Use ACLs with RBAC on Confluent Cloud
You can use RBAC role bindings together with ACLs. Principals in Confluent Cloud can be granted ACLs, RBAC role bindings, or a combination of the two. All of these grants are considered when deciding whether to allow access. For details on the interactions between ACL rules and RBAC roles, see Order of precedence below.
With RBAC available in the data plane for Kafka resources (topics, consumer groups, and transactional IDs):
- Users no longer have super.user access to Kafka clusters and only have permissions that have been explicitly granted.
- Grant granular access to resources using ACLs and RBAC role bindings for principals.
- Both ACLs and RBAC role bindings that grant granular access to resources can now be used with service accounts.
Order of precedence
In Confluent Cloud, ACLs and RBAC role bindings work together based on the following order of precedence:
1. ACL DENY rules are applied first. If an ACL DENY is applied, then access is denied regardless of any ACL ALLOW rules and RBAC role bindings.
2. ACL ALLOW and RBAC roles are applied. All RBAC roles are ALLOW.

When there are no ACL DENY rules that apply:
- If you only have an RBAC permission for a given resource, but not the ACL, then you have permissions for that resource.
- If you have only an ACL permission, you have permissions on the resource.
- If you have both an RBAC and ACL permission, then you have permissions on the resource.
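
The order of precedence above, modeled as a small evaluator plus an audit helper that lists role-binding grants an ACL DENY still blocks. This is an added example, not Confluent code. The class and function names, the sample principal and topics, and the reduction of a role to a set of operations are assumptions, and matching is simplified to literal resource names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str
    permission: str   # "ALLOW" or "DENY"
    operation: str    # e.g. "READ", "WRITE"
    resource: str     # literal name only, e.g. "topic:orders"

@dataclass(frozen=True)
class RoleBinding:
    principal: str
    operations: frozenset  # assumption: operations the bound role grants
    resource: str

def authorize(principal, operation, resource, acls, bindings):
    """Return (allowed, reason) using the order of precedence described above."""
    hits = [a for a in acls if (a.principal, a.operation, a.resource)
            == (principal, operation, resource)]
    # 1. A matching ACL DENY overrides every ACL ALLOW and role binding.
    if any(a.permission == "DENY" for a in hits):
        return False, "ACL DENY"
    # 2. ACL ALLOW and role bindings are both allow grants; either one suffices.
    if any(a.permission == "ALLOW" for a in hits):
        return True, "ACL ALLOW"
    if any(b.principal == principal and b.resource == resource
           and operation in b.operations for b in bindings):
        return True, "RBAC role binding"
    # No explicit grant applies, so access is not given.
    return False, "no grant"

def shadowed_grants(acls, bindings):
    """Operations a role binding grants that an ACL DENY still blocks."""
    return [(b.principal, op, b.resource)
            for b in bindings for op in sorted(b.operations)
            if authorize(b.principal, op, b.resource, acls, bindings)
            == (False, "ACL DENY")]

# Constructed sample grants; principal and topic names are made up.
ACLS = [
    Acl("User:sa-app", "ALLOW", "READ", "topic:orders"),
    Acl("User:sa-app", "DENY", "WRITE", "topic:payments"),
]
BINDINGS = [
    RoleBinding("User:sa-app", frozenset({"READ", "WRITE"}), "topic:payments"),
    RoleBinding("User:sa-app", frozenset({"READ"}), "topic:orders"),
]
```

Running `shadowed_grants` over an export of a cluster's ACLs and role bindings shows where a role binding looks effective on paper but is overridden by a DENY rule.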