This page provides the list of the available permissions by type.
Namespace permissions are applicable to the namespace. A namespace consists of:
Application permissions are scoped by the namespaces in terms of what resources each group can view and manage. For example, if a user needs to create a SQL processor for a topic, he can only do so if the topic is available to his namespace with the “view data” permission.
On top of that, you can control “view” or “manage” access to those resources. “Manage” permission allows write operations which may vary based on the resource type but typically includes create, edit and deletes. When “view” permissions are not added to the group, the reflected feature won’t be available to the end user (also hidden from the UI).
The application permissions
When using Kafka Connect clusters you can authorise clusters per group. The group will list the
available configured clusters and you can select by the alias name you’ve given. This will affect
both Kafka Connectors and SQL Processors running in connect execution mode.
It allows the user to view Kafka consumer groups.
A consumer group is visible if the data namespace rules allow the current user to see all the topics involved.
If one of the topics a consumer group uses is not visible given the namespace permissions, then the entire consumer group is not visible.
It allows the user to update the topic-partition offsets for a given consumer group.
The permission controls the user access to the SQL processors. A SQL processor is displayed to the user
only if the appropriate permissions are in place for the data involved. To view a processor data namespace
rules need to be present, and they need to identify the input and output topics involved.
To create, delete or scale a SQL processor, the user needs to have Manage permission, and:
It allows the user to view running Kafka Connect sinks or sources. Similar to SQL processors, only those
sinks and sources are visible where the data namespaces rules grants permission to see the topics involved.
Grants the user the action to create a new Kafka Connect sink or source. Namespace rules also restrict the action.
In the case of a Connect source, it requires the user to have Insert Data permission for the target topics.
For a Connect sink, it requires the user to have View Data permissions for the source topics.
Updating an existing connector follows the same permission restrictions as seen earlier.
To delete an existing connector, all that is required is for it to be visible.
It allows the user to see and use Kafka Connect Clusters (eg in Connectors, SQL Processors and Topology).
Grants permission to view the entries present in Schema Registry.
A schema entry is visible only if for the corresponding topic the user has, via data namespace rules, View Schema permission.
Controls the permission to manage your Schema Registry entries.
The namespace rules constrain the actions. The user can make amendments to a schema only
if for the corresponding topic, Update Schema permission.
It allows the user, to View both the Landscape of the Data Flow and Apps Listing:
Data namespace permissions determines which nodes are rendered for the user.
It allows the user to “Remove from Lenses” Apps from the app listing page. You need the proper namespace permission in order to be able to view the topology node/listing entry.
Admin permissions are not scoped to the namespace. They resources under this category are managed with global governance.
Similarly to the application permissions, you can control “view” or “manage” access to those resources. “Manage” permission allows write operations which may vary based on the resource type but typically includes create, edit and deletes. When “view” permissions are not added to the group, the reflected feature won’t be available to the end user (also hidden from the UI).
Data policies are rules protecting sensitive information your data might contain. They are available across all topics and therefore are not subject to data namespace permissions.
Groups, Users and Service Accounts are governed by the User Management permission. If you are authorized with User Management manage permission you can create or amend groups but also add users to this group.
Connections are resources that contain information to communicate/connect to other systems. They are treated as sensitive information, so you need Manage permissions to see them.
To create audit channels the connection to the relevant system must exists. Connections are governed by the Connections permission and can be reused to multiple channels.
Kafka settings refers to Kafka ACLs and Quotas but also the Broker decommission. If you want to remove a known broker from Lenses you need this permission.
Approval requests permission is only to view and approve/reject the requests. To create requests for new Topics you need to authorize the relevant namespace permission.
On this page