Grant Role-Based Access for Tableflow in Confluent Cloud

Tableflow supports Role-based Access Control (RBAC) for managing access to Tableflow resources. There are no Tableflow-specific roles to configure, and access to Tableflow typically mirrors access to Apache Kafka® resources.

Access to Tableflow resources

The following table shows the roles, scope, and permitted management operations of Tableflow.

| Roles | Scope | Enable/Disable/Update Tableflow with Confluent storage | Enable/Disable/Update Tableflow with custom storage | List table | Data plane read |
|---|---|---|---|---|---|
| OrganizationAdmin | Organization | Yes | Yes | Yes | Yes |
| EnvironmentAdmin | Environment | Yes | Yes | Yes | Yes |
| CloudClusterAdmin | Cloud cluster | Yes [1] | Yes [2] | Yes | Yes |
| ResourceOwner | Topic | Yes [1] | Yes [2] | Yes | Yes |
| OrganizationOperator | Organization | No | No | Yes | No |
| EnvironmentOperator | Environment | No | No | Yes | No |
| CloudClusterOperator | Cloud cluster | No | No | Yes | No |
| DeveloperManage | Cluster | No | No | Yes | No |
| DeveloperRead | Cluster | No | No | No | Yes |
| Others | No | No | No | No | No |
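For an access review, the role table above can be applied to a set of role bindings to see who effectively holds each Tableflow permission on one topic. The following Python sketch is an added example, not Confluent code: the binding record layout, the principal names, and the resource IDs are constructed, and the conditions behind footnotes [1] and [2] (not reproduced on this page) are treated as a plain "Yes".

```python
"""Effective Tableflow access review built from the role table on this page."""

# Operation columns of the Tableflow table, in page order (names are hypothetical).
OPS = ("confluent_storage", "custom_storage", "list_table", "data_plane_read")
ADMIN = frozenset(OPS)
LIST_ONLY = frozenset({"list_table"})

# Role -> permitted operations, transcribed from the table.
# Assumption: cells marked [1]/[2] are treated as "Yes".
MATRIX = {
    "OrganizationAdmin": ADMIN, "EnvironmentAdmin": ADMIN,
    "CloudClusterAdmin": ADMIN, "ResourceOwner": ADMIN,
    "OrganizationOperator": LIST_ONLY, "EnvironmentOperator": LIST_ONLY,
    "CloudClusterOperator": LIST_ONLY, "DeveloperManage": LIST_ONLY,
    "DeveloperRead": frozenset({"data_plane_read"}),
}

def applies(binding_scope, target):
    """A binding covers the target when every scope field it sets matches."""
    return all(target.get(key) == value for key, value in binding_scope.items())

def effective_access(bindings, target):
    """Return {principal: set of operations} for one target topic."""
    access = {}
    for b in bindings:
        ops = MATRIX.get(b["role"], frozenset())  # "Others" row: no access
        if ops and applies(b["scope"], target):
            access.setdefault(b["principal"], set()).update(ops)
    return access

def who_can(bindings, target, op):
    """Sorted principals that hold `op` on the target topic."""
    granted = effective_access(bindings, target)
    return sorted(p for p, ops in granted.items() if op in ops)

# Constructed sample data: not real principals or resource IDs.
CLUSTER = {"org": "org-1", "env": "env-a", "cluster": "lkc-1"}
TARGET = {**CLUSTER, "topic": "orders"}
SAMPLE_BINDINGS = [
    {"principal": "User:alice", "role": "EnvironmentAdmin",
     "scope": {"org": "org-1", "env": "env-a"}},
    {"principal": "User:bob", "role": "CloudClusterOperator", "scope": CLUSTER},
    {"principal": "User:carol", "role": "DeveloperRead",
     "scope": {**CLUSTER, "topic": "orders"}},
    {"principal": "User:dave", "role": "ResourceOwner",
     "scope": {**CLUSTER, "topic": "payments"}},   # different topic
    {"principal": "User:erin", "role": "MetricsViewer",
     "scope": {"org": "org-1"}},                   # falls under "Others"
]

if __name__ == "__main__":
    for op in OPS:
        print(f"{op}: {who_can(SAMPLE_BINDINGS, TARGET, op)}")
```

Principals that appear under `data_plane_read` or `custom_storage` without a clear need are the ones to question first in a least-privilege review.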

TableflowTopics APIs

TableflowTopics APIs enable managing Tableflow for a topic. These management operations include:

  • CREATE: Enable Tableflow for a topic and set the configurations.

  • UPDATE: Update the Tableflow configurations for a topic.

  • DELETE: Disable Tableflow for a topic.

  • GET: Get the current Tableflow status for a topic along with the configurations.

  • LIST: Get the Tableflow status and configurations for all topics in a cluster.

Catalog Integration APIs

Catalog Integration APIs enable managing the external catalog integrations, like AWS Glue Data Catalog and Snowflake Polaris. The following table shows the roles, scopes, and permitted catalog integration management operations for RBAC roles.

| Roles | Scope | Create/Update/Delete Catalog Integration | View Catalog Integration |
|---|---|---|---|
| CloudClusterAdmin | Cloud cluster | Yes [3] | Yes |
| EnvironmentAdmin | Environment | Yes | Yes |
| OrganizationAdmin | Organization | Yes | Yes |
| Others | | No | No |