Understanding the Cloudera Observability On-Premises access roles

Describes the Cloudera Observability On-Premises access roles.

Cloudera Observability On-Premises supports cluster privilege roles that define Cloudera Observability On-Premises users as a:
  • System Admin
  • Cluster Admin
  • Cluster User
The following tables describe these cluster privilege roles, also known as access roles:

System Admin access role

An authentic Cloudera Observability On-Premises user who is assigned the System Admin access role has full access rights and system administrator privileges across all clusters within the Cloudera Observability On-Premises environment. Where they can view, edit, and create cost centers, view, edit, and create auto actions, and view all the jobs and queries in all the Workload clusters. These users have the least restrictive access permissions.

Table 1. System Admin
Resource Actions
Access Management page View and manage all the Cloudera Observability On-Premises cluster policies and user access from the Access Management page
Cluster
  • View all the workload clusters on the Clusters page
  • Rename a workload cluster
  • Delete a workload cluster
Workloads
  • Create workloads
  • View all the workloads in a cluster
  • Update all the workloads in a cluster
  • Delete all the workloads in a cluster
Queries View all the queries in all the clusters of the Cloudera Observability On-Premises environment
Jobs View all the jobs in all the clusters of the Cloudera Observability On-Premises environment
Chargeback
  • Create cost centers
  • Update cost centers
  • List cost centers
  • Delete cost centers
  • View all the Chargeback related dashboards
Auto Actions
  • Create auto actions
  • View auto actions
  • Update auto actions
  • Disable auto actions
  • Delete auto actions
  • Enable an auto action email

Cluster Admin access role

An authentic Cloudera Observability On-Premises user who is assigned the Cluster Admin access role has full access rights and cluster administrator privileges across an assigned cluster within the Cloudera Observability On-Premises environment. Where they can view all the jobs and queries in the assigned Workload cluster.

Table 2. Cluster Admin
Resource Actions
Cluster
  • View the assigned Workload cluster on the Clusters page
  • Rename the Workload cluster
  • Delete the Workload cluster
Workloads
  • Create workloads
  • View all workloads in the assigned cluster
  • Update all workloads in the assigned cluster
  • Delete all workloads in the assigned cluster
Queries View all the queries in the assigned cluster
Jobs View all the jobs in the assigned cluster

Cluster User access role

An authentic Cloudera Observability On-Premises user who is assigned the Cluster User access role has limited access rights across an assigned cluster within the Cloudera Observability On-Premises environment. Where they can view only those jobs and queries they created and executed in the assigned Workload cluster.

Table 3. Cluster User
Resource Actions
Cluster View their assigned cluster on the Clusters page.
Workloads View their assigned workloads on the Workloads page
Queries View their queries in the assigned cluster
Jobs View their jobs in the assigned cluster

The Cluster User access role type has the most restricted access permissions, where the user may only view their own jobs and queries.

This access role further restricts the Cluster User to one cluster per policy. For users who are responsible for jobs and queries in more than one cluster they must also be assigned access rights to those clusters. You can either add them to the Cluster Policy for that cluster or include the pool that contains those workloads in the Cluster Policy in which they are assigned.

Also, for users who require access to jobs and queries executed by other users, you can create a Custom Policy as part of the Cluster Policy. This policy includes the user names of the users who execute those jobs and queries and/or the pool names in which they are executed.

For example, though user A and user B have been granted the same Cluster User role type their access to jobs and queries is different. This is due to the conditions of the Cluster Policy in which they are assigned. Where:
  • The cluster policy that defines user A’s Cluster User role type does not permit the user to view workloads within a pool or view other user workloads. In this case, user A is restricted to only view their own jobs and queries within their policy’s assigned cluster.
  • The cluster policy that defines user B’s Cluster User role type contains a Custom Policy that permits the user to view workloads within a pool and view other user workloads. In this case, user B can view the jobs and queries executed by other users and the jobs and queries executed in the pool.