RBAC for Managed Connectors in Confluent Cloud


For self-managed connectors running in Confluent Platform, see RBAC for Self-Managed Connectors.

Role-based access control (RBAC) uses roles and role mappings to provide different levels of access for a principal (user or service) to authenticate with Apache Kafka® and managed connectors.


RBAC for managed connectors is available for Standard and Dedicated clusters only.

Connector RBAC role mappings

The table below shows the RBAC role mappings for managed connectors.

Role Create a Connector Create a Data Preview Instance View Data Preview Output Read Configuration Read Status View Logs Read Throughput Metrics Pause and Restart Configure Configure Kafka Credentials Manage Access Delete
OrganizationAdmin Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
EnvironmentAdmin Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes
CloudClusterAdmin Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes
Operator No No [1] No Yes No Yes Yes No No No No
DeveloperRead No No [1] Yes Yes No Yes No No No No No
DeveloperWrite No No [1] Yes Yes No Yes No Yes No No No
[1] The role can view the data preview output only if the role has READ access to the data preview topic.

Certain Confluent Cloud RBAC roles are currently unavailable for managed connectors. For the full list of RBAC roles and role mappings used for Confluent Cloud, see Confluent Cloud RBAC roles. For additional information, see Use Role-Based Access Control (RBAC) in Confluent Cloud.

Manage role assignments using the Cloud Console


You must have administrative permissions to work with role assignments.

Complete the following steps to configure a role assignment for a user or service principal.

  1. Open the Administration menu.

  2. Select Accounts & access.

  3. Select Access.

  4. Select the cluster where you want to configure connector permissions, then click Connectors. You may see one or more assigned roles.

    Connector permissions

    Connector permissions

    The following message may be displayed if you have no connector role assignments in the cluster.

    No Role Assignments

    No role assignments

Add a new role assignment

Complete the following steps to add a role assignment.

  1. Click the Add role assignment button.
  2. Select an existing connector name. You can enter a new connector name here. This allows you to create the role assignment prior to creating the connector.
  3. Select the account where you want to apply the role assignment.
  4. Select DeveloperRead or DeveloperWrite. For specific permissions and other details, see Connector RBAC role mappings.
  5. Click Save.

Delete a role assignment

To delete a role assignment, click a listed account name and then click the trash can icon. Only administrative roles can delete a role assignment.

Delete Role Assignment

Delete assignment

Manage role assignments using the Confluent CLI

The following are typical commands to use when managing role assignments for managed connectors.

To see the available command options:

confluent iam rbac role-binding help

To list the role assignments:

confluent iam rbac role-binding list --current-user
confluent iam rbac role-binding list --principal User:u-12ab34

To create a role assignment:

confluent iam rbac role-binding create --principal User:u-12ab34 \
--role DeveloperWrite --resource DatagenSourceConnector_0 \
--environment env-12345 --kafka-cluster-id lkc-123456

To delete a role assignment:

confluent iam rbac role-binding delete --principal User:u-12ab34

For additional Confluent CLI command examples, see Manage RBAC using the Confluent CLI.