Resource roles

A role that is associated with a specific resource is called a resource role. This type of role gives permission to perform tasks on a specific resource, such as a specific CDP environment, shared resource, or Data Hub cluster.

When you assign a resource role, you must specify the resource on which to grant the resource role permissions. For example, you can assign a user a resource role that grants permission on an environment. The user assigned the resource role can access and perform tasks only on that environment, but not on other environments.

A resource role determines a specific set of tasks that the user can perform on the resources. For example, the EnvironmentUser resource role assigned to a user allows the user the rights contained in the resource role only on that particular environment.

The predefined resource roles available in CDP that you can assign to CDP users, machine users, and groups are as follows:

  • Environment resource roles
  • Shared resource resource roles
  • Data Hub resource roles

  • The Owner resource role (available on all resources)
Each role is identified by a CRN, which uses the following format:
crn:altus:iam:<CONTROL_PLANE_REGION>:altus:resourceRole:<RESOURCE_ROLE_NAME>

For example, the following is the DataHubAdmin role CRN:

crn:altus:iam:us-west-1:altus:resourceRole:DataHubAdmin
You can view all available roles and their CRNs by using the cdp iam list-resource-roles command.

Environment resource roles

Environment resource roles can be assigned on the scope of a specific environment.

These resource roles can be assigned from the Management Console > Environments > navigate to a specific environment > Actions > Manage Access > Access or from CDP CLI using the cdp iam assign-user-resource-role command.
Table 1. Environment resource roles
Resource role Description Important considerations
EnvironmentAdmin Grants all rights to the environment and Data Hub clusters running in it, except the ability to delete the environment. The user who created the environment automatically gets the EnvironmentAdmin role on the scope of that environment.

The EnvironmentAdmin resource role is assigned the Limited Cluster Administrator role in Cloudera Manager. Users with this role can manage the cluster lifecycle, change configurations, and manage parcels. For more information on CM roles, see the topic Default User Roles.

The Cloudera Manager Limited Cluster Administrator role is assigned to the EnvironmentAdmin because the CDP Control Plane is responsible for certain tasks historically done in Cloudera Manager, for example: adding or removing hosts as part of up/down-scaling and repair operations, executing upgrades of clusters in coordination with upgrading the OS images used by clusters, and creating new clusters based on templates preconfigured to work in a CDP environment. In addition, only selected services and workload types are currently supported in Data Hub, represented by the built-in cluster definitions. Finally, certain CDP services like encryption-at-rest infrastructure are explicitly not designed for use in the public cloud, where the cloud provider's object store encryption capabilities should be used. Because of this, Data Hub is prescriptive in its choice of workload types and the CDP Control Plane is best suited to manage most cluster life cycle operations. Doing so directly in Cloudera Manager could lead to unexpected operational issues. Data Hub does, however, support fully customizable cluster templates.

EnvironmentUser Grants permission to view Data Hub clusters and set the workload password for the environment.

The EnvironmentUser resource role is assigned the Read-Only role in Cloudera Manager. For more information on CM roles, see the topic Default User Roles.

This role should be used in conjunction with service-specific roles such as DataHubAdmin, DWAdmin, DWUser, MLAdmin, MLUser, and so on. When assigning one of these service-specific roles to users, make sure to also assign the EnvironmentUser role.

DataSteward Grants permission to perform user/group management functions in Ranger and Atlas Admin, manage ID Broker mappings, and start user sync for the environment.

DataSteward can manage access to the environment by assigning a user DataSteward or EnvironmentUser role.

DataHubCreator Grants permission to create Data Hub clusters in the environment.
DEAdmin Grants permission to create, delete and administer Data Engineering services for the environment. When assigning this role, you should also assign the EnvironmentUser role.
DEUser Grants permission to list and use Data Engineering services for the environment. When assigning this role, you should also assign the EnvironmentUser role.
DFAdmin Grants permission to enable, disable and administer the CDP environment for DataFlow. This includes granting and revoking the ability to access the DataFlow Kubernetes API server. When assigning this role, you should also assign the EnvironmentUser role.
DFFlowAdmin Grants permission to create, terminate, administer and monitor running deployments for the environment. When assigning this role, you should also assign the EnvironmentUser role.
DFFlowUser Grants permission to view and monitor deployments for the environment. When assigning this role, you should also assign the EnvironmentUser role.
DWAdmin Grants permission to activate/terminate or launch/stop/update services in Database Catalogs and Virtual Warehouses. When assigning this role, you should also assign the EnvironmentUser role.
DWUser Grants permission to view and use Cloudera Data Warehouse clusters within the environment. When assigning this role, you should also assign the EnvironmentUser role.
MLAdmin Grants permission to create and delete Cloudera Machine Learning workspaces within the environment. MLAdmins will also have Site Administrator access to all the workspaces provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workspaces. When assigning this role, you should also assign the EnvironmentUser role.

MLBusinessUser

Grants permission to view Cloudera Machine Learning workspaces for the environment. MLBusinessUsers are granted view-only access to applications that have been shared with them through projects inside a workspace. When assigning this role, you should also assign the EnvironmentUser role.
MLUser Grants permission to view Cloudera Machine Learning workspaces provisioned within the environment. MLUsers are also able to run workloads on all the workspaces provisioned within this environment. When assigning this role, you should also assign the EnvironmentUser role.

MLUsers currently require the SharedResourceUser role on the cloud credential used for the environment.

ODAdmin Grants permission to create, drop and administer the Cloudera Operational Databases for the environment. When assigning this role, also assign the DataSteward or EnvironmentAdmin role.
ODUser Grants permission to list and use Cloudera Operational Databases for the environment.
Owner Grants all permissions required to manage the environment in CDP including the ability to delete it. The user who created the environment automatically gets the Owner role on the scope of that environment.

The Owner role on the scope of an environment allows you to delete that environment, but to access the environment's clusters (Data Lakes, Data Hubs), you need EnvironmentAdmin or EnvironmentUser.

Shared resource resource roles

Shared resources resource roles can be assigned on the scope of a specific shared resource such as a credential, cluster template, image catalog, or recipe. This does not include default shared resources (such as default cluster definitions or cluster templates), which can be seen by everyone who is able to access the account, or proxies, which can only be managed by a PowerUser.

These resource roles can be assigned from the Management Console > Environments > Shared Resources > select a shared resource > navigate to a specific shared resource > Manage Access, or from CDP CLI using the cdp iam assign-user-resource-role command.

You can view all available resource roles and their CRNs by using the cdp iam list-resource-roles command.

Table 2. Shared resource resource roles
Resource role Description Important considerations
SharedResourceUser This role enables shared resource sharing with other users.

It grants permission to access and use the specific shared resource such as a specific cluster template, credential, image catalog, or recipe.

In order for a user to be able to use a provisioning credential for creating an environment, that user needs to be Owner or SharedResourceUser for that credential.

Owner Grants all permissions required to manage the shared resource in CDP including the ability to delete it. The user who created the shared resource automatically gets the Owner role on the scope of that shared resource.

In order for a user to be able to use a provisioning credential for creating an environment, that user needs to be Owner or SharedResourceUser for that credential.

Data Hub resource roles

Data Hub resource roles can be assigned on the scope of a specific Data hub cluster.

These resource roles can be assigned from the Management Console > Data Hub clusters > click on a cluster > Actions > Manage Access, or from CDP CLI using the cdp iam assign-user-resource-role command.

You can view all available roles and their CRNs by using the cdp iam list-resource-roles command.
Table 3. Data Hub resource roles
Resource role Description Important considerations
DataHubAdmin (Technical Preview) Grants administrative rights over the Data Hub cluster, such as start, stop, scale, repair and grant or revoke access. When assigning this role, you should also assign the EnvironmentUser role.

Granting DataHubAdmin role does not grant Cloudera Manager admin rights or Runtime service admin rights (for example NiFi Registry Admin).

Owner Grants all permissions required to manage the Data Hub in CDP including the ability to delete it. The user who created the Data Hub automatically gets the Owner role on the scope of that Data Hub.

The Owner role does not grant any cluster-level permissions such as the ability to access or manage a cluster via Cloudera Manager. In order to access Data Hubs running within an environment, you need EnvironmentAdmin or EnvironmentUser on the scope of that environment.

The Owner resource role

In addition to the aforementioned resource roles, CDP includes the Owner resource role.

The Owner role:

  • Grants full permissions on a specific resource in the Management Console, including the ability to delete the resource. It does not grant any cluster-level permissions such as the ability to access or manage a cluster via Cloudera Manager.
  • Is assigned automatically on a resource to the user who created the resource. For example, if a user creates an environment called “test”, the user is assigned the Owner role for that environment.
  • Allows a user to grant a set of rights (including the Owner role) on the resource to other users and groups. This is possible only if the user also has the IamUser or IamViewer role allowing to list users within the organization.
  • Can be assigned at the scope of the following resources: an environment, Data Lake, shared resource (cluster template, cluster definition, recipe, image catalog, credential), Data Hub cluster, or classic cluster).
  • Can be assigned using the same steps as other resource roles.