.. _connect-rbac-getting-started:

.. |br| raw:: html

   <br />

Get Started With |rbac| and |kconnect-long|
-------------------------------------------

|rbac| uses roles and role mappings to provide different levels of access for a principal (user or |rbac-sa|) that authenticates with |kconnect| and |ak|.

.. include:: ../../includes/rbac-demo.rst

.. _connect-role-mappings:

-------------------------
|kconnect| Role Mappings
-------------------------

The table below shows the permitted |kconnect| operations for each RBAC role.

.. csv-table::
   :header: "Roles [1]", "Register Connect Cluster", "Create Connector", "Read Connector Configuration", "Read Status", "Pause/ Restart Connector", "Scale Connector", "Configure Connector", "Manage Access", "Delete"
   :widths: 20, 20, 20, 20, 20, 20, 20, 20, 20, 20

   "**SystemAdmin**", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes"
   "**UserAdmin**", "No", "No", "No", "No", "No", "No", "No", "Yes", "No"
   "**ClusterAdmin**", "Yes", "Yes", "Yes", "Yes", "[2]", "[2]", "No", "Yes", "Yes"
   "**Operator**", "No", "No", "No", "Yes", "Yes", "Yes", "Yes", "No", "No"
   "**SecurityAdmin**", "No", "No", "No", "No", "No", "No", "No", "No", "No"
   "**ResourceOwner**", "No", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes"
   "**DeveloperRead**", "No", "No", "Yes", "Yes", "No", "No", "No", "No", "No"
   "**DeveloperWrite**", "No", "No", "No", "Yes", "No", "No", "Yes", "No", "No"
   "**DeveloperManage**", "No", "Yes", "No", "Yes", "Yes", "Yes", "No", "No", "No"

**Table Notes:**

**[1]** Review the following additional information about roles:

- Each role has either a Cluster-level scope or a Resource-level scope. *Yes* means that the operation is permitted, but restricted to the role scope. See :ref:`predefined roles ` for more information about role scoping.

  - Cluster-level roles: ``SystemAdmin``, ``UserAdmin``, ``ClusterAdmin``, ``Operator``, ``SecurityAdmin``
  - Resource-level roles: ``ResourceOwner``, ``DeveloperRead``, ``DeveloperWrite``, ``DeveloperManage``

- Read Connector Configuration: *Yes* means that read access to both the connector and task configurations is allowed.
- Read Status: *Yes* means that read access to the task status is allowed.
- Scale Connector: *Yes* means that the role can change the number of tasks.
- Configure Connector: *Yes* means that the role can change any of the connector configuration parameters, *except* for ``tasks.max``.
- Delete: *Yes* means that the role can stop and delete connectors and the |kconnect| cluster.

**[2]** Yes, but typically this is delegated to the Operator role.

|br|

.. _connect-rbac-workflow:

---------------------------
|kconnect| |rbac| workflow
---------------------------

The following is a high-level workflow for configuring |rbac| for a |kconnect| cluster and connectors.

#. Verify that you have a role that can complete the required operations. See :confluent-cli:`confluent iam|command-reference/iam/index.html` for information about using the CLI to list and describe roles and permissions for your environment.
#. Configure RBAC for a :ref:`Connect cluster `.
#. Configure RBAC for a :ref:`Connect worker `.
#. Configure RBAC for a :ref:`connector `.

* See the :ref:`role binding sequence ` for additional details.
* To use the |kconnect| REST API to set up role bindings, see :ref:`Configure RBAC using the REST API `.
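The following is an added example, not Confluent code and not the behaviour of the |kconnect| REST API or the Confluent CLI. It encodes the role mapping table and table note [1] as a small policy evaluator, so that the first workflow step (verifying that a principal holds a role that covers the required operations) can be checked against a set of role bindings before any bindings are created. It models two points the table notes make: cluster-level roles cover every connector, while resource-level roles cover only the connector named in the binding; and a change to ``tasks.max`` falls under Scale Connector rather than Configure Connector. The principal and connector names (``User:alice``, ``pg-sink`` and so on) are constructed sample values, and the ``[2]`` cells are treated as *Yes*.

```python
from dataclasses import dataclass
from typing import Optional

# Columns of the role mapping table, in table order.
OPERATIONS = (
    "Register Connect Cluster",
    "Create Connector",
    "Read Connector Configuration",
    "Read Status",
    "Pause/Restart Connector",
    "Scale Connector",
    "Configure Connector",
    "Manage Access",
    "Delete",
)

# Rows of the table. The "[2]" cells (ClusterAdmin pause/restart and scale)
# are a Yes that is usually delegated to Operator, so they are encoded as Yes.
_ROWS = {
    "SystemAdmin":     "Yes Yes Yes Yes Yes Yes Yes Yes Yes",
    "UserAdmin":       "No  No  No  No  No  No  No  Yes No",
    "ClusterAdmin":    "Yes Yes Yes Yes Yes Yes No  Yes Yes",
    "Operator":        "No  No  No  Yes Yes Yes Yes No  No",
    "SecurityAdmin":   "No  No  No  No  No  No  No  No  No",
    "ResourceOwner":   "No  Yes Yes Yes Yes Yes Yes Yes Yes",
    "DeveloperRead":   "No  No  Yes Yes No  No  No  No  No",
    "DeveloperWrite":  "No  No  No  Yes No  No  Yes No  No",
    "DeveloperManage": "No  Yes No  Yes Yes Yes No  No  No",
}
PERMITTED = {
    role: {op for op, cell in zip(OPERATIONS, row.split()) if cell == "Yes"}
    for role, row in _ROWS.items()
}

CLUSTER_LEVEL = {"SystemAdmin", "UserAdmin", "ClusterAdmin", "Operator", "SecurityAdmin"}
RESOURCE_LEVEL = {"ResourceOwner", "DeveloperRead", "DeveloperWrite", "DeveloperManage"}


@dataclass(frozen=True)
class RoleBinding:
    """One role binding. Resource-level roles must name the connector they cover."""
    principal: str                   # e.g. "User:alice" (constructed sample value)
    role: str
    connector: Optional[str] = None  # None for cluster-level bindings

    def __post_init__(self):
        if self.role not in PERMITTED:
            raise ValueError(f"unknown role: {self.role}")
        if self.role in RESOURCE_LEVEL and self.connector is None:
            raise ValueError(f"{self.role} is resource-level and needs a connector name")
        if self.role in CLUSTER_LEVEL and self.connector is not None:
            raise ValueError(f"{self.role} is cluster-level and takes no connector name")


def is_permitted(bindings, principal, operation, connector=None):
    """True if any binding of `principal` permits `operation` on `connector`."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    for b in bindings:
        if b.principal != principal or operation not in PERMITTED[b.role]:
            continue
        if b.role in CLUSTER_LEVEL:
            return True  # cluster scope covers every connector in the Connect cluster
        if connector is not None and b.connector == connector:
            return True  # resource scope covers only the named connector
    return False


def operations_for_config_change(changed_keys):
    """Map the keys of a connector config change onto the table's operations."""
    keys = set(changed_keys)
    needed = set()
    if "tasks.max" in keys:
        needed.add("Scale Connector")  # tasks.max is a scale, not a configure (note [1])
    if keys - {"tasks.max"}:
        needed.add("Configure Connector")
    return needed


def can_change_config(bindings, principal, connector, changed_keys):
    """True only if every operation the change requires is permitted."""
    return all(is_permitted(bindings, principal, op, connector)
               for op in operations_for_config_change(changed_keys))


def permitted_operations(bindings, principal, connector=None):
    """The set of table operations the principal may perform on `connector`."""
    return {op for op in OPERATIONS if is_permitted(bindings, principal, op, connector)}


# Constructed sample bindings for the workflow's "verify your role" step.
SAMPLE_BINDINGS = [
    RoleBinding("User:ops", "Operator"),
    RoleBinding("User:alice", "ResourceOwner", connector="pg-sink"),
    RoleBinding("User:bob", "DeveloperWrite", connector="pg-sink"),
    RoleBinding("User:sec", "SecurityAdmin"),
]

if __name__ == "__main__":
    for principal in ("User:ops", "User:alice", "User:bob", "User:sec"):
        print(principal, sorted(permitted_operations(SAMPLE_BINDINGS, principal, "pg-sink")))
```

Running the module prints, per principal, the operations the sample bindings allow on ``pg-sink``; the useful checks are the negative ones, for example that ``User:alice`` holds no permission on a connector other than ``pg-sink``, and that ``User:bob`` (DeveloperWrite) can edit ordinary connector settings but cannot change ``tasks.max``.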