Assigning a group membership administrator
As a CDP administrator, you can create a CDP group and manage the users, roles, and resources assigned to the group. You can also assign other users and groups the IamGroupAdmin role to allow them to manage the users in the group.
- The IamGroupAdmin role grants a user or a group the permission to add users to or remove users from a group. The role does not grant permission to manage roles and resources for the group.
- In order for a user with the IamGroupAdmin to add or remove users from a group via CDP web interface, the user must have either the IamUser or the IamViewer role that allows listing IAM users and groups. This is not required when adding or removing users from a group via CDP CLI, as long as the admin has the CRN of the user that needs to be added or removed.
Required role: PowerUser
Steps
To assign a group membership administrator:
-
Sign in to the Cloudera CDP console.
-
From the CDP home page, click Management Console.
-
In the User Management section of the side navigation panel, click Groups.
The Groups page displays the list of all CDP groups.
-
Click the name of the group to which you want to assign a group membership administrator.
The group details page displays information about the group.
-
Click the Admins tab.
-
Click in the Select group or user dropdown box.
CDP displays the list of CDP groups and users that you can give group membership administrator permissions.
-
Select the name of a group or user.
The name of the group or user you select displays in the list of group membership administrators.
To remove group membership administrator permissions from a user or group, click Remove Resource Role next to the user or group for whom you want to revoke membership administrator permissions.
You assign the IamGroupAdmin
resource
role to users and groups to allow them to manage the users in a specified group.
You can use the following command to assign the IamGroupAdmin role to a user:
cdp iam assign-user-resource-role \
--user <value> \
--resource-role-crn <value> \
--resource-crn <value>
The
user parameter requires the CRN of the user to whom you want to
assign the IamGroupAdmin
resource role.
The
resource-role-crn parameter requires the CRN of the
IamGroupAdmin
role.
The resource-crn parameter requires the CRN of the group on which the user will have administrator permission.
To assign the IamGroupAdmin role to a group:
cdp iam assign-group-resource-role \
--group-name <value>e \
--resource-role-crn <value> \
--resource-crn <value>
The
group-name parameter requires the name of the group to which you want
to assign the IamGroupAdmin
resource role.
The
resource-role-crn parameter requires the CRN of the
IamGroupAdmin
role.
The resource-crn parameter requires the CRN of the group on which the group specified in the group-name parameter will have administrator permission.
For
example, to assign the IamGroupAdmin
to GroupABC so that GroupABC can
manage the users in GroupXYZ, run a command similar to the following
command:
cdp iam assign-group-resource-role \
--group-name groupABC \
--resource-role-crn crn:cdp:iam:us-west-1:cdp:resourceRole:IamGroupAdmin \
--resource-crn crn:cdp:iam:us-west-1:4e9d74e5-1cad-47d8-b645-7ccf9edbb73d:group:GroupXYZ/54218ac1-187b-40f7-aadb-5ghm96c35xy4
To assign the users in a group to be the administrators of their own group, set the values of the group-name parameter and the resource-crn parameter to refer to the same group.
What to do next
You need to perform user sync for the change to take effect. See Performing user sync.