.. _connect-rbac-getting-started:
.. |br| raw:: html

   <br />

Get Started With |rbac| and |kconnect-long|
------------------------------------------------
|rbac| uses roles and role mappings to grant an authenticated principal (a user or
|rbac-sa|) a defined level of access to |kconnect| and |ak|. Authentication
establishes who the principal is; the role bindings described on this page decide
which |kconnect| operations that principal is authorized to perform.
.. include:: ../../includes/rbac-demo.rst
.. _connect-role-mappings:
-------------------------
|kconnect| Role Mappings
-------------------------
The table below shows the permitted |kconnect| operations for each RBAC role.
.. csv-table::
   :header: "Roles [1]", "Register Connect Cluster", "Create Connector", "Read Connector Configuration", "Read Status", "Pause/Restart Connector", "Scale Connector", "Configure Connector", "Manage Access", "Delete"
   :widths: 20, 20, 20, 20, 20, 20, 20, 20, 20, 20

   "**SystemAdmin**", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes"
   "**UserAdmin**", "No", "No", "No", "No", "No", "No", "No", "Yes", "No"
   "**ClusterAdmin**", "Yes", "Yes", "Yes", "Yes", "[2]", "[2]", "No", "Yes", "Yes"
   "**Operator**", "No", "No", "No", "Yes", "Yes", "Yes", "Yes", "No", "No"
   "**SecurityAdmin**", "No", "No", "No", "No", "No", "No", "No", "No", "No"
   "**ResourceOwner**", "No", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes"
   "**DeveloperRead**", "No", "No", "Yes", "Yes", "No", "No", "No", "No", "No"
   "**DeveloperWrite**", "No", "No", "No", "Yes", "No", "No", "Yes", "No", "No"
   "**DeveloperManage**", "No", "Yes", "No", "Yes", "Yes", "Yes", "No", "No", "No"

**Table Notes:**

**[1]** Review the following additional information about roles:

- Each role has either a cluster-level scope or a resource-level scope. *Yes* means that the operation is permitted, but only within the scope of the role binding: a cluster-level role applies to every connector in the bound |kconnect| cluster, while a resource-level role applies only to the connector (or connector name prefix) it is bound to. See :ref:`predefined roles ` for more information about role scoping.
- Cluster-level roles: ``SystemAdmin``, ``UserAdmin``, ``ClusterAdmin``, ``Operator``, ``SecurityAdmin``
- Resource-level roles: ``ResourceOwner``, ``DeveloperRead``, ``DeveloperWrite``, ``DeveloperManage``
- Read Connector Configuration: *Yes* means that read access to both the connector configuration and the task configurations is allowed.
- Read Status: *Yes* means that read access to the task status is allowed.
- Scale Connector: *Yes* means that the role can change the number of tasks (``tasks.max``).
- Configure Connector: *Yes* means that the role can change any of the connector configuration parameters *except* ``tasks.max``.
- Delete: *Yes* means that the role can stop and delete connectors and the |kconnect| cluster.

**[2]** Yes, but typically this is delegated to the ``Operator`` role. |br|

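The following is an added example, not Confluent code, that turns the table and its scoping notes into a local policy check: given a principal's role bindings, it answers whether a given |kconnect| operation on a given connector is permitted, and lists the effective operations for a least-privilege review. The ``Binding``, ``is_allowed`` and ``effective_operations`` names, the simplified binding model (role, Connect cluster, optional connector pattern), and the LITERAL/PREFIXED pattern semantics borrowed from |ak| resource patterns are assumptions of this example; the ``[2]`` entries for ``ClusterAdmin`` are treated as permitted. It evaluates locally and never contacts MDS, so it is a planning aid, not an authorization source.

```python
"""Added example (not Confluent code): local evaluator for the Connect RBAC
role table. Assumes a simplified binding model; does not query MDS."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Column order matches the table's columns after "Roles".
OPERATIONS = (
    "register_cluster", "create", "read_config", "read_status",
    "pause_restart", "scale", "configure", "manage_access", "delete",
)

# Y/N per column, transcribed from the table above.
_ROLE_TABLE = {
    "SystemAdmin":     "Y Y Y Y Y Y Y Y Y",
    "UserAdmin":       "N N N N N N N Y N",
    "ClusterAdmin":    "Y Y Y Y Y Y N Y Y",   # pause/scale are the [2] entries
    "Operator":        "N N N Y Y Y Y N N",
    "SecurityAdmin":   "N N N N N N N N N",
    "ResourceOwner":   "N Y Y Y Y Y Y Y Y",
    "DeveloperRead":   "N N Y Y N N N N N",
    "DeveloperWrite":  "N N N Y N N Y N N",
    "DeveloperManage": "N Y N Y Y Y N N N",
}
CLUSTER_ROLES = frozenset({"SystemAdmin", "UserAdmin", "ClusterAdmin",
                           "Operator", "SecurityAdmin"})
RESOURCE_ROLES = frozenset(_ROLE_TABLE) - CLUSTER_ROLES

PERMISSIONS = {
    role: frozenset(op for op, flag in zip(OPERATIONS, row.split()) if flag == "Y")
    for role, row in _ROLE_TABLE.items()
}


@dataclass(frozen=True)
class Binding:
    """One role binding (simplified model, an assumption of this example)."""
    role: str
    connect_cluster: str
    resource_name: Optional[str] = None   # connector name or prefix; None for cluster-level roles
    prefixed: bool = False                # True = PREFIXED pattern, False = LITERAL

    def __post_init__(self):
        if self.role not in _ROLE_TABLE:
            raise ValueError(f"unknown role {self.role!r}")   # fail closed on typos
        is_cluster = self.role in CLUSTER_ROLES
        if is_cluster == (self.resource_name is not None):
            raise ValueError(f"{self.role}: cluster-level roles take no resource, "
                             "resource-level roles require one")

    def covers(self, connect_cluster: str, connector: Optional[str]) -> bool:
        """Does this binding's scope include the target connector?"""
        if self.connect_cluster != connect_cluster:
            return False
        if self.role in CLUSTER_ROLES:
            return True                      # scope is the whole Connect cluster
        if connector is None:
            return False                     # resource-level role, no connector named
        if self.prefixed:
            return connector.startswith(self.resource_name)
        return connector == self.resource_name


def is_allowed(bindings: Iterable[Binding], op: str, connect_cluster: str,
               connector: Optional[str] = None) -> bool:
    """True if any binding both covers the target and permits the operation."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    return any(op in PERMISSIONS[b.role] and b.covers(connect_cluster, connector)
               for b in bindings)


def effective_operations(bindings, connect_cluster, connector=None):
    """Union of operations the bindings permit on the target (least-privilege review)."""
    return frozenset(op for op in OPERATIONS
                     if is_allowed(bindings, op, connect_cluster, connector))


if __name__ == "__main__":
    # Constructed sample: read-only on every "sink-*" connector, plus Operator cluster-wide.
    sample = [
        Binding("DeveloperRead", "connect-prod", "sink-", prefixed=True),
        Binding("Operator", "connect-prod"),
    ]
    print(sorted(effective_operations(sample, "connect-prod", "sink-pg")))
    print(sorted(effective_operations(sample, "connect-prod", "source-pg")))
```

Note that a resource-level binding never grants ``register_cluster`` even on a matching name, and a cluster-level binding reaches every connector in the cluster, which is why the table notes steer operational tasks to ``Operator`` rather than ``ClusterAdmin``.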
.. _connect-rbac-workflow:
---------------------------
|kconnect| |rbac| workflow
---------------------------
The following is a high-level workflow for configuring |rbac| for a |kconnect|
cluster and connectors.

#. Verify that you have a role that can complete the required operations. See :confluent-cli:`confluent iam|command-reference/iam/index.html` for information about using the CLI to list and describe roles and permissions for your environment.

#. Configure RBAC for a :ref:`Connect cluster `.

#. Configure RBAC for a :ref:`Connect worker `.

#. Configure RBAC for a :ref:`connector `.

* See the :ref:`role binding sequence ` for additional details.

* To use the |kconnect| REST API to set up role bindings, see :ref:`Configure RBAC using the REST API `.
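The workflow above, as an added dry-run script that is not Confluent tooling: it lists what a principal already holds, binds a cluster-level role on the |kconnect| cluster, then binds a resource-level role on one connector, refusing a role of the wrong scope before any command is issued. The CLI flag names (``--principal``, ``--role``, ``--kafka-cluster``, ``--connect-cluster``, ``--resource``) are assumed to match the current Confluent CLI and should be confirmed with ``confluent iam rbac role-binding create --help``; cluster IDs, principals and the connector name are placeholders. Commands are only printed unless ``DRY_RUN=0`` is set.

```shell
#!/bin/sh
# Added example (not Confluent tooling): the Connect RBAC workflow as a
# dry-run script. ASSUMPTIONS: CLI flag names follow the current Confluent CLI;
# all IDs and names are placeholders to replace with your own.
set -eu

DRY_RUN="${DRY_RUN:-1}"
KAFKA_CLUSTER_ID="${KAFKA_CLUSTER_ID:-KAFKA_CLUSTER_ID_PLACEHOLDER}"
CONNECT_CLUSTER_ID="${CONNECT_CLUSTER_ID:-CONNECT_CLUSTER_ID_PLACEHOLDER}"

# Scope of each role, from the role-mapping table notes on this page.
CLUSTER_ROLES="SystemAdmin UserAdmin ClusterAdmin Operator SecurityAdmin"
RESOURCE_ROLES="ResourceOwner DeveloperRead DeveloperWrite DeveloperManage"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# role_in ROLE "list of roles" -> 0 if ROLE is in the list
role_in() {
  for r in $2; do
    if [ "$r" = "$1" ]; then return 0; fi
  done
  return 1
}

# Step 1: show the bindings the principal already has in this Connect cluster.
list_bindings() {  # principal
  run confluent iam rbac role-binding list --principal "$1" \
      --kafka-cluster "$KAFKA_CLUSTER_ID" --connect-cluster "$CONNECT_CLUSTER_ID"
}

# Step 2: cluster-level role on the Connect cluster (e.g. Operator).
bind_cluster_role() {  # principal role
  if ! role_in "$2" "$CLUSTER_ROLES"; then
    echo "bind_cluster_role: $2 is not a cluster-level role" >&2
    return 1
  fi
  run confluent iam rbac role-binding create --principal "$1" --role "$2" \
      --kafka-cluster "$KAFKA_CLUSTER_ID" --connect-cluster "$CONNECT_CLUSTER_ID"
}

# Step 3: resource-level role on a single connector (e.g. ResourceOwner).
bind_connector_role() {  # principal role connector-name
  if ! role_in "$2" "$RESOURCE_ROLES"; then
    echo "bind_connector_role: $2 is not a resource-level role" >&2
    return 1
  fi
  run confluent iam rbac role-binding create --principal "$1" --role "$2" \
      --resource "Connector:$3" \
      --kafka-cluster "$KAFKA_CLUSTER_ID" --connect-cluster "$CONNECT_CLUSTER_ID"
}

# Walk the three steps for placeholder principals.
list_bindings "User:ops-placeholder"
bind_cluster_role "User:ops-placeholder" Operator
bind_connector_role "User:dev-placeholder" ResourceOwner "connector-name-placeholder"
```

Keeping the scope check in front of the CLI call means a typo such as binding ``Operator`` to a single connector fails locally instead of producing a binding that MDS accepts but that grants more than intended.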