# Example Policies

These are the recommended default role templates. Use them as-is or as a starting point for custom roles tailored to your organization's needs.

{% hint style="info" %}
For a full list of available actions and resources, see the [IAM Reference](/latest/devx/6.1/user-guide/iam/iam-reference.md).
{% endhint %}

## Administrator

Full system access with all permissions. Administrators can manage all resources, users, and system configuration. This role should be granted sparingly and only to trusted personnel.

<details>

<summary>role</summary>

```yaml
name: administrator
policy:
  - action: "*"
    resource: "*"
    effect: allow
```

</details>

{% hint style="warning" %}
The admin role grants unrestricted access. Consider creating more granular roles for day-to-day operations.
{% endhint %}

## Developer

Create and manage data infrastructure including topics, connectors, processors, and schemas. Developers can build and deploy data pipelines but cannot manage users or system configuration.

<details>

<summary>role</summary>

```yaml
name: developer
policy:
  # Kafka topics - full management except delete
  - action:
      - kafka:CreateTopic
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:UpdateTopicDetails
      - kafka:ReadTopicData
      - kafka:WriteTopicData
      - kafka:ListTopicDependants
    resource: kafka:topic:*
    effect: allow
  # Consumer groups - view (list and inspect only)
  - action:
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
    resource: kafka:consumer-group:*
    effect: allow
  # Schemas - full management except delete
  - action:
      - schemas:CreateSchema
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:UpdateSchema
      - schemas:GetRegistryConfiguration
    resource: schemas:*
    effect: allow
  # Kafka Connect - create and manage connectors
  - action:
      - kafka-connect:CreateConnector
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:GetConnectorConfiguration
      - kafka-connect:UpdateConnectorConfiguration
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
      - kafka-connect:DeployConnector
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - create and manage processors
  - action:
      - sql-streaming:CreateProcessor
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:UpdateProcessorSql
      - sql-streaming:StartProcessor
      - sql-streaming:StopProcessor
      - sql-streaming:GetProcessorLogs
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view and deploy
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
      - kubernetes:DeployApps
    resource: kubernetes:*
    effect: allow
  # Applications - register and manage
  - action:
      - applications:RegisterApplication
      - applications:ListApplications
      - applications:GetApplicationDetails
      - applications:ListApplicationDependants
    resource: applications:*
    effect: allow
  # K2K - create and manage
  - action:
      - k2k:CreateApp
      - k2k:UpdateApp
      - k2k:UpsertApp
      - k2k:GetApp
      - k2k:ListApps
    resource: k2k:*
    effect: allow
  # Governance - submit requests
  - action:
      - governance:CreateRequest
      - governance:ListRequests
      - governance:GetRequestDetails
    resource: governance:request:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  # Alerts - view
  - action:
      - alerts:ListAlertRules
      - alerts:GetAlertRuleDetails
      - alerts:ListAlertEvents
      - alerts:ListChannels
    resource: alerts:*
    effect: allow
  # Data policies - view
  - action:
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
    resource: data-policies:*
    effect: allow
```

</details>

{% hint style="info" %}
Developers can create infrastructure but cannot delete topics/schemas or manage ACLs. Consider adding `kafka:DeleteTopic` for non-production environments.
{% endhint %}

## Data Engineer

Read and write topic data, manage schemas, and create SQL processors. Data engineers focus on data transformation and pipeline development but have limited infrastructure management capabilities.

<details>

<summary>role</summary>

```yaml
name: data-engineer
policy:
  # Kafka topics - read/write data, view metadata
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
      - kafka:WriteTopicData
      - kafka:ListTopicDependants
    resource: kafka:topic:*
    effect: allow
  # Consumer groups - view
  - action:
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
    resource: kafka:consumer-group:*
    effect: allow
  # Schemas - full management except delete
  - action:
      - schemas:CreateSchema
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:UpdateSchema
      - schemas:GetRegistryConfiguration
    resource: schemas:*
    effect: allow
  # Kafka Connect - view and manage connectors
  - action:
      - kafka-connect:CreateConnector
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:GetConnectorConfiguration
      - kafka-connect:UpdateConnectorConfiguration
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - create and manage processors (no delete or scale)
  - action:
      - sql-streaming:CreateProcessor
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:UpdateProcessorSql
      - sql-streaming:StartProcessor
      - sql-streaming:StopProcessor
      - sql-streaming:GetProcessorLogs
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view and deploy
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
      - kubernetes:DeployApps
    resource: kubernetes:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  # Data policies - view
  - action:
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
    resource: data-policies:*
    effect: allow
```

</details>

{% hint style="info" %}
Data engineers can work with data but cannot create topics or manage ACLs. They need the developer role for topic creation.
{% endhint %}

## Viewer

Read-only access across all resources. Viewers can browse topics, view configurations, and monitor status but cannot make any changes. Ideal for stakeholders who need visibility without modification rights.

<details>

<summary>role</summary>

```yaml
name: viewer
policy:
  # Kafka - view only
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListTopicDependants
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
      - kafka:ListAcls
      - kafka:GetAclDetails
      - kafka:ListQuotas
      - kafka:GetQuotaDetails
    resource: kafka:*
    effect: allow
  # Schemas - view only
  - action:
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:GetRegistryConfiguration
    resource: schemas:*
    effect: allow
  # Kafka Connect - view only
  - action:
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - view only
  - action:
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view only
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
    resource: kubernetes:*
    effect: allow
  # Applications - view only
  - action:
      - applications:ListApplications
      - applications:GetApplicationDetails
      - applications:ListApplicationDependants
    resource: applications:*
    effect: allow
  # K2K - view only
  - action:
      - k2k:GetApp
      - k2k:ListApps
    resource: k2k:*
    effect: allow
  # Alerts - view only
  - action:
      - alerts:ListAlertRules
      - alerts:GetAlertRuleDetails
      - alerts:ListAlertEvents
      - alerts:ListChannels
      - alerts:GetChannelRoutes
    resource: alerts:*
    effect: allow
  # Data policies - view only
  - action:
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
    resource: data-policies:*
    effect: allow
  # Governance - view requests
  - action:
      - governance:ListRequests
      - governance:GetRequestDetails
    resource: governance:request:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  # IAM - view users/roles/groups
  - action:
      - iam:ListRoles
      - iam:GetRoleDetails
      - iam:ListGroups
      - iam:GetGroupDetails
      - iam:ListUsers
      - iam:GetUserDetails
    resource: iam:*
    effect: allow
```

</details>

{% hint style="warning" %}
Viewers cannot read topic data (`kafka:ReadTopicData`). Add that permission explicitly if data browsing is needed.
{% endhint %}

## Operator

Operational management without create/delete permissions. Operators can start, stop, scale, and monitor resources but cannot create new infrastructure or delete existing resources.

<details>

<summary>role</summary>

```yaml
name: operator
policy:
  # Kafka - view and manage consumer groups/quotas
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListTopicDependants
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:UpdateConsumerGroup
      - kafka:ListConsumerGroupDependants
      - kafka:ListQuotas
      - kafka:GetQuotaDetails
      - kafka:CreateQuota
      - kafka:UpdateQuota
    resource: kafka:*
    effect: allow
  # Kafka Connect - start/stop connectors
  - action:
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:GetConnectorConfiguration
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - start/stop/scale processors
  - action:
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:StartProcessor
      - sql-streaming:StopProcessor
      - sql-streaming:ScaleProcessor
      - sql-streaming:GetProcessorLogs
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
    resource: kubernetes:*
    effect: allow
  # K2K - manage offsets
  - action:
      - k2k:GetApp
      - k2k:ListApps
      - k2k:ManageOffsets
    resource: k2k:*
    effect: allow
  # Alerts - full management
  - action:
      - alerts:CreateAlertRule
      - alerts:UpdateAlertRule
      - alerts:ListAlertRules
      - alerts:GetAlertRuleDetails
      - alerts:ToggleAlertRule
      - alerts:GetChannelRoutes
      - alerts:UpdateChannelRoutes
      - alerts:ListAlertEvents
      - alerts:ListChannels
      - alerts:GetChannelDetails
      - alerts:ToggleChannel
    resource: alerts:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
```

</details>

{% hint style="info" %}
Operators focus on keeping systems running. They cannot create or delete infrastructure, only manage operational state.
{% endhint %}

## Security Administrator

IAM and security management without data access. Security admins manage users, roles, groups, service accounts, ACLs, and audit logs but cannot read or write topic data.

<details>

<summary>role</summary>

```yaml
name: security-admin
policy:
  # IAM - full management
  - action:
      - iam:CreateRole
      - iam:DeleteRole
      - iam:UpdateRole
      - iam:ListRoles
      - iam:GetRoleDetails
      - iam:CreateGroup
      - iam:DeleteGroup
      - iam:UpdateGroup
      - iam:ListGroups
      - iam:GetGroupDetails
      - iam:CreateUser
      - iam:DeleteUser
      - iam:UpdateUser
      - iam:ListUsers
      - iam:GetUserDetails
      - iam:CreateServiceAccount
      - iam:DeleteServiceAccount
      - iam:UpdateServiceAccount
      - iam:ListServiceAccounts
      - iam:GetServiceAccountDetails
    resource: iam:*
    effect: allow
  # Kafka ACLs - full management
  - action:
      - kafka:CreateAcl
      - kafka:ListAcls
      - kafka:GetAclDetails
      - kafka:UpdateAcl
      - kafka:DeleteAcl
    resource: kafka:acl:*
    effect: allow
  # Kafka - view only (no data access)
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
    resource: kafka:*
    effect: allow
  # Audit - full management
  - action:
      - audit:ListLogs
      - audit:CreateChannel
      - audit:ListChannels
      - audit:GetChannelDetails
      - audit:UpdateChannel
      - audit:ToggleChannel
    resource: audit:*
    effect: allow
  # Data policies - full management
  - action:
      - data-policies:CreatePolicy
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
      - data-policies:UpdatePolicy
      - data-policies:DeletePolicy
    resource: data-policies:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
```

</details>

{% hint style="info" %}
Security admins cannot read topic data, ensuring separation between security management and data access.
{% endhint %}

## Governance Administrator

Approve governance requests and manage data policies. Governance admins review and approve/deny self-service requests and configure governance rules and data protection policies.

<details>

<summary>role</summary>

```yaml
name: governance-admin
policy:
  # Governance - full management
  - action:
      - governance:ListRequests
      - governance:GetRequestDetails
      - governance:ApproveRequest
      - governance:DenyRequest
      - governance:GetRuleDetails
      - governance:UpdateRule
    resource: governance:*
    effect: allow
  # Data policies - full management
  - action:
      - data-policies:CreatePolicy
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
      - data-policies:UpdatePolicy
      - data-policies:DeletePolicy
    resource: data-policies:*
    effect: allow
  # Kafka - view for context when approving
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListAcls
      - kafka:GetAclDetails
    resource: kafka:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
```

</details>

{% hint style="warning" %}
Governance admins need underlying permissions (e.g., `kafka:CreateTopic`) to approve requests that create resources.
{% endhint %}

***

## Environment-Scoped Roles

The roles above grant access across all environments. To restrict access to specific environments, modify the resource patterns.

### Developer for specific environment

Restrict developer access to only the `us-dev` environment:

<details>

<summary>role</summary>

```yaml
name: us-dev-developer
policy:
  - action:
      - kafka:CreateTopic
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:UpdateTopicDetails
      - kafka:ReadTopicData
      - kafka:WriteTopicData
      - kafka:ListTopicDependants
    resource: kafka:topic:us-dev/kafka/*
    effect: allow
  - action:
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
    resource: kafka:consumer-group:us-dev/kafka/*
    effect: allow
  - action:
      - schemas:CreateSchema
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:UpdateSchema
      - schemas:GetRegistryConfiguration
    resource: schemas:*:us-dev/*/*
    effect: allow
  - action:
      - kafka-connect:*
    resource:
      - kafka-connect:cluster:us-dev/*
      - kafka-connect:connector:us-dev/*/*
    effect: allow
  - action:
      - sql-streaming:*
    resource: sql-streaming:sql-processor:us-dev/*/*/*
    effect: allow
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow
```

</details>

### Deny production access

Explicitly deny access to production environments:

<details>

<summary>role</summary>

```yaml
name: no-production-access
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny
```

</details>

{% hint style="info" %}
Deny rules take precedence over allow rules. Use this pattern to create guardrails that prevent accidental production access.
{% endhint %}
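To see how scoped resource patterns and deny statements combine, here is an added example in Python. It is not Lenses code and does not appear on this page: a simplified evaluator that takes role definitions transcribed (and abbreviated) from the YAML above, treats `*` as an fnmatch-style wildcard (an assumption; the real engine's matching rules may differ), and applies the deny-over-allow rule the page states. Resource names such as `kafka:topic:us-dev/kafka/orders` and `environments:environment:prod-eu` are constructed sample values.

```python
"""Simplified evaluator for the role policies on this page.

Added example, not Lenses code. Two assumptions the page does not spell out:
- '*' in an action or resource pattern matches any run of characters
  (fnmatch-style globbing); the real engine's wildcard rules may differ.
- A request is allowed only if some statement allows it and no statement
  denies it; the page does state that deny takes precedence over allow.
"""
from fnmatch import fnmatchcase

# Roles transcribed from the page's YAML into Python structures. Only the
# statements needed for the checks below are kept (abbreviated, constructed).
ADMINISTRATOR = {
    "name": "administrator",
    "policy": [{"action": "*", "resource": "*", "effect": "allow"}],
}

DEVELOPER = {
    "name": "developer",
    "policy": [
        {"action": ["kafka:CreateTopic", "kafka:ListTopics", "kafka:ReadTopicData"],
         "resource": "kafka:topic:*", "effect": "allow"},
        {"action": ["environments:ListEnvironments",
                    "environments:GetEnvironmentDetails",
                    "environments:AccessEnvironment"],
         "resource": "environments:*", "effect": "allow"},
    ],
}

US_DEV_DEVELOPER = {
    "name": "us-dev-developer",
    "policy": [
        {"action": ["kafka:CreateTopic", "kafka:ListTopics", "kafka:ReadTopicData"],
         "resource": "kafka:topic:us-dev/kafka/*", "effect": "allow"},
        {"action": ["kafka-connect:*"],
         "resource": ["kafka-connect:cluster:us-dev/*",
                      "kafka-connect:connector:us-dev/*/*"],
         "effect": "allow"},
        {"action": "environments:AccessEnvironment",
         "resource": "environments:environment:us-dev", "effect": "allow"},
    ],
}

NO_PRODUCTION_ACCESS = {
    "name": "no-production-access",
    "policy": [
        {"action": "environments:AccessEnvironment",
         "resource": "environments:environment:prod-*", "effect": "deny"},
    ],
}


def _as_list(value):
    """'action' and 'resource' may be a single string or a list of patterns."""
    return value if isinstance(value, list) else [value]


def statement_matches(statement, action, resource):
    """True if the statement's action and resource patterns both cover the request."""
    return (any(fnmatchcase(action, p) for p in _as_list(statement["action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(statement["resource"])))


def evaluate(roles, action, resource):
    """Return 'deny', 'allow' or 'no-match' for a request against a set of roles.

    Every statement in every role is scanned: a matching deny wins outright,
    a matching allow is remembered, and no match at all is an implicit deny.
    """
    decision = "no-match"
    for role in roles:
        for statement in role["policy"]:
            if not statement_matches(statement, action, resource):
                continue
            if statement["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision


def is_allowed(roles, action, resource):
    return evaluate(roles, action, resource) == "allow"


def wildcard_grants(role):
    """Indices of allow statements that grant every action or every resource.

    A review check to run before assigning a role: the page recommends
    granting such unrestricted access sparingly.
    """
    return [i for i, s in enumerate(role["policy"])
            if s["effect"] == "allow"
            and ("*" in _as_list(s["action"]) or "*" in _as_list(s["resource"]))]


if __name__ == "__main__":
    print(evaluate([US_DEV_DEVELOPER], "kafka:CreateTopic",
                   "kafka:topic:prod-eu/kafka/orders"))            # no-match
    print(evaluate([DEVELOPER, NO_PRODUCTION_ACCESS],
                   "environments:AccessEnvironment",
                   "environments:environment:prod-eu"))            # deny
    print(wildcard_grants(ADMINISTRATOR))                           # [0]
```

Running it shows that `us-dev-developer` can create `kafka:topic:us-dev/kafka/orders` but gets no match for the same topic under `prod-eu`, and that attaching `no-production-access` alongside `developer` turns an otherwise-allowed `environments:AccessEnvironment` on `environments:environment:prod-eu` into a deny regardless of the order in which the roles are listed. The `wildcard_grants` check flags the administrator template's `*`/`*` statement, which is the kind of review worth running on any custom role before it is assigned.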


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.lenses.io/latest/devx/6.1/user-guide/iam/example-policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
