Description
At present, principals granted the Operator role in Confluent Cloud have the following access permissions:
- Describe resources within the organization. This role can view basic information, or metadata, about the resources in the organization, including environments, clusters, connectors, topics, and consumer groups, but not including ksqlDB.
- Cannot list schema subjects. Subject names and associated metadata are available through the GraphQL APIs or searches on the Confluent Cloud Console. To learn more about RBAC and Schema Registry, see Access control (RBAC) for Confluent Cloud Schema Registry.
- Describe topics and consumer groups, but cannot read the messages in the topics.
- Describe API keys (for Kafka, Schema Registry, Flink, and ksqlDB) that are not owned by the principal.
- Describe, Create, Alter, or Delete API keys (for Kafka, Schema Registry, Flink, and ksqlDB) that are owned by the principal.
- Describe, Pause, and Resume managed connectors.
- Describe and view pipelines.
- View Stream Lineage.
- View metrics for clusters (Kafka, Schema Registry, and KSQL) and connectors. Monitor the health of applications and clusters, including monitoring uptime.
Applies To
Confluent Cloud
RBAC
Managed Connectors
Cause
On April 11, 2025, Confluent removes permissions to pause and resume connectors from the Operator role in Confluent Cloud, aligning with broad customer feedback. This change gives administrators back a read-only Operator role that can view metadata and monitor resources but cannot modify resources.
Resolution
Starting immediately, you can grant users the new ConnectManager role to monitor, pause, and resume connectors in your clusters. For details, refer to the Operator and ConnectManager role descriptions in the Confluent Cloud documentation.
Should you have any questions or concerns regarding this change, we invite you to reach out to our support team by submitting a ticket via our support portal at support.confluent.io.