Roles

Control Hub provides several types of roles that allow you to customize the tasks that users can perform.

To enable groups and users to perform cross-functional tasks, you must assign them multiple roles. For example, to enable a group to create a job for a pipeline and start the job, the group requires the Job Editor role and either the Pipeline User or Pipeline Editor role.

Important: To encourage development and testing, each new user and new group can perform most tasks in Control Hub and all registered Data Collectors. Change those role assignments as needed to secure the integrity of your organization and data.

Control Hub provides the following types of roles:
  • Data Collector roles - Enables performing tasks in a registered Data Collector. Each role provides the same access as the corresponding Data Collector role.
    For example, if you have the Control Hub Data Collector Administrator role, when you log in to a registered Data Collector, you can perform all tasks like a Data Collector user with the Data Collector Admin role.
    Note: After you register a Data Collector with Control Hub, all users must use a Control Hub login to access and work with the Data Collector.
  • Data Protector roles - Enables viewing and working with Data Protector classification rules and protection policies.
  • Data SLA roles - Enables viewing and working with data SLAs for topologies.
  • Job roles - Enables working with jobs in Control Hub.
  • Notification roles - Enables viewing and working with alerts in the Alerts view and with subscriptions in the Subscriptions view.
  • Organization roles - Enables access to Control Hub. The Organization Administrator role can also perform additional administrative tasks. Each user must have one of the Organization roles.
  • Pipeline roles - Enables viewing and working with pipelines and fragments in Control Hub.
  • Provisioning roles - Enables working with Provisioning Agents and deployments to automatically provision Data Collectors.
  • Time Series roles - Enables viewing and working with job and topology metrics.
  • Topology roles - Enables viewing and working with topologies.

To perform Control Hub tasks, you must have the appropriate object permissions as well as the role associated with the task. For example, if you have the Pipeline Editor role, you can create and remove tags for a pipeline only when granted write permission on the pipeline.

Role Descriptions

The following table describes the tasks that each role can perform:

| Role | Description |
| --- | --- |
| Auth Token Administrator | Register, unregister, and deactivate Data Collectors using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens. Provides full access to all Data Collectors in the organization. |
| Classification Administrator | View and manage custom classification rules, including creating, editing, and deleting rules and classifiers. Provides full access to all custom rules in the organization. Available with Data Protector only. |
| Control Hub Authentication | Use Control Hub credentials to log in when SAML authentication is enabled. Assign to user accounts that must complete tasks that require Control Hub credentials. Available only when SAML authentication is enabled for the organization. |
| Data Collector Administrator | Perform all tasks in registered Data Collectors. Equivalent to the Data Collector Admin role. |
| Data Collector Creator | Configure pipelines in registered Data Collectors, including configuring alerts, previewing data, and monitoring pipelines. Equivalent to the Data Collector Creator role. |
| Data Collector Manager | Manage pipelines in registered Data Collectors, including starting and stopping pipelines, monitoring pipelines, configuring and resetting alerts, and reviewing snapshots. Equivalent to the Data Collector Manager role. |
| Data Collector Guest | View pipeline and alert configuration, and view general monitoring and log information in registered Data Collectors. Equivalent to the Data Collector Guest role. |
| Data SLA Editor | Manage data SLAs, including creating and modifying data SLAs. Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role. |
| Data SLA User | View and monitor data SLAs. Requires one of the topology roles, one of the pipeline roles, the Job Operator role, and the Time Series Reader role. |
| Job Operator | Manage jobs, including creating, editing, importing, exporting, uploading initial offset files, and starting jobs, but not monitoring jobs. Creating a job requires one of the pipeline roles as well. |
| Notification User | View and acknowledge data SLA alerts in the Alerts view. Manage subscriptions in the Subscriptions view. |
| Organization Administrator | Access Control Hub. Register, unregister, and deactivate Data Collectors using Control Hub. Regenerate authentication tokens and delete unregistered authentication tokens. Configure users and groups for the organization. View active sessions, login audit entries, action audit entries, and subscription audit entries for the organization. View pipelines, jobs, and topologies for the organization. Upload initial offset files for jobs. Configure the organization. Provides full access to all objects in the organization. Grant other users and groups permission to access the objects. |
| Organization User | Access Control Hub, view user account details, reset the personal password. |
| Pipeline Editor | Design, publish, and manage pipelines and pipeline fragments. Includes importing and exporting pipelines and fragments, and configuring tags. |
| Pipeline User | View information about the pipelines and fragments in the pipeline repository. Export pipelines and fragments. |
| Policy Manager | View and manage protection policies, including creating, editing, and deleting policies and procedures. Provides full access to all policies in the organization. Available with Data Protector only. |
| Provisioning Operator | Manage Provisioning Agents and deployments. |
| Reporting Operator | Manage reports, including creating, editing, generating, and viewing reports. |
| Rules Editor | Not used at this time. |
| Scheduler Operator | Manage scheduled tasks, including creating, editing, and monitoring scheduled tasks. |
| Time Series Reader | Monitor jobs and view pipeline metrics. |
| Time Series Writer | Work with metrics using the REST API. |
| Topology Editor | Manage topologies, including creating, monitoring, importing, and exporting topologies. Requires the Job Operator and Pipeline Editor roles. |
| Topology User | View topologies. Requires the Job Operator role and one of the pipeline roles. |

Common Role Assignments

Here are some sample real-world roles and the Control Hub roles needed to perform daily tasks:
Data Architect
To create, view, and monitor topologies and view all metrics, you need the following roles:
  • Organization User
  • Topology Editor - Working with topologies also requires the following roles:
    • Job Operator
    • Pipeline Editor
  • Time Series Reader
  • Data SLA Editor
  • Notification User
  • Reporting Operator
Data Engineer
To develop and test pipelines and fragments in the Control Hub Pipeline Designer or an authoring Data Collector, and to publish and import pipelines to Control Hub, you need the following roles:
  • Organization User
  • Pipeline Editor
  • Data Collector Administrator or Data Collector Creator
  • Job Operator when working in Pipeline Designer
Data Security Administrator
To configure and manage Data Protector classification rules and protection policies for the organization, you need the following roles:
  • Organization User
  • Classification Administrator
  • Policy Manager
To create pipelines and jobs for testing, you also need the following roles:
  • Pipeline Editor
  • Data Collector Administrator or Data Collector Creator
  • Job Operator
DevOps or Site Reliability Engineer
To manage Data Collectors - including manually administering and provisioning them - and to create, start, and schedule jobs, you need the following roles:
  • Organization User
  • Auth Token Administrator
  • Data Collector Administrator
  • Job Operator
  • Pipeline Editor or Pipeline User
  • Provisioning Operator
  • Reporting Operator
  • Scheduler Operator
  • Time Series Reader
  • Topology Editor
  • Data SLA Editor
  • Notification User
Full Access - development only
To encourage development and testing, each new user and new group can perform most tasks in Control Hub and all registered Data Collectors. Use those role assignments in development only.
The following set of roles allows you to perform most tasks in Control Hub and registered Data Collectors:
  • Organization User
  • Data Collector Manager
  • Data Collector Creator
  • Provisioning Operator
  • Pipeline Editor
  • Job Operator
  • Time Series Reader
  • Topology Editor
  • Data SLA Editor
  • Notification User
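
The role prerequisites in the role table and the development-only role set above can be checked mechanically when reviewing assignments. The following is an added example, not StreamSets code: the `audit` function, the rule tables, and the sample accounts are constructed here, and the input is a plain mapping of account names to role names rather than a Control Hub API call.

```python
# Added example (not Control Hub code): audit role sets against the rules on this page.
ORG = {"Organization Administrator", "Organization User"}
PIPELINE = {"Pipeline Editor", "Pipeline User"}
TOPOLOGY = {"Topology Editor", "Topology User"}

# role -> requirement groups; the account needs at least one role from each group
REQUIRES = {
    "Data SLA Editor": [TOPOLOGY, PIPELINE, {"Job Operator"}, {"Time Series Reader"}],
    "Data SLA User": [TOPOLOGY, PIPELINE, {"Job Operator"}, {"Time Series Reader"}],
    "Topology Editor": [{"Job Operator"}, {"Pipeline Editor"}],
    "Topology User": [{"Job Operator"}, PIPELINE],
}

# The "Full Access - development only" role set listed on the page.
DEFAULT_FULL_ACCESS = {
    "Organization User", "Data Collector Manager", "Data Collector Creator",
    "Provisioning Operator", "Pipeline Editor", "Job Operator",
    "Time Series Reader", "Topology Editor", "Data SLA Editor", "Notification User",
}

def audit(roles):
    """Return a sorted list of findings for one account's role names."""
    roles = set(roles)
    findings = []
    # Each user must have one of the Organization roles.
    if not roles & ORG:
        findings.append("missing an Organization role")
    # A role without its prerequisite roles cannot do what it was assigned for.
    for role, groups in REQUIRES.items():
        if role not in roles:
            continue
        for group in groups:
            if not roles & group:
                findings.append(f"{role} requires one of: {', '.join(sorted(group))}")
    # Accounts still carrying the whole development set need a least-privilege review.
    if DEFAULT_FULL_ACCESS <= roles:
        findings.append("holds the development-only default role set")
    return sorted(findings)

# Constructed sample assignments (not exported from a real organization).
SAMPLE = {
    "architect": ["Organization User", "Topology Editor", "Job Operator",
                  "Pipeline Editor", "Time Series Reader", "Data SLA Editor",
                  "Notification User", "Reporting Operator"],
    "sla_viewer": ["Organization User", "Data SLA User", "Pipeline User"],
    "new_hire": sorted(DEFAULT_FULL_ACCESS),
}

if __name__ == "__main__":
    for user, assigned in SAMPLE.items():
        print(user, "->", audit(assigned) or "ok")
```

An empty list means the role set satisfies the stated prerequisites; object permissions still have to be checked separately, because a role alone does not grant access to a specific pipeline, job, or topology.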