Roles
Control Hub provides several types of roles that allow you to customize the tasks that users can perform.
To enable groups and users to perform cross-functional tasks, you must assign them multiple roles. For example, to enable a group to create a job for a pipeline and start the job, the group requires the Job Editor role and either the Pipeline User or Pipeline Editor role.
- Connection roles - Enables creating and using connections in pipelines and pipeline fragments.
- Data SLA roles - Enables viewing and working with data SLAs for topologies.
- Engine roles - Enables performing tasks in a registered execution engine,
including Data Collector and Transformer. Each role provides the same access as the corresponding Data Collector or Transformer role. For example, if you have the Control Hub Engine Administrator role, when you log in to a registered Data Collector, you can perform all tasks like a Data Collector user with the Data Collector Admin role.Note: After you register a Data Collector or Transformer with Control Hub, all users must use a Control Hub login to access and work with that Data Collector or Transformer.
- Job roles - Enables working with jobs in Control Hub.
- Notification roles - Enables viewing and working with alerts in the Alerts view and with subscriptions in the Subscriptions view.
- Organization roles - Enables access to Control Hub. The Organization Administrator role can also perform additional administrative tasks. Each user must have one of the Organization roles.
- Pipeline roles - Enables viewing and working with pipelines and fragments in Control Hub.
- Provisioning roles - Enables working with Provisioning Agents and deployments to automatically provision Data Collectors.
- Time Series roles - Enables viewing working with job and topology metrics.
- Topology roles - Enables viewing and working with topologies.
To perform Control Hub tasks, you must have the appropriate object permissions as well as the role associated with the task. For example, if you have the Pipeline Editor role, you can create and remove tags for a pipeline only when granted write permission on the pipeline.
Role Descriptions
The following table describes the tasks that each role can perform.
| Role | Description |
|---|---|
| Auth Token Administrator |
Register, unregister, and deactivate execution engines using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens. Provides full access to all registered execution engines in the organization. |
| Connection Editor | Manage connections, including creating, editing, and deleting connections. |
| Connection User | View connection names and descriptions. Use connections when
configuring pipelines and pipeline fragments. Start jobs for pipelines
that use connections. Requires the Pipeline Editor role to use connections when configuring pipelines and fragments. Requires the Job Operator role to start jobs. |
| Control Hub Authentication | Use Control Hub credentials to log in when SAML authentication is enabled. Assign to user accounts that must complete tasks that require Control Hub credentials. Available only when SAML authentication is enabled for the organization. |
| Data SLA Editor | Manage data SLAs, including creating and modifying data SLAs.
Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role. |
| Data SLA User | View and monitor data SLAs. Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role. |
| Engine Administrator |
Perform all tasks in registered Data Collectors and Transformers, including installing external libraries and additional Data Collector libraries for the selected authoring engine. Equivalent to the Data Collector or Transformer Admin role. |
| Engine Creator |
Configure pipelines in registered Data Collectors and Transformers, including configuring alerts, previewing data, and monitoring pipelines. Equivalent to the Data Collector or Transformer Creator role. |
| Engine Manager |
Manage pipelines in registered Data Collectors and Transformers, including starting and stopping pipelines, monitoring pipelines, configuring and resetting alerts, and reviewing snapshots. Equivalent to the Data Collector or Transformer Manager role. |
| Engine Guest |
View pipeline and alert configuration, and view general monitoring and log information in registered Data Collectors and Transformers. Equivalent to the Data Collector or Transformer Guest role. |
| Job Operator | Manage jobs, including creating, editing, importing,
exporting, uploading initial offset files, and starting jobs, but not
monitoring jobs. Select an authoring engine when designing a pipeline or
pipeline fragment. Requires one of the pipeline roles. |
| Notification User | View and acknowledge data SLA alerts in the Alerts view. Manage subscriptions in the Subscriptions view. |
| Organization Administrator |
Access Control Hub. Register, unregister, and deactivate Data Collectors using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens. Configure users and groups for the organization. View active sessions and audit entries for the organization. View connections, pipelines, jobs, and topologies for the organization. Upload initial offset files for jobs. Configure the organization. Provides full access to all objects in the organization. Grant other users and groups permission to access the objects. |
| Organization User | Access Control Hub, view user account details, reset the personal password. |
| Pipeline Editor | Design, publish, and manage pipelines and pipeline fragments.
Includes importing and exporting pipelines and fragments, and
configuring tags. Requires the Engine Creator or Engine Administrator role. Requires the Job Operator role to select an authoring engine. |
| Pipeline User | View information about existing pipelines and fragments. Export pipelines and fragments. |
| Provisioning Operator | Manage Provisioning Agents and deployments. |
| Reporting Operator | Manage reports, including creating, editing, generating, and viewing reports. |
| Rules Editor | Not used at this time. |
| Scheduler Operator | Manage scheduled tasks, including creating, editing, and monitoring scheduled tasks. |
| Time Series Reader | Monitor jobs and view pipeline metrics. |
| Time Series Writer | Work with metrics using the REST API. |
| Topology Editor | Manage topologies, including creating, monitoring, importing, and
exporting topologies. Requires the Job Operator and Pipeline Editor role. |
| Topology User | View topologies. Requires the Job Operator role and one of the pipeline roles. |
Common Role Assignments
- Data Architect
- To create, view, and monitor topologies and view all metrics, you need the
following roles:
- Organization User
- Data SLA Editor
- Notification User
- Reporting Operator
- Time Series Reader
- Topology Editor - Working with topologies also requires the
following roles:
- Job Operator
- Pipeline Editor
- Data Engineer
- To develop and test pipelines and fragments in Control Hub, use connections when configuring pipelines and fragments, and to publish
and import pipelines to Control Hub, you need the following roles:
- Organization User
- Connection User
- Engine Administrator or Engine Creator
- Job Operator
- Pipeline Editor
- DevOps or Site Reliability Engineer
- To manage registered execution engines - including manually
administering and provisioning them - to create, start, and
schedule jobs, and to create connections you need the following roles:
- Organization User
- Auth Token Administrator
- Connection Editor
- Data SLA Editor
- Engine Administrator
- Job Operator
- Notification User
- Pipeline Editor or Pipeline User
- Provisioning Operator
- Reporting Operator
- Scheduler Operator
- Time Series Reader
- Topology Editor
- Full Access - development only
- To encourage development and testing, each new user and new group can perform most tasks in Control Hub and all registered Data Collectors and Transformers. Use these role assignments in development only.