Roles
Control Hub provides several types of roles that allow you to customize the tasks that users can perform.
To enable groups and users to perform cross-functional tasks, you must assign them multiple roles. For example, to enable a group to create a job for a pipeline and start the job, the group requires the Job Editor role and either the Pipeline User or Pipeline Editor role.
To perform Control Hub tasks, you must have the appropriate object permissions as well as the role associated with the task. For example, if you have the Pipeline Editor role, you can create and remove tags for a pipeline only when granted write permission on the pipeline.
Role Descriptions
The following table describes the tasks that each role can perform.
| Role | Description |
|---|---|
| Connection Editor | Manage connections, including creating, editing, and deleting connections. |
| Connection User | View connection names and descriptions. Use connections when
configuring pipelines and pipeline fragments. Start jobs for pipelines
that use connections. Requires the Pipeline Editor role to use connections when configuring pipelines and fragments. Requires the Job Operator role to start jobs. |
| Data SLA Editor | Manage data SLAs, including creating and modifying data SLAs.
Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Metrics Reader role. |
| Data SLA User | View and monitor data SLAs. Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Metrics Reader role. |
| Deployment Manager | Manage deployments, including creating, starting, stopping, editing, and deleting deployments. |
| Engine Administrator |
Perform all tasks in the pipeline canvas, including installing external libraries and additional stage libraries for the selected authoring engine. Monitor engines in the Engines view, including accessing the External Resources, Logs, Thread Dump, Support Bundle, Directories, and Health tabs. Requires the Pipeline Editor role for the pipeline canvas tasks. Requires the Job Operator role to access the Engines view. |
| Engine Creator |
Design pipelines in the pipeline canvas, including configuring alerts and previewing data. Requires the Pipeline Editor role. |
| Engine Manager |
Manage pipeline draft runs in the pipeline canvas, including monitoring draft runs, configuring and resetting alerts for draft runs, and reviewing snapshots for draft runs. Requires the Pipeline Editor role. |
| Environment Manager | Manage environments, including creating, activating, deactivating, editing, and deleting environments. |
| Job Operator | Manage job instances and
job templates, including creating, editing, importing,
exporting, uploading initial offset files, and starting jobs, but not
monitoring jobs. Select an authoring engine when designing a pipeline or
pipeline fragment. Start and stop draft runs from the
pipeline canvas. Access the Draft Runs view and manage draft runs.
Access the Engines view and manage the engine
details. Requires one of the pipeline roles. |
| Notification User | View and acknowledge data SLA alerts in the Alerts view. Manage subscriptions in the Subscriptions view. |
| Organization Administrator |
Configure organization details. Enable SAML authentication. Manage users and groups. View active sessions and audit entries. Perform all tasks granted by all other roles. Provides full access to all objects in the organization. Requires one of the engine roles to complete
the following tasks:
An organization can include multiple users assigned the Organization Administrator role, but only one primary organization administrator. |
| Pipeline Editor | Design, publish, and manage pipelines and pipeline fragments.
Includes importing and exporting pipelines and fragments, and
configuring tags. Requires the Engine Creator or Engine Administrator role. Requires the Job Operator role to select an authoring engine. |
| Pipeline User | View information about existing pipelines and fragments. Export pipelines and fragments. |
| Provisioning Operator | Manage Provisioning Agents and legacy Kubernetes deployments. |
| Scheduler Operator | Manage scheduled tasks, including creating, editing, and monitoring scheduled tasks. |
| Metrics Reader | Monitor jobs and view pipeline metrics. |
| Topology Editor | Manage topologies, including creating, monitoring, importing, and
exporting topologies. Requires the Job Operator and Pipeline Editor role. |
| Topology User | View topologies. Requires the Job Operator role and one of the pipeline roles. |
Common Role Assignments
- Data Architect
- To create, view, and monitor topologies and view all metrics, you need the
following roles:
- Data SLA Editor
- Notification User
- Metrics Reader
- Topology Editor - Working with topologies also requires the
following roles:
- Job Operator
- Pipeline Editor
- Data Engineer
- To develop and test pipelines and fragments in Control Hub, use connections when configuring pipelines and fragments, and to publish
and import pipelines to Control Hub, you need the following roles:
- Connection User
- Engine Administrator or Engine Creator
- Job Operator
- Pipeline Editor
- DevOps or Site Reliability Engineer
- To manage environments, deployments, and engines,
to create, start, and
schedule jobs, and to create connections you need the following roles:
- Connection Editor
- Data SLA Editor
- Deployment Manager
- Engine Administrator
- Environment Manager
- Job Operator
- Notification User
- Pipeline Editor or Pipeline User
- Provisioning Operator (when using legacy Kubernetes integration)
- Scheduler Operator
- Metrics Reader
- Topology Editor
- Full Access - development only
- To encourage development and testing, each new user and new group can perform most tasks in Control Hub. Use these role assignments in development only.