Cloudera Docs

Assigning a group membership administrator

As a CDP administrator, you can create a CDP group and manage the users, roles, and resources assigned to the group. You can also assign other users and groups the IamGroupAdmin role to allow them to manage the users in the group.

Note that:
  • The IamGroupAdmin role grants a user or a group the permission to add users to or remove users from a group. The role does not grant permission to manage roles and resources for the group.
  • In order for a user with the IamGroupAdmin to add or remove users from a group via CDP web interface, the user must have either the IamUser or the IamViewer role that allows listing IAM users and groups. This is not required when adding or removing users from a group via CDP CLI, as long as the admin has the CRN of the user that needs to be added or removed.

Required role: PowerUser

Steps

To assign a group membership administrator:

  1. Sign in to the Cloudera CDP console.

  2. From the CDP home page, click Management Console.

  3. In the User Management section of the side navigation panel, click Groups.

    The Groups page displays the list of all CDP groups.

  4. Click the name of the group to which you want to assign a group membership administrator.

    The group details page displays information about the group.

  5. Click the Admins tab.

  6. Click in the Select group or user dropdown box.

    CDP displays the list of CDP groups and users that you can give group membership administrator permissions.

  7. Select the name of a group or user.

    The name of the group or user you select displays in the list of group membership administrators.

    To remove group membership administrator permissions from a user or group, click Remove Resource Role next to the user or group for whom you want to revoke membership administrator permissions.

You assign the IamGroupAdmin resource role to users and groups to allow them to manage the users in a specified group.

You can use the following command to assign the IamGroupAdmin role to a user:

cdp iam assign-user-resource-role \
--user <value> \
--resource-role-crn <value> \
--resource-crn <value>

The user parameter requires the CRN of the user to whom you want to assign the IamGroupAdmin resource role.

The resource-role-crn parameter requires the CRN of the IamGroupAdmin role.

The resource-crn parameter requires the CRN of the group on which the user will have administrator permission.

To assign the IamGroupAdmin role to a group:

cdp iam assign-group-resource-role \
--group-name <value>e \
--resource-role-crn <value> \
--resource-crn <value>

The group-name parameter requires the name of the group to which you want to assign the IamGroupAdmin resource role.

The resource-role-crn parameter requires the CRN of the IamGroupAdmin role.

The resource-crn parameter requires the CRN of the group on which the group specified in the group-name parameter will have administrator permission.

For example, to assign the IamGroupAdmin to GroupABC so that GroupABC can manage the users in GroupXYZ, run a command similar to the following command:

cdp iam assign-group-resource-role \
--group-name groupABC \
--resource-role-crn crn:cdp:iam:us-west-1:cdp:resourceRole:IamGroupAdmin \
--resource-crn crn:cdp:iam:us-west-1:4e9d74e5-1cad-47d8-b645-7ccf9edbb73d:group:GroupXYZ/54218ac1-187b-40f7-aadb-5ghm96c35xy4

To assign the users in a group to be the administrators of their own group, set the values of the group-name parameter and the resource-crn parameter to refer to the same group.

What to do next

You need to perform user sync for the change to take effect. See Performing user sync.