question Re: Ranger Auditor Role in Support Questions

Ranger Auditor Role

adamn4 — Mon, 13 Oct 2025 16:04:43 GMT

In Ranger, if a user is both an admin and an auditor then the auditor role is chosen. I would prefer that the highest privilege is chosen so the user should be an admin.

Is there a way to make Ranger pick Admin over Auditor?

Re: Ranger Auditor Role

upadhyayk04 — Mon, 13 Oct 2025 16:23:07 GMT

Hello @adamn4

Thank you for reaching to the Cloudera community

How are you assigning roles to users? I would to understand why two roles to a user? I thing what you are observing a default behaviour i am not sure how to over ride that

Instead, you can use the following way

https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/security-ranger-user-management/topics/security-ranger-configure-adv-usersync-settings.html

Re: Ranger Auditor Role

adamn4 — Tue, 14 Oct 2025 11:25:25 GMT

Hi @upadhyayk04,

I'm assigning the roles through this -
<name>ranger.usersync.group.based.role.assignment.rules</name>
<value>ROLE_SYS_ADMIN:g:ranger_admin_group&ROLE_ADMIN_AUDITOR:g:ranger_support_group</value>
</property>

A user would be part of the ranger_support group day-to-day but when a change to a policy is required they would get added to the ranger_admin group but as it stands they they would then need to get themselves taken out of the support group in order to get the admin access to make the change and then added back in after.

Is this the expected behaviour?

Re: Ranger Auditor Role

upadhyayk04 — Sun, 19 Oct 2025 04:09:52 GMT

Hello Adam,

Thank you for reaching back

The ideal behaviour is below

A user can have only one role, and that role is determined by the last role assigned, depending in part on group membership. For example, if the role assignment rules are configured as follows: ROLE_SYS_ADMIN:u:User1, User2&ROLE_SYS_ADMIN:g:Group1, Group2&ROLE_AUDITOR:g:Group3, Group4&ROLE_USER:g:Group5 and if a user belongs to Group1 & Group5, then the role assigned to that user is ROLE_USER. Similarly, if a user belongs to Group2 & Group3, then the role assigned to that user is ROLE_AUDITOR. If the user does not belong to any of these groups (Group1, Group2, Group3, Group4, or Group5), then the default role assigned to the user is ROLE_USER. If the user belongs to only Group1, then the role assigned to the user is ROLE_SYS_ADMIN.

Re: Ranger Auditor Role

adamn4 — Mon, 20 Oct 2025 16:29:01 GMT

Hi @upadhyayk04,

So that has worked on my 2.6.1 version but not on my 2.2.0 version.

Do you know why it would be different?

Re: Ranger Auditor Role

upadhyayk04 — Mon, 20 Oct 2025 16:31:23 GMT

Hello @adamn4

Thank you for your response

May I know the current CDP version you are using?

Also the example that I shared is from an official document and holds true for current CDP version 7.3.1

https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/security-ranger-user-management/topics/security-ranger-configure-adv-usersync-settings.html

Re: Ranger Auditor Role

DianaTorres — Fri, 24 Oct 2025 21:02:19 GMT

@adamn4 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. If you are still experiencing the issue, can you provide the information @upadhyayk04 has requested? Thanks.