Description
The Confluent Cloud Schema Registry is being updated (Feb 23rd, 2026) to strictly enforce permissions at the Schema Context level. Access will be strictly scoped, requiring explicit authorization for the specific context being accessed.
Applies To
Confluent Cloud Schema Registry
Cause
This occurs under the following conditions:
- The subject exists in both the 'default' and 'custom' contexts.
- The principal has access to the subject within the 'default' context.
- The subject in the 'default' context is no longer present (e.g., it is deleted).
With this change, permissions are enforced at the context level. The user must have explicit authorization for that specific context to successfully retrieve the subject.
Resolution
You must explicitly define the scope for the principal using the :.context:subject syntax. If only the subject name is specified, the principal's access to that subject will be restricted to the default context.
Example Command for Resolution:
confluent iam rbac role-binding create \
--principal User:Alice \
--role DeveloperRead \
--resource Subject::.context_b:orders-value \
--schema-registry-cluster <sr-cluster-id>