Many organizations are interested in deploying role-based access control (RBAC) or attribute-based access control (ABAC) as their approach to access management. RBAC works well when groups of users require similar data and resource access, allowing policies to be established for access to a collection of data resources and platform resources. ABAC works well in cases where characteristics of the data align well with access permissions to be granted to the users. But what if the organization wants to use both approaches? What about the potential explosion in the number of groups? Who does the manual creation and maintenance of policies in Ranger, while others manually maintain the groups and membership in your directory service with access by Lightweight Directory Access Protocol (LDAP)?

The Group Distillery & Sync module of Daedalus is designed specifically to enable LDAP-driven access management. The module reads all the groups and users from LDAP and implements the CDP resources plus IAM or Ranger policies for data access control. As groups are changed, removed, or added the module automatically revises the underlying policies. As users move between groups, are newly added, or even deleted in LDAP, those changes are quickly reflected in the CDP platform.

Cloudera CDP uses a number of AWS services, including EC2, EKS, VPC, and RDS. The fine grain access control uses advanced features of the AWS S3 service.