
Ranger Auditor Role

New Contributor

In Ranger, if a user is both an admin and an auditor then the auditor role is chosen.  I would prefer that the highest privilege is chosen so the user should be an admin.

Is there a way to make Ranger pick Admin over Auditor?


Master Collaborator

Hello @adamn4 

Thank you for reaching out to the Cloudera community

How are you assigning roles to users? I would like to understand why two roles are assigned to one user. I think what you are observing is the default behaviour; I am not sure how to override that.

Instead, you can use the following way

https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/security-ranger-user-management/topics/securi...

New Contributor

Hi @upadhyayk04,

I'm assigning the roles through this -
<property>
<name>ranger.usersync.group.based.role.assignment.rules</name>
<value>ROLE_SYS_ADMIN:g:ranger_admin_group&amp;ROLE_ADMIN_AUDITOR:g:ranger_support_group</value>
</property>

A user would be part of the ranger_support group day-to-day, but when a change to a policy is required they would get added to the ranger_admin group. As it stands, they would then need to get themselves taken out of the support group in order to get the admin access to make the change, and then be added back in after.

Is this the expected behaviour?

Master Collaborator

Hello Adam,

Thank you for reaching back

The ideal behaviour is below

A user can have only one role, and that role is determined by the last role assigned, depending in part on group membership.

For example, if the role assignment rules are configured as follows:

ROLE_SYS_ADMIN:u:User1, User2&ROLE_SYS_ADMIN:g:Group1, Group2&ROLE_AUDITOR:g:Group3, Group4&ROLE_USER:g:Group5

and if a user belongs to Group1 & Group5, then the role assigned to that user is ROLE_USER.

Similarly, if a user belongs to Group2 & Group3, then the role assigned to that user is ROLE_AUDITOR.

If the user does not belong to any of these groups (Group1, Group2, Group3, Group4, or Group5), then the default role assigned to the user is ROLE_USER.

If the user belongs to only Group1, then the role assigned to the user is ROLE_SYS_ADMIN.
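A small model of the rule evaluation described in this reply, added here as an illustration (it is not Ranger's usersync code, and it assumes the "last matching rule wins, default ROLE_USER" semantics the reply states). It parses the property from the question, shows why a member of both groups ends up as ROLE_ADMIN_AUDITOR, and shows what the same two rules give when the admin rule is placed last; user "adam" and the group membership are constructed.

```python
"""Model of Ranger usersync role-assignment rules. Assumption: this reproduces the
"last matching rule wins, default ROLE_USER" behaviour the reply describes; it is an
added illustration, not Ranger's own usersync code."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

DEFAULT_ROLE = "ROLE_USER"

# Constructed copy of the property from the question (opening tag added).
PROPERTY_XML = """<property>
<name>ranger.usersync.group.based.role.assignment.rules</name>
<value>ROLE_SYS_ADMIN:g:ranger_admin_group&amp;ROLE_ADMIN_AUDITOR:g:ranger_support_group</value>
</property>"""


def rules_from_property(xml_text: str) -> str:
    """Extract the rule string; the XML parser turns '&amp;' back into '&'."""
    return ET.fromstring(xml_text).findtext("value", default="")


def parse_rules(rules: str) -> List[Tuple[str, str, List[str]]]:
    """'ROLE:u:a, b&ROLE:g:c' -> [(role, 'u'|'g', [names]), ...] in file order."""
    parsed = []
    for rule in rules.split("&"):
        if not rule.strip():
            continue
        role, kind, names = (part.strip() for part in rule.split(":", 2))
        if kind not in ("u", "g"):
            raise ValueError(f"unknown rule kind {kind!r} in {rule!r}")
        parsed.append((role, kind, [n.strip() for n in names.split(",") if n.strip()]))
    return parsed


def resolve_role(rules: str, user: str, groups: List[str]) -> str:
    """Role for one user: each matching rule overwrites the one before it."""
    role = DEFAULT_ROLE
    for rule_role, kind, names in parse_rules(rules):
        subjects = [user] if kind == "u" else groups
        if any(s in names for s in subjects):
            role = rule_role  # later rule wins, which is what the question observes
    return role


if __name__ == "__main__":
    rules = rules_from_property(PROPERTY_XML)
    both = ["ranger_admin_group", "ranger_support_group"]
    print(resolve_role(rules, "adam", both))        # ROLE_ADMIN_AUDITOR: auditor rule is last
    swapped = "&".join(reversed(rules.split("&")))  # same rules, admin rule last
    print(resolve_role(swapped, "adam", both))      # ROLE_SYS_ADMIN under this model
```

Before reordering a rule string in a real deployment, run resolve_role over the current group membership to see who would gain or lose admin, and confirm the result against the roles Ranger actually assigns, since the model only reflects what the reply describes.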