Description
Principals granted the Operator role in Confluent Cloud now have the following access permissions:
-
Describe resources within the organization. This role can view basic information, or metadata, about the resources in the organization, including environments, clusters, connectors, topics, and consumer groups, but not ksqlDB.
- Cannot list schema subjects. Schema subject names and associated metadata are available through the GraphQL APIs or searches on the Confluent Cloud Console. To learn more about RBAC and Schema Registry, see Access control (RBAC) for Confluent Cloud Schema Registry.
- Describe topics and consumer groups, but cannot read the messages in the topics.
- Describe API keys (for Kafka, Schema Registry, Flink, and ksqlDB) that the principal does not own.
- Describe, Create, Alter, or Delete API keys (for Kafka, Schema Registry, Flink, and ksqlDB) owned by the principal.
- Describe managed connectors.
- Describe and view pipelines.
- View Stream Lineage.
- View metrics for clusters (Kafka, Schema Registry, and KSQL) and connectors. Monitor the health of applications and clusters, including monitoring uptime.
The permission to Pause and Resume managed connectors has been removed from this role.
Applies To
Confluent Cloud
RBAC
Managed Connectors
Cause
As previously announced, on April 11, 2025 Confluent removed permissions to pause and resume connectors from the Operator role in Confluent Cloud, aligning with broad customer feedback. This change restored to administrators a read-only Operator role that can view metadata and monitor resources without the right to modify resources.
Resolution
Users can be granted the ConnectManager role to monitor, pause, and resume connectors in your clusters. For details, refer to the Operator and ConnectManager role descriptions in the Confluent Cloud documentation.
If you have any questions or concerns regarding this change, contact our support team by submitting a ticket on the Confluent Support portal at support.confluent.io.