© 2025 Direct Cursus Technology L.L.C.

User roles in Yandex Managed Service for Apache Kafka®

Written by Yandex Cloud
Updated on September 2, 2025

A role is a set of permissions assigned to a user to manage Apache Kafka® cluster resources.

ACCESS_ROLE_SCHEMA_READER

The ACCESS_ROLE_SCHEMA_READER role grants these resource management permissions:

  • Data schema: Reading.
  • Topic: Viewing info (only for topics related to schemas).
  • Cluster: Viewing info.

You can assign the role for one or several subjects. Instead of specifying a topic or group of topics, list all the subjects you need, including the nested ones, separated by semicolons.

ACCESS_ROLE_SCHEMA_WRITER

The ACCESS_ROLE_SCHEMA_WRITER role grants these resource management permissions:

  • Data schema: Reading and writing.
  • Topic: Viewing info (only for topics related to schemas).
  • Cluster: Viewing info.

You can assign the role for one or several subjects. Instead of specifying a topic or group of topics, list all the subjects you need, including the nested ones, separated by semicolons.

ACCESS_ROLE_TOPIC_CONSUMER

The ACCESS_ROLE_TOPIC_CONSUMER role grants these resource management permissions:

  • Topic: Viewing info and configuration, reading.
  • Cluster: Viewing info.
  • Consumer group: Reading.

You can issue the role for a specific topic or group of topics with names sharing the same prefix (<prefix>*) or for all topics at once (*).

ACCESS_ROLE_CONSUMER

The ACCESS_ROLE_CONSUMER role grants these resource management permissions:

  • Data schema: Reading.
  • Topic: Viewing info and configuration, reading.
  • Cluster: Viewing info.
  • Consumer group: Reading.

You can issue the role for a specific topic or group of topics with names sharing the same prefix (<prefix>*) or for all topics at once (*).

ACCESS_ROLE_TOPIC_PRODUCER

The ACCESS_ROLE_TOPIC_PRODUCER role grants these resource management permissions:

  • Transaction ID: Writing.
  • Topic: Viewing info and configuration, writing to a topic, and creating a topic.
  • Cluster: Viewing info, idempotent writing.
  • Consumer group: Viewing info, reading.

You can issue the role for a specific topic or group of topics with names sharing the same prefix (<prefix>*) or for all topics at once (*).

ACCESS_ROLE_PRODUCER

The ACCESS_ROLE_PRODUCER role grants these resource management permissions:

  • Data schema: Reading and writing.
  • Transaction ID: Writing.
  • Topic: Viewing info and configuration, writing to a topic, and creating a topic.
  • Cluster: Viewing info, idempotent writing.
  • Consumer group: Viewing info, reading.

You can issue the role for a specific topic or group of topics with names sharing the same prefix (<prefix>*) or for all topics at once (*).

ACCESS_ROLE_TOPIC_ADMIN

The ACCESS_ROLE_TOPIC_ADMIN role grants these resource management permissions:

  • Data schema: Reading and writing.
  • Topic: Reading from a topic, writing to a topic, creating/deleting a topic.
  • Consumer group: Viewing info, reading.

You can issue the role for a specific topic or group of topics with names sharing the same prefix (<prefix>*) or for all topics at once (*).

ACCESS_ROLE_ADMIN

The ACCESS_ROLE_ADMIN role grants these resource management permissions:

  • Data schema: Reading and writing.
  • Transaction ID: Writing.
  • Topic: Viewing/editing info and configuration, reading from a topic, writing to a topic, creating/deleting a topic.
  • Cluster: Viewing info and configuration, idempotent writing, creating a cluster.
  • Consumer group: Viewing info, reading, deleting a group.

This role can be assigned only for all topics at once (*).
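
For a least-privilege review of the roles listed above, the following added example (not part of the Yandex Cloud documentation) encodes each role's permissions as given on this page and audits a grant against what a client actually needs. The `resource:action` labels, the helper names `covered_topics` and `audit_grant`, and the sample topic names are assumptions made for illustration.

```python
# Added example. Role names and permissions are transcribed from this page;
# the "resource:action" labels and helper names are illustrative assumptions.
P = "ACCESS_ROLE_"
SCHEMA_RW = {"schema:read", "schema:write"}
TOPIC_CONSUMER = {"topic:view_info", "topic:view_config", "topic:read",
                  "cluster:view_info", "group:read"}
TOPIC_PRODUCER = {"txid:write", "topic:view_info", "topic:view_config",
                  "topic:write", "topic:create", "cluster:view_info",
                  "cluster:idempotent_write", "group:view_info", "group:read"}
ROLES = {
    # Schema roles are scoped by subject, not by topic pattern.
    P + "SCHEMA_READER": {"schema:read", "topic:view_info", "cluster:view_info"},
    P + "SCHEMA_WRITER": SCHEMA_RW | {"topic:view_info", "cluster:view_info"},
    P + "TOPIC_CONSUMER": TOPIC_CONSUMER,
    P + "CONSUMER": TOPIC_CONSUMER | {"schema:read"},
    P + "TOPIC_PRODUCER": TOPIC_PRODUCER,
    P + "PRODUCER": TOPIC_PRODUCER | SCHEMA_RW,
    P + "TOPIC_ADMIN": SCHEMA_RW | {"topic:read", "topic:write", "topic:create",
                                    "topic:delete", "group:view_info", "group:read"},
    P + "ADMIN": TOPIC_PRODUCER | TOPIC_CONSUMER | SCHEMA_RW | {
        "topic:edit_info", "topic:edit_config", "topic:delete",
        "cluster:view_config", "cluster:create", "group:delete"},
}

def covered_topics(scope, topics):
    """Resolve a topic scope: '*', '<prefix>*' or one exact topic name."""
    if scope.endswith("*"):  # '*' is the empty prefix, so it matches everything
        return sorted(t for t in topics if t.startswith(scope[:-1]))
    return sorted(t for t in topics if t == scope)

def audit_grant(role, scope, needed, topics):
    """Compare one (role, scope) grant with the permissions a client needs."""
    granted = ROLES[role]
    return {
        # ACCESS_ROLE_ADMIN is only assignable for all topics at once.
        "scope_valid": role != P + "ADMIN" or scope == "*",
        "missing": sorted(needed - granted),
        "excess": sorted(granted - needed),
        # Roles that still cover the need but grant a strict subset.
        "narrower_roles": sorted(r for r, p in ROLES.items()
                                 if needed <= p and p < granted),
        "topics_in_scope": covered_topics(scope, topics),
    }

if __name__ == "__main__":
    topics = ["orders.eu", "orders.us", "billing"]  # constructed sample names
    need = {"topic:read", "group:read"}
    for role, scope in [(P + "CONSUMER", "orders.*"), (P + "ADMIN", "*")]:
        print(role, scope, audit_grant(role, scope, need, topics))
```

Going by the lists on this page, ACCESS_ROLE_TOPIC_ADMIN is not a superset of the producer roles (it lacks idempotent writing, for example), which is why the audit reports `missing` separately from `excess`.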
