Grant Role-Based Access for Tableflow in Confluent Cloud
Tableflow supports Role-based Access Control (RBAC) for managing Tableflow resources. In general, there are no Tableflow-specific roles to configure, and access to Tableflow typically mirrors access to Apache Kafka® resources.
Tableflow supports two primary user access patterns: admin users and topic owner users.
Tableflow admin users
Users with administrative roles (OrganizationAdmin, EnvironmentAdmin, CloudClusterAdmin) have full control over Tableflow, including:
Managing catalog integrations (AWS Glue, Snowflake Polaris)
Enabling or disabling Tableflow on any topic
Accessing metrics and monitoring
Accessing all Tableflow features in the Confluent Cloud console
Managing Bring Your Own Bucket (BYOB) configurations
Minimum permissions required
To grant administrator access to a Tableflow user, assign the following permissions:
CloudClusterAdmin on the cluster
Assigner or ResourceOwner on all provider integrations (environment scope)
DeveloperRead on all schema subjects for schema validation
Tableflow topic owner users
Topic owner users have limited access to only those resources that they own. Users with the ResourceOwner role on specific topics can enable Tableflow on the topics they own, but with limitations:
Can enable or disable Tableflow on topics they own
Can view Tableflow status for their topics
Minimum permissions required
To grant topic owner access to a Tableflow user, assign the following permissions:
ResourceOwner on specific topics
DeveloperRead on all schema subjects for schema validation
Assigner on provider integrations to access the Tableflow Hub UI
Access to Tableflow resources
The following table shows each role, its scope, and the Tableflow management operations it permits.
| Roles | Scope | Enable/Disable/Update Tableflow with Confluent storage | Enable/Disable/Update Tableflow with custom storage | List table | Data plane read |
|---|---|---|---|---|---|
| OrganizationAdmin | Organization | Yes | Yes | Yes | Yes |
| EnvironmentAdmin | Environment | Yes | Yes | Yes | Yes |
| CloudClusterAdmin | Cloud cluster | Yes [1] | Yes [2] | Yes | Yes |
| ResourceOwner | Topic | Yes [1] | Yes [2] | Yes | Yes |
| OrganizationOperator | Organization | No | No | Yes | No |
| EnvironmentOperator | Environment | No | No | Yes | No |
| CloudClusterOperator | Cloud cluster | No | No | Yes | No |
| DeveloperManage | Cluster | No | No | Yes | No |
| DeveloperRead | Cluster | No | No | No | Yes |
| Others | No | No | No | No | No |
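To make the matrix above checkable, here is an added Python model (not Confluent code and not its API) that encodes the table as data and evaluates a principal's role bindings against a target topic, honouring scope nesting (organization, environment, cluster, topic). The organization, environment and cluster ids and the topic names are constructed placeholders, and footnotes [1] and [2] are not modelled.

```python
"""Evaluate Tableflow RBAC decisions from the documentation table above.

Added illustration: the ids below (o-1, env-1, lkc-1) and topic names are
constructed, and the matrix is transcribed from the table, not fetched
from Confluent Cloud.
"""
from dataclasses import dataclass

OPS = ("enable_confluent_storage", "enable_custom_storage",
       "list_table", "data_plane_read")

# Role -> operations marked "Yes" in the table. Roles absent from this
# dict are the table's "Others" row and grant nothing.
MATRIX = {
    "OrganizationAdmin": set(OPS),
    "EnvironmentAdmin": set(OPS),
    "CloudClusterAdmin": set(OPS),   # [1]/[2] caveats not modelled
    "ResourceOwner": set(OPS),       # [1]/[2] caveats not modelled
    "OrganizationOperator": {"list_table"},
    "EnvironmentOperator": {"list_table"},
    "CloudClusterOperator": {"list_table"},
    "DeveloperManage": {"list_table"},
    "DeveloperRead": {"data_plane_read"},
}


@dataclass
class Binding:
    role: str
    scope: dict  # subset of {"org", "env", "cluster", "topic"}


def covers(binding_scope, target):
    """A binding applies when every key it pins matches the target, so an
    environment-scoped binding covers all clusters and topics beneath it,
    while a topic-scoped binding covers exactly that topic."""
    return all(target.get(k) == v for k, v in binding_scope.items())


def allowed_ops(bindings, target):
    ops = set()
    for b in bindings:
        if covers(b.scope, target):
            ops |= MATRIX.get(b.role, set())
    return ops


def can(bindings, target, op):
    return op in allowed_ops(bindings, target)


# Constructed sample: one cluster with two topics.
ORDERS = {"org": "o-1", "env": "env-1", "cluster": "lkc-1", "topic": "orders"}
PAYMENTS = {**ORDERS, "topic": "payments"}
TOPIC_OWNER = [Binding("ResourceOwner", dict(ORDERS))]
OPERATOR = [Binding("CloudClusterOperator",
                    {"org": "o-1", "env": "env-1", "cluster": "lkc-1"})]
ADMIN = [Binding("EnvironmentAdmin", {"org": "o-1", "env": "env-1"})]
```

Running `can(TOPIC_OWNER, PAYMENTS, "enable_confluent_storage")` shows the topic owner pattern stopping at the owned topic, while `allowed_ops(ADMIN, PAYMENTS)` shows the admin pattern covering every topic in the environment.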
TableflowTopics APIs
TableflowTopics APIs enable managing Tableflow for a topic. These management operations include:
CREATE: Enable Tableflow for a topic and set the configurations.
UPDATE: Update the Tableflow configurations for a topic.
DELETE: Disable Tableflow for a topic.
GET: Get the current Tableflow status for a topic along with the configurations.
LIST: Get the Tableflow status and configurations for all topics in a cluster.
Catalog Integration APIs
Catalog Integration APIs enable managing external catalog integrations, such as AWS Glue Data Catalog and Snowflake Polaris. The following table shows the roles, scopes, and permitted catalog integration management operations for RBAC roles.
| Roles | Scope | Create/Update/Delete Catalog Integration | View Catalog Integration |
|---|---|---|---|
| CloudClusterAdmin | Cloud cluster | Yes [3] | Yes |
| EnvironmentAdmin | Environment | Yes | Yes |
| OrganizationAdmin | Organization | Yes | Yes |
| Others | | No | No |
With ProviderIntegrationResourceOwner or ProviderIntegrationAssigner roles for Glue