Example Policies

Example policies for Lenses IAM.

These are the recommended default role templates. Use them as-is or as a starting point for custom roles tailored to your organization's needs.

For a full list of available actions and resources, see the IAM Reference.

Administrator

Full system access with all permissions. Administrators can manage all resources, users, and system configuration. This role should be granted sparingly and only to trusted personnel.

Role

name: administrator
policy:
  - action: "*"
    resource: "*"
    effect: allow

The admin role grants unrestricted access. Consider creating more granular roles for day-to-day operations.

Developer

Create and manage data infrastructure including topics, connectors, processors, and schemas. Developers can build and deploy data pipelines but cannot manage users or system configuration.

Role

name: developer
policy:
  # Kafka topics - full management except delete
  - action:
      - kafka:CreateTopic
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:UpdateTopicDetails
      - kafka:ReadTopicData
      - kafka:WriteTopicData
      - kafka:ListTopicDependants
    resource: kafka:topic:*
    effect: allow
  # Consumer groups - view and manage
  - action:
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
    resource: kafka:consumer-group:*
    effect: allow
  # Schemas - full management except delete
  - action:
      - schemas:CreateSchema
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:UpdateSchema
      - schemas:GetRegistryConfiguration
    resource: schemas:*
    effect: allow
  # Kafka Connect - create and manage connectors
  - action:
      - kafka-connect:CreateConnector
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:GetConnectorConfiguration
      - kafka-connect:UpdateConnectorConfiguration
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
      - kafka-connect:DeployConnector
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - create and manage processors
  - action:
      - sql-streaming:CreateProcessor
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:UpdateProcessorSql
      - sql-streaming:StartProcessor
      - sql-streaming:StopProcessor
      - sql-streaming:GetProcessorLogs
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view and deploy
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
      - kubernetes:DeployApps
    resource: kubernetes:*
    effect: allow
  # Applications - register and manage
  - action:
      - applications:RegisterApplication
      - applications:ListApplications
      - applications:GetApplicationDetails
      - applications:ListApplicationDependants
    resource: applications:*
    effect: allow
  # K2K - create and manage
  - action:
      - k2k:CreateApp
      - k2k:UpdateApp
      - k2k:UpsertApp
      - k2k:GetApp
      - k2k:ListApps
    resource: k2k:*
    effect: allow
  # Governance - submit requests
  - action:
      - governance:CreateRequest
      - governance:ListRequests
      - governance:GetRequestDetails
    resource: governance:request:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  # Alerts - view
  - action:
      - alerts:ListAlertRules
      - alerts:GetAlertRuleDetails
      - alerts:ListAlertEvents
      - alerts:ListChannels
    resource: alerts:*
    effect: allow
  # Data policies - view
  - action:
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
    resource: data-policies:*
    effect: allow

Developers can create infrastructure but cannot delete topics/schemas or manage ACLs. Consider adding kafka:DeleteTopic for non-production environments.

Data Engineer

Read and write topic data, manage schemas, and create SQL processors. Data engineers focus on data transformation and pipeline development but have limited infrastructure management capabilities.

Role

name: data-engineer
policy:
  # Kafka topics - read/write data, view metadata
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ReadTopicData
      - kafka:WriteTopicData
      - kafka:ListTopicDependants
    resource: kafka:topic:*
    effect: allow
  # Consumer groups - view
  - action:
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
    resource: kafka:consumer-group:*
    effect: allow
  # Schemas - full management
  - action:
      - schemas:CreateSchema
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:UpdateSchema
      - schemas:GetRegistryConfiguration
    resource: schemas:*
    effect: allow
  # Kafka Connect - view and manage connectors
  - action:
      - kafka-connect:CreateConnector
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:GetConnectorConfiguration
      - kafka-connect:UpdateConnectorConfiguration
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - full management
  - action:
      - sql-streaming:CreateProcessor
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:UpdateProcessorSql
      - sql-streaming:StartProcessor
      - sql-streaming:StopProcessor
      - sql-streaming:GetProcessorLogs
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view and deploy
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
      - kubernetes:DeployApps
    resource: kubernetes:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  # Data policies - view
  - action:
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
    resource: data-policies:*
    effect: allow

Data engineers can work with data but cannot create topics or manage ACLs. They need the developer role for topic creation.

Viewer

Read-only access across all resources. Viewers can browse topics, view configurations, and monitor status but cannot make any changes. Ideal for stakeholders who need visibility without modification rights.

Role

name: viewer
policy:
  # Kafka - view only
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListTopicDependants
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
      - kafka:ListAcls
      - kafka:GetAclDetails
      - kafka:ListQuotas
      - kafka:GetQuotaDetails
    resource: kafka:*
    effect: allow
  # Schemas - view only
  - action:
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:GetRegistryConfiguration
    resource: schemas:*
    effect: allow
  # Kafka Connect - view only
  - action:
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - view only
  - action:
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view only
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
    resource: kubernetes:*
    effect: allow
  # Applications - view only
  - action:
      - applications:ListApplications
      - applications:GetApplicationDetails
      - applications:ListApplicationDependants
    resource: applications:*
    effect: allow
  # K2K - view only
  - action:
      - k2k:GetApp
      - k2k:ListApps
    resource: k2k:*
    effect: allow
  # Alerts - view only
  - action:
      - alerts:ListAlertRules
      - alerts:GetAlertRuleDetails
      - alerts:ListAlertEvents
      - alerts:ListChannels
      - alerts:GetChannelRoutes
    resource: alerts:*
    effect: allow
  # Data policies - view only
  - action:
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
    resource: data-policies:*
    effect: allow
  # Governance - view requests
  - action:
      - governance:ListRequests
      - governance:GetRequestDetails
    resource: governance:request:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow
  # IAM - view users/roles/groups
  - action:
      - iam:ListRoles
      - iam:GetRoleDetails
      - iam:ListGroups
      - iam:GetGroupDetails
      - iam:ListUsers
      - iam:GetUserDetails
    resource: iam:*
    effect: allow

Viewers cannot read topic data (kafka:ReadTopicData). Add that permission explicitly if data browsing is needed.

Operator

Operational management without create/delete permissions. Operators can start, stop, scale, and monitor resources but cannot create new infrastructure or delete existing resources.

Role

name: operator
policy:
  # Kafka - view and manage consumer groups/quotas
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListTopicDependants
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:UpdateConsumerGroup
      - kafka:ListConsumerGroupDependants
      - kafka:ListQuotas
      - kafka:GetQuotaDetails
      - kafka:CreateQuota
      - kafka:UpdateQuota
    resource: kafka:*
    effect: allow
  # Kafka Connect - start/stop connectors
  - action:
      - kafka-connect:ListConnectors
      - kafka-connect:GetConnectorDetails
      - kafka-connect:GetConnectorConfiguration
      - kafka-connect:StartConnector
      - kafka-connect:StopConnector
      - kafka-connect:ListConnectorDependants
      - kafka-connect:ListClusters
      - kafka-connect:GetClusterDetails
    resource: kafka-connect:*
    effect: allow
  # SQL Streaming - start/stop/scale processors
  - action:
      - sql-streaming:ListProcessors
      - sql-streaming:GetProcessorDetails
      - sql-streaming:GetProcessorSql
      - sql-streaming:StartProcessor
      - sql-streaming:StopProcessor
      - sql-streaming:ScaleProcessor
      - sql-streaming:GetProcessorLogs
      - sql-streaming:ListProcessorDependants
    resource: sql-streaming:*
    effect: allow
  # Kubernetes - view
  - action:
      - kubernetes:ListClusters
      - kubernetes:GetClusterDetails
      - kubernetes:ListNamespaces
    resource: kubernetes:*
    effect: allow
  # K2K - manage offsets
  - action:
      - k2k:GetApp
      - k2k:ListApps
      - k2k:ManageOffsets
    resource: k2k:*
    effect: allow
  # Alerts - full management
  - action:
      - alerts:CreateAlertRule
      - alerts:UpdateAlertRule
      - alerts:ListAlertRules
      - alerts:GetAlertRuleDetails
      - alerts:ToggleAlertRule
      - alerts:GetChannelRoutes
      - alerts:UpdateChannelRoutes
      - alerts:ListAlertEvents
      - alerts:ListChannels
      - alerts:GetChannelDetails
      - alerts:ToggleChannel
    resource: alerts:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow

Operators focus on keeping systems running. They cannot create or delete infrastructure, only manage operational state.

Security Administrator

IAM and security management without data access. Security admins manage users, roles, groups, service accounts, ACLs, and audit logs but cannot read or write topic data.

Role

name: security-admin
policy:
  # IAM - full management
  - action:
      - iam:CreateRole
      - iam:DeleteRole
      - iam:UpdateRole
      - iam:ListRoles
      - iam:GetRoleDetails
      - iam:CreateGroup
      - iam:DeleteGroup
      - iam:UpdateGroup
      - iam:ListGroups
      - iam:GetGroupDetails
      - iam:CreateUser
      - iam:DeleteUser
      - iam:UpdateUser
      - iam:ListUsers
      - iam:GetUserDetails
      - iam:CreateServiceAccount
      - iam:DeleteServiceAccount
      - iam:UpdateServiceAccount
      - iam:ListServiceAccounts
      - iam:GetServiceAccountDetails
    resource: iam:*
    effect: allow
  # Kafka ACLs - full management
  - action:
      - kafka:CreateAcl
      - kafka:ListAcls
      - kafka:GetAclDetails
      - kafka:UpdateAcl
      - kafka:DeleteAcl
    resource: kafka:acl:*
    effect: allow
  # Kafka - view only (no data access)
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
    resource: kafka:*
    effect: allow
  # Audit - full management
  - action:
      - audit:ListLogs
      - audit:CreateChannel
      - audit:ListChannels
      - audit:GetChannelDetails
      - audit:UpdateChannel
      - audit:ToggleChannel
    resource: audit:*
    effect: allow
  # Data policies - full management
  - action:
      - data-policies:CreatePolicy
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
      - data-policies:UpdatePolicy
      - data-policies:DeletePolicy
    resource: data-policies:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow

Security admins cannot read topic data, ensuring separation between security management and data access.

Governance Administrator

Approve governance requests and manage data policies. Governance admins review and approve/deny self-service requests and configure governance rules and data protection policies.

Role

name: governance-admin
policy:
  # Governance - full management
  - action:
      - governance:ListRequests
      - governance:GetRequestDetails
      - governance:ApproveRequest
      - governance:DenyRequest
      - governance:GetRuleDetails
      - governance:UpdateRule
    resource: governance:*
    effect: allow
  # Data policies - full management
  - action:
      - data-policies:CreatePolicy
      - data-policies:ListPolicies
      - data-policies:GetPolicyDetails
      - data-policies:UpdatePolicy
      - data-policies:DeletePolicy
    resource: data-policies:*
    effect: allow
  # Kafka - view for context when approving
  - action:
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:ListAcls
      - kafka:GetAclDetails
    resource: kafka:*
    effect: allow
  # Environments - view and access
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
      - environments:AccessEnvironment
    resource: environments:*
    effect: allow

Governance admins need underlying permissions (e.g., kafka:CreateTopic) to approve requests that create resources.

Environment-Scoped Roles

The roles above grant access across all environments. To restrict access to specific environments, modify the resource patterns.

Developer for specific environment

Restrict developer access to only the us-dev environment:

Role

name: us-dev-developer
policy:
  - action:
      - kafka:CreateTopic
      - kafka:ListTopics
      - kafka:GetTopicDetails
      - kafka:UpdateTopicDetails
      - kafka:ReadTopicData
      - kafka:WriteTopicData
      - kafka:ListTopicDependants
    resource: kafka:topic:us-dev/kafka/*
    effect: allow
  - action:
      - kafka:ListConsumerGroups
      - kafka:GetConsumerGroupDetails
      - kafka:ListConsumerGroupDependants
    resource: kafka:consumer-group:us-dev/kafka/*
    effect: allow
  - action:
      - schemas:CreateSchema
      - schemas:ListSchemas
      - schemas:GetSchemaDetails
      - schemas:UpdateSchema
      - schemas:GetRegistryConfiguration
    resource: schemas:*:us-dev/*/*
    effect: allow
  - action:
      - kafka-connect:*
    resource:
      - kafka-connect:cluster:us-dev/*
      - kafka-connect:connector:us-dev/*/*
    effect: allow
  - action:
      - sql-streaming:*
    resource: sql-streaming:sql-processor:us-dev/*/*/*
    effect: allow
  - action:
      - environments:ListEnvironments
      - environments:GetEnvironmentDetails
    resource: environments:*
    effect: allow
  - action: environments:AccessEnvironment
    resource: environments:environment:us-dev
    effect: allow

Deny production access

Explicitly deny access to production environments:

Role

name: no-production-access
policy:
  - action: environments:AccessEnvironment
    resource: environments:environment:prod-*
    effect: deny

Deny rules take precedence over allow rules. Use this pattern to create guardrails that prevent accidental production access.

PreviousOAuth 2.1 NextGovernance

Was this helpful?

Good evening

hashtagAdministrator

hashtagDeveloper

hashtagData Engineer

hashtagViewer

hashtagOperator

hashtagSecurity Administrator

hashtagGovernance Administrator

hashtagEnvironment-Scoped Roles

hashtagDeveloper for specific environment

hashtagDeny production access

Administrator

Developer

Data Engineer

Viewer

Operator

Security Administrator

Governance Administrator

Environment-Scoped Roles

Developer for specific environment

Deny production access