Kafka RBAC Groups management

Users in Lenses have different abilities depending on the access level they have in a particular group. Users may belong to multiple groups. In this guide you'll see how to create groups and authorize user access.


In Lenses, a permission allows a user to view a type of information or perform an action on a specific resource.

A Group is a collection of permissions that defines the level of access for the users who belong to it. Depending on your License, you can define multiple groups to represent roles or projects.

By default, Lenses does not provide any groups; you need to define them. There is a default admin user for logging in the first time. Group permissions are cumulative, which means that the higher permission takes priority.

Learn more about the permission types and the detailed permission matrix

Required permission 

User Management / View | Admin | Enables the user management view for Groups, Users & Service Accounts
User Management / Manage | Admin | Enables managing Groups, Users & Service Accounts, such as creating, editing, deleting and changing passwords

To be able to view, create or modify Groups you need to be authorized with the User Management permission.


Create Groups 

To create a new Group, navigate to Admin, select Groups and then New Group. For every Group you have to set the data namespaces for Kafka or other available connections to data sources.


Add namespaces 

Name your Group and add data namespaces so that its members can view the data of a source. By default, Kafka is available. A namespace is a collection of expressions based on the dataset name. You can add multiple expressions in the same entry and also have multiple namespace entries.


Add Users & Service Accounts 

While creating a User or Service Account you can select one or multiple Groups.

If multiple groups are selected, permissions are inclusive:

  • group A has permissions to customer_details Topic.
  • group B has permissions to frauds_detection Topic.

A user assigned to both group A and group B will have permissions for both the customer_details and frauds_detection topics.
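The cumulative behaviour described above, modelled as an added example (not Lenses code and not its API): it computes a user's effective level per topic across groups and lists the topics where overlapping groups leave the user with a higher level than one of those groups grants alone. The level names, the `*` wildcard matching, the function names and the group data are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Hypothetical permission levels, lowest to highest (not Lenses' own names).
LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed sample groups. Each namespace entry holds dataset-name
# expressions and one level; "*" wildcard matching is an assumption.
GROUPS = {
    "group_a": [{"expressions": ["customer_details"], "level": "read"}],
    "group_b": [{"expressions": ["frauds_detection"], "level": "read"}],
    "group_c": [{"expressions": ["customer_*", "orders"], "level": "write"}],
}

def group_level(group, topic):
    """Highest level a single group grants on a topic."""
    best = "none"
    for ns in GROUPS[group]:
        matched = any(fnmatchcase(topic, expr) for expr in ns["expressions"])
        if matched and LEVELS[ns["level"]] > LEVELS[best]:
            best = ns["level"]
    return best

def effective_level(user_groups, topic):
    """Cumulative result: the highest level across all of the user's groups."""
    levels = (group_level(g, topic) for g in user_groups)
    return max(levels, key=LEVELS.get, default="none")

def review(user_groups, topics):
    """Topics where the user's groups grant different levels, so the higher one wins."""
    findings = []
    for topic in topics:
        granted = {}
        for g in user_groups:
            level = group_level(g, topic)
            if level != "none":
                granted[g] = level
        if len(set(granted.values())) > 1:
            findings.append((topic, effective_level(user_groups, topic), granted))
    return findings

if __name__ == "__main__":
    topics = ["customer_details", "frauds_detection", "orders"]
    for groups in (["group_a", "group_b"], ["group_a", "group_c"]):
        print(groups, {t: effective_level(groups, t) for t in topics})
        print("  review:", review(groups, topics))
```

Running a check like this over every user before adding them to another group shows which memberships would silently raise access on an existing topic.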


Clone Groups 

You can clone an existing Group. This will copy the permissions of the original group but not the Users or Service Accounts belonging to this Group.


Manage groups 

You can Edit, Clone or Delete a Group by navigating to the Group details and selecting the actions menu at the top right of the page.


Groups with IdPs 

Lenses supports 3rd party identity providers for authentication. Based on the provider, you can configure your service by following the configuration instructions during your setup.


Groups are also supported by the CLI to enable automation scenarios.

