Use ACLs with RBAC
You can use RBAC role bindings together with ACLs. Principals in Confluent Cloud can be granted ACLs, RBAC role bindings, or a combination of the two. All of these grants are considered when deciding whether to allow access. For details on the interactions between ACL rules and RBAC roles, see Order of precedence below.
With RBAC available in the data plane for Kafka resources (topics, consumer groups, and transactional IDs):
- Users no longer have super.user access to Kafka clusters and only have permissions that have been explicitly granted.
- Grant granular access to resources using ACLs and RBAC role bindings for principals.
- Both ACLs and RBAC role bindings that grant granular access to resources can now be used with service accounts.
Order of precedence
In Confluent Cloud, ACLs and RBAC role bindings work together based on the following order of precedence:
1. ACL DENY rules are applied first. If an ACL DENY is applied, then access is denied regardless of any ACL ALLOW rules and RBAC role bindings.
2. ACL ALLOW and RBAC roles are applied. All RBAC roles are

When there are no ACL DENY rules that apply:
- If you only have an RBAC permission for a given resource, but not the ACL, then you have permissions for that resource.
- If you have only an ACL permission, you have permissions on the resource.
- If you have both an RBAC and ACL permission, then you have permissions on the resource.
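
The order of precedence above, written out as a small decision function. This is an added example, a simplified model and not Confluent's implementation. It assumes literal matching on principal, operation and resource, a reduced role-to-operation map, and constructed service account and topic names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str    # e.g. "User:sa-app1" (constructed)
    permission: str   # "ALLOW" or "DENY"
    operation: str    # e.g. "READ"
    resource: str     # e.g. "Topic:orders"; literal match only in this model

@dataclass(frozen=True)
class RoleBinding:
    principal: str
    role: str
    resource: str

# Assumption: reduced role -> operation map, for this model only.
ROLE_OPERATIONS = {
    "DeveloperRead": {"READ", "DESCRIBE"},
    "DeveloperWrite": {"WRITE", "DESCRIBE"},
}

def authorize(principal, operation, resource, acls, bindings):
    """Return (allowed, reason) following the page's order of precedence."""
    matching = [a for a in acls
                if (a.principal, a.operation, a.resource) == (principal, operation, resource)]
    # Step 1: an applicable ACL DENY wins over every ALLOW and role binding.
    if any(a.permission == "DENY" for a in matching):
        return False, "ACL DENY"
    # Step 2: ACL ALLOW rules and RBAC role bindings are both considered;
    # either one alone is sufficient.
    if any(a.permission == "ALLOW" for a in matching):
        return True, "ACL ALLOW"
    for b in bindings:
        if ((b.principal, b.resource) == (principal, resource)
                and operation in ROLE_OPERATIONS.get(b.role, set())):
            return True, f"RBAC {b.role}"
    # Nothing was granted explicitly, and there is no implicit super.user access.
    return False, "no grant"

# Constructed sample grants for two service accounts.
ACLS = [
    Acl("User:sa-app1", "DENY", "READ", "Topic:payments"),
    Acl("User:sa-app2", "ALLOW", "WRITE", "Topic:orders"),
]
BINDINGS = [
    RoleBinding("User:sa-app1", "DeveloperRead", "Topic:payments"),
    RoleBinding("User:sa-app1", "DeveloperRead", "Topic:orders"),
    RoleBinding("User:sa-app2", "DeveloperWrite", "Topic:orders"),
]
```

Running the sample grants through `authorize` shows the audit-relevant case: `User:sa-app1` holds a read role binding on `Topic:payments`, yet the DENY ACL still blocks the read.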