Roles

Control Hub provides several types of roles that allow you to customize the tasks that users can perform.

To enable groups and users to perform cross-functional tasks, you must assign them multiple roles. For example, to enable a group to create a job for a pipeline and start the job, the group requires the Job Editor role and either the Pipeline User or Pipeline Editor role.

Important: To encourage development and testing, default assignments for new users and new groups permit most tasks in Control Hub and any registered Data Collector or Transformer. Change those role assignments as needed to secure the integrity of your organization and data.
Control Hub provides the following types of roles:
  • Data SLA roles - Enables viewing and working with data SLAs for topologies.
  • Engine roles - Enables performing tasks in a registered execution engine, including Data Collector and Transformer. Each role provides the same access as the corresponding Data Collector or Transformer role.
    For example, if you have the Control Hub Engine Administrator role, when you log in to a registered Data Collector, you can perform all tasks like a Data Collector user with the Data Collector Admin role.
    Note: After you register a Data Collector or Transformer with Control Hub, all users must use a Control Hub login to access and work with that Data Collector or Transformer.
  • Job roles - Enables working with jobs in Control Hub.
  • Notification roles - Enables viewing and working with alerts in the Alerts view and with subscriptions in the Subscriptions view.
  • Organization roles - Enables access to Control Hub. The Organization Administrator role can also perform additional administrative tasks. Each user must have one of the Organization roles.
  • Pipeline roles - Enables viewing and working with pipelines and fragments in Control Hub.
  • Provisioning roles - Enables working with Provisioning Agents and deployments to automatically provision Data Collectors.
  • Time Series roles - Enables viewing working with job and topology metrics.
  • Topology roles - Enables viewing and working with topologies.

To perform Control Hub tasks, you must have the appropriate object permissions as well as the role associated with the task. For example, if you have the Pipeline Editor role, you can create and remove tags for a pipeline only when granted write permission on the pipeline.

Role Descriptions

The following table describes the tasks that each role can perform.

Role Description
Auth Token Administrator Register, unregister, and deactivate execution engines using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens.

Provides full access to all registered execution engines in the organization.

Control Hub Authentication Use Control Hub credentials to log in when SAML authentication is enabled.

Assign to user accounts that must complete tasks that require Control Hub credentials.

Available only when SAML authentication is enabled for the organization.

Data SLA Editor Manage data SLAs, including creating and modifying data SLAs.

Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role.

Data SLA User View and monitor data SLAs.

Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role.

Engine Administrator Perform all tasks in registered Data Collectors and Transformers.

Equivalent to the Data Collector or Transformer Admin role.

Engine Creator Configure pipelines in registered Data Collectors and Transformers, including configuring alerts, previewing data, and monitoring pipelines.

Equivalent to the Data Collector or Transformer Creator role.

Engine Manager Manage pipelines in registered Data Collectors and Transformers, including starting and stopping pipelines, monitoring pipelines, configuring and resetting alerts, and reviewing snapshots.

Equivalent to the Data Collector or Transformer Manager role.

Engine Guest

View pipeline and alert configuration, and view general monitoring and log information in registered Data Collectors and Transformers.

Equivalent to the Data Collector or Transformer Guest role.

Job Operator Manage jobs, including creating, editing, importing, exporting, uploading initial offset files, and starting jobs, but not monitoring jobs.

Creating a job requires one of the pipeline roles as well.

Notification User View and acknowledge data SLA alerts in the Alerts view. Manage subscriptions in the Subscriptions view.
Organization Administrator Access Control Hub. Register, unregister, and deactivate Data Collectors using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens. Configure users and groups for the organization. View active sessions, login audit entries, action audit entries, and subscription audit entries for the organization. View pipelines, jobs, and topologies for the organization. Upload initial offset files for jobs. Configure the organization.

Provides full access to all objects in the organization. Grant other users and groups permission to access the objects.

Organization User Access Control Hub, view user account details, reset the personal password.
Pipeline Editor Design, publish, and manage pipelines and pipeline fragments. Includes importing and exporting pipelines and fragments, and configuring tags.
Pipeline User View information about the pipelines and fragments in the pipeline repository. Export pipelines and fragments.
Provisioning Operator Manage Provisioning Agents and deployments.
Reporting Operator Manage reports, including creating, editing, generating, and viewing reports.
Rules Editor Not used at this time.
Scheduler Operator Manage scheduled tasks, including creating, editing, and monitoring scheduled tasks.
Time Series Reader Monitor jobs and view pipeline metrics.
Time Series Writer Work with metrics using the REST API.
Topology Editor Manage topologies, including creating, monitoring, importing, and exporting topologies.

Requires the Job Operator and Pipeline Editor role.

Topology User View topologies.

Requires the Job Operator role and one of the pipeline roles.

Common Role Assignments

Here are some sample real-world roles and the Control Hub roles needed to perform daily tasks:
Data Architect
To create, view, and monitor topologies and view all metrics, you need the following roles:
  • Organization User
  • Topology Editor - Working with topologies also requires the following roles:
    • Job Operator
    • Pipeline Editor
  • Time Series Reader
  • Data SLA Editor
  • Notification User
  • Reporting Operator
Data Engineer
To develop and test pipelines and fragments in the Control Hub Pipeline Designer, and to publish and import pipelines to Control Hub, you need the following roles:
  • Organization User
  • Pipeline Editor
  • Engine Administrator or Engine Creator
  • Job Operator when working in Pipeline Designer
Data Security Administrator
To create pipelines and jobs for testing, you also need the following roles:
  • Pipeline Editor
  • Engine Administrator or Engine Creator
  • Job Operator
DevOps or Site Reliability Engineer
To manage registered execution engines - including manually administering and provisioning them - and to create, start, and schedule jobs, you need the following roles:
  • Organization User
  • Auth Token Administrator
  • Engine Administrator
  • Job Operator
  • Pipeline Editor or Pipeline User
  • Provisioning Operator
  • Reporting Operator
  • Scheduler Operator
  • Time Series Reader
  • Topology Editor
  • Data SLA Editor
  • Notification User
Full Access - development only
To encourage development and testing, each new user and new group can perform most tasks in Control Hub and all registered Data Collectors and Transformers. Use those role assignments in development only.
The following set of roles allow you to perform most tasks in Control Hub and registered execution engines:
  • Organization User
  • Engine Manager
  • Engine Creator
  • Provisioning Operator
  • Pipeline Editor
  • Job Operator
  • Time Series Reader
  • Topology Editor
  • Data SLA Editor
  • Notification User