Roles

Control Hub provides several types of roles that allow you to customize the tasks that users can perform.

To enable groups and users to perform cross-functional tasks, you must assign them multiple roles. For example, to enable a group to create a job for a pipeline and start the job, the group requires the Job Editor role and either the Pipeline User or Pipeline Editor role.

Important: Default role assignments for new users and new groups permit most tasks to encourage development and testing. Change those role assignments as needed to secure the integrity of your organization and data.
Control Hub provides the following types of roles:
  • Connection roles - Enables creating and using connections in pipelines and pipeline fragments.
  • Data SLA roles - Enables viewing and working with data SLAs for topologies.
  • Engine roles - Enables performing tasks in a registered execution engine, including Data Collector and Transformer. Each role provides the same access as the corresponding Data Collector or Transformer role.
    For example, if you have the Control Hub Engine Administrator role, when you log in to a registered Data Collector, you can perform all tasks like a Data Collector user with the Data Collector Admin role.
    Note: After you register a Data Collector or Transformer with Control Hub, all users must use a Control Hub login to access and work with that Data Collector or Transformer.
  • Job roles - Enables working with jobs in Control Hub.
  • Notification roles - Enables viewing and working with alerts in the Alerts view and with subscriptions in the Subscriptions view.
  • Organization roles - Enables access to Control Hub. The Organization Administrator role can also perform additional administrative tasks. Each user must have one of the Organization roles.
  • Pipeline roles - Enables viewing and working with pipelines and fragments in Control Hub.
  • Provisioning roles - Enables working with Provisioning Agents and deployments to automatically provision Data Collectors.
  • Time Series roles - Enables viewing working with job and topology metrics.
  • Topology roles - Enables viewing and working with topologies.

To perform Control Hub tasks, you must have the appropriate object permissions as well as the role associated with the task. For example, if you have the Pipeline Editor role, you can create and remove tags for a pipeline only when granted write permission on the pipeline.

Role Descriptions

The following table describes the tasks that each role can perform.

Role Description
Auth Token Administrator

Register, unregister, and deactivate execution engines using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens.

Provides full access to all registered execution engines in the organization.

Connection Editor Manage connections, including creating, editing, and deleting connections.
Connection User View connection names and descriptions. Use connections when configuring pipelines and pipeline fragments. Start jobs for pipelines that use connections.

Requires the Pipeline Editor role to use connections when configuring pipelines and fragments. Requires the Job Operator role to start jobs.

Control Hub Authentication Use Control Hub credentials to log in when SAML authentication is enabled.

Assign to user accounts that must complete tasks that require Control Hub credentials.

Available only when SAML authentication is enabled for the organization.

Data SLA Editor Manage data SLAs, including creating and modifying data SLAs.

Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role.

Data SLA User View and monitor data SLAs.

Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role.

Engine Administrator

Perform all tasks in registered Data Collectors and Transformers, including installing external libraries and additional Data Collector libraries for the selected authoring engine.

Equivalent to the Data Collector or Transformer Admin role.

Engine Creator

Configure pipelines in registered Data Collectors and Transformers, including configuring alerts, previewing data, and monitoring pipelines.

Equivalent to the Data Collector or Transformer Creator role.

Engine Manager

Manage pipelines in registered Data Collectors and Transformers, including starting and stopping pipelines, monitoring pipelines, configuring and resetting alerts, and reviewing snapshots.

Equivalent to the Data Collector or Transformer Manager role.

Engine Guest

View pipeline and alert configuration, and view general monitoring and log information in registered Data Collectors and Transformers.

Equivalent to the Data Collector or Transformer Guest role.

Job Operator Manage jobs, including creating, editing, importing, exporting, uploading initial offset files, and starting jobs, but not monitoring jobs. Select an authoring engine when designing a pipeline or pipeline fragment.

Requires one of the pipeline roles.

Notification User View and acknowledge data SLA alerts in the Alerts view. Manage subscriptions in the Subscriptions view.
Organization Administrator

Access Control Hub. Register, unregister, and deactivate Data Collectors using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens. Configure users and groups for the organization. View active sessions and audit entries for the organization. View connections, pipelines, jobs, and topologies for the organization. Upload initial offset files for jobs. Configure the organization.

Provides full access to all objects in the organization. Grant other users and groups permission to access the objects.

Organization User Access Control Hub, view user account details, reset the personal password.
Pipeline Editor Design, publish, and manage pipelines and pipeline fragments. Includes importing and exporting pipelines and fragments, and configuring tags.

Requires the Engine Creator or Engine Administrator role. Requires the Job Operator role to select an authoring engine.

Pipeline User View information about existing pipelines and fragments. Export pipelines and fragments.
Provisioning Operator Manage Provisioning Agents and deployments.
Reporting Operator Manage reports, including creating, editing, generating, and viewing reports.
Rules Editor Not used at this time.
Scheduler Operator Manage scheduled tasks, including creating, editing, and monitoring scheduled tasks.
Time Series Reader Monitor jobs and view pipeline metrics.
Time Series Writer Work with metrics using the REST API.
Topology Editor Manage topologies, including creating, monitoring, importing, and exporting topologies.

Requires the Job Operator and Pipeline Editor role.

Topology User View topologies.

Requires the Job Operator role and one of the pipeline roles.

Common Role Assignments

Here are some sample real-world roles and the Control Hub roles needed to perform daily tasks:
Data Architect
To create, view, and monitor topologies and view all metrics, you need the following roles:
  • Organization User
  • Data SLA Editor
  • Notification User
  • Reporting Operator
  • Time Series Reader
  • Topology Editor - Working with topologies also requires the following roles:
    • Job Operator
    • Pipeline Editor
Data Engineer
To develop and test pipelines and fragments in Control Hub, use connections when configuring pipelines and fragments, and to publish and import pipelines to Control Hub, you need the following roles:
  • Organization User
  • Connection User
  • Engine Administrator or Engine Creator
  • Job Operator
  • Pipeline Editor
DevOps or Site Reliability Engineer
To manage registered execution engines - including manually administering and provisioning them - to create, start, and schedule jobs, and to create connections you need the following roles:
  • Organization User
  • Auth Token Administrator
  • Connection Editor
  • Data SLA Editor
  • Engine Administrator
  • Job Operator
  • Notification User
  • Pipeline Editor or Pipeline User
  • Provisioning Operator
  • Reporting Operator
  • Scheduler Operator
  • Time Series Reader
  • Topology Editor
Full Access - development only
To encourage development and testing, each new user and new group can perform most tasks in Control Hub and all registered Data Collectors and Transformers. Use these role assignments in development only.
The following set of roles allow you to perform most tasks in Control Hub and registered execution engines:
  • Organization User
  • Connection User
  • Data SLA Editor
  • Engine Creator
  • Engine Manager
  • Job Operator
  • Notification User
  • Pipeline Editor
  • Provisioning Operator
  • Time Series Reader
  • Topology Editor