned to a user or a machine user:

cdp iam list-user-assigned-resource-role \
--user-name <value>
cdp iam list-machine-user-assigned-resource-role \
--machine-user-name <value>

What to do next

You need to perform user sync for the change to take effect. See Performing user sync.