Understanding account roles and resource roles

To access resources and perform tasks in CDP, each user requires permissions. As a CDP administrator, you can assign a role to a user or a machine user to give the user permission to perform the tasks either on the whole account or on a specific resource.

Each role has an attached policy that defines the permissions associated with the role. The policy attached to a role determines the operations that the role allows the user to perform. When users attempt to perform operations that are not permitted in their assigned role, they get a permission denied error message.

CDP has predefined roles for your use. You can assign a role or a combination of roles to give the user the appropriate permissions to complete tasks in CDP. You cannot modify the predefined CDP roles or the policies associated with the predefined roles.

The scope of predefined roles and resource roles can vary. For example, a role might grant view access only to Data Hub clusters but not to environments in which these clusters are running. You might need to assign multiple roles to ensure that a user can perform all required tasks in CDP.

CDP provides the following types of roles:

  • Account roles - An account role grants a user, machine user, or group permissions to access or perform tasks on all resources within the CDP tenant.
  • Resource roles - A resource role grants a user, machine user, or group permissions to access or perform tasks on a specific resource (such as a specific environment or a specific Data Hub cluster).
  • Group membership administration roles - The IamGroupAdmin role can be assigned to a user to manage group membership for a specific group.
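
The way these scopes combine is easier to see in code. The following is an added, illustrative model written for this page, not CDP's own authorization implementation: the role names, the operation strings and the CRN-like identifiers are constructed sample values, and the policies attached to each role are assumptions chosen to show the scoping rules described above (an account role applies to every resource in the tenant, a resource role applies only to the exact resource it was assigned on, and anything not granted by some assigned role is denied).

```python
"""Illustrative model of account roles vs resource roles (not CDP's code).

Role names, operations, CRN-style identifiers and the policy contents below are
constructed sample values chosen to demonstrate the scoping rules.
"""
from dataclasses import dataclass, field


# An account role's policy applies to every resource in the tenant (assumed sample policies).
ACCOUNT_ROLE_POLICIES = {
    "PowerUser": {"environments/describe", "environments/create",
                  "datahub/describe", "datahub/create", "datahub/terminate"},
    "IamViewer": {"iam/listUsers", "iam/listGroups"},
}

# A resource role's policy applies only to the single resource it is assigned on.
RESOURCE_ROLE_POLICIES = {
    "EnvironmentUser": {"environments/describe"},
    "DataHubAdmin": {"datahub/describe", "datahub/terminate"},
}


@dataclass
class ResourceRoleAssignment:
    role: str           # a resource role name
    resource_crn: str   # the one resource the assignment is scoped to


@dataclass
class Principal:
    """A user, machine user or group together with its role assignments."""
    name: str
    account_roles: set = field(default_factory=set)
    resource_roles: list = field(default_factory=list)


class PermissionDenied(Exception):
    """Raised when no assigned role permits the requested operation."""


def effective_permissions(principal: Principal, resource_crn: str) -> set:
    """Union of operations the principal may perform on one specific resource."""
    allowed = set()
    # Account roles contribute regardless of which resource is being targeted.
    for role in principal.account_roles:
        allowed |= ACCOUNT_ROLE_POLICIES.get(role, set())
    # Resource roles contribute only when assigned on this exact resource;
    # a DataHubAdmin on one cluster grants nothing on another cluster or on the environment.
    for assignment in principal.resource_roles:
        if assignment.resource_crn == resource_crn:
            allowed |= RESOURCE_ROLE_POLICIES.get(assignment.role, set())
    return allowed


def is_allowed(principal: Principal, operation: str, resource_crn: str) -> bool:
    return operation in effective_permissions(principal, resource_crn)


def authorize(principal: Principal, operation: str, resource_crn: str) -> None:
    """Deny-by-default check: raises unless some assigned role grants the operation."""
    if not is_allowed(principal, operation, resource_crn):
        raise PermissionDenied(
            f"{principal.name} is not permitted to perform {operation} on {resource_crn}")


if __name__ == "__main__":
    # Constructed identifiers in a CRN-like shape; not real CDP resources.
    ENV = "crn:cdp:environments:us-west-1:EXAMPLE-TENANT:environment/env-one"
    CLUSTER = "crn:cdp:datahub:us-west-1:EXAMPLE-TENANT:cluster/cluster-one"

    # A resource role on the cluster says nothing about the environment it runs in.
    alice = Principal("alice", resource_roles=[ResourceRoleAssignment("DataHubAdmin", CLUSTER)])
    print("alice describe cluster:", is_allowed(alice, "datahub/describe", CLUSTER))      # True
    print("alice describe env:    ", is_allowed(alice, "environments/describe", ENV))    # False

    # Assigning a second, environment-scoped role closes that gap.
    alice.resource_roles.append(ResourceRoleAssignment("EnvironmentUser", ENV))
    print("alice describe env:    ", is_allowed(alice, "environments/describe", ENV))    # True

    # An account role covers every resource without per-resource assignments.
    bob = Principal("bob", account_roles={"PowerUser"})
    print("bob terminate cluster: ", is_allowed(bob, "datahub/terminate", CLUSTER))      # True
    try:
        authorize(alice, "datahub/create", ENV)
    except PermissionDenied as err:
        print("denied:", err)
```

The `effective_permissions` function is the useful one for reviewing least privilege: call it for a principal against each resource they touch and compare the union with what the job actually requires, which makes an over-broad account role stand out against a narrower combination of resource roles.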

Review the following documentation to learn more about these role types: