> ## Documentation Index
> Fetch the complete documentation index at: https://docs.conduktor.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Kafka RBAC — role-based access control

> Set up Kafka RBAC in Conduktor Console to control access to topics, consumer groups, and resources.

The Conduktor RBAC (Role Based Access Control) system enables you to restrict access to resources and enforce permissions at **User** and **Group** granularity. This is a critical step in ensuring that you have control over your Apache Kafka data.

With Conduktor RBAC, you can:

* configure access to Conduktor services
* configure global permissions across **multiple clusters**
* administer permissions for Kafka resources (topics, consumer groups, clusters, subjects, connectors)

## Assign permissions

You can assign two types of permissions:

* [services](#manage-services-permissions): view/manage Console services
* [resources](#manage-resources-permissions): interact with Kafka resources

And you can assign those permissions to **users** or **groups**.

To assign user/group permissions, open Console and go to **Settings** > **Users** or **Groups**, as required. Click **...** next to the user/group you want to modify. Here's an example for a user:

<img src="https://mintcdn.com/conduktor/QbWqOoz71x3C-Q82/images/assign-permissions.png?fit=max&auto=format&n=QbWqOoz71x3C-Q82&q=85&s=16f0544b5914c8634b819e632b8f4c8f" alt="Assign user permissions" width="2966" height="1438" data-path="images/assign-permissions.png" />

<Info>
  If a user belongs to multiple groups, they will **inherit all the permissions** assigned to these groups. If they have restricted access to a topic but belong to a group that has full access, they will have full access to the topic.
</Info>

## Manage services permissions

You can restrict access to Conduktor Console services such as settings or left menu items (like certificates). For example, you may want to limit the number of users who can generate API keys. By default, you all users can:

* access data masking policies
* view Self-service

## Manage resources permissions

The RBAC model is very granular and allows you to customize the permissions to Kafka resources based on your requirements:

| Resource         | Permissions           |
| ---------------- | --------------------- |
| Topics           | View config           |
| Topics           | Consume               |
| Topics           | Produce               |
| Topics           | Create                |
| Topics           | Delete                |
| Topics           | Empty                 |
| Topics           | Add partitions        |
| Consumer groups  | Viewer                |
| Consumer groups  | Reset                 |
| Consumer groups  | Create                |
| Consumer groups  | Delete                |
| Subjects         | View                  |
| Subjects         | Edit compatibility    |
| Subjects         | Create / Update       |
| Subjects         | Delete                |
| Kafka connectors | View task and status  |
| Kafka connectors | View config           |
| Kafka connectors | Edit config           |
| Kafka connectors | Deploy                |
| Kafka connectors | Delete                |
| Kafka connectors | Restart               |
| Kafka connectors | Pause / Resume        |
| Clusters         | View ACL              |
| Clusters         | Manage ACL            |
| Clusters         | View broker           |
| Clusters         | Edit broker           |
| Clusters         | Edit SR compatibility |

All these permissions can be applied on one specific cluster, or all your clusters.

## Prefixes

When you define a permission, you might want it to be applied to:

* a specific topic, by typing `my-topic` for instance
* all the topics, by using a wildcard `*`
* a subset that starts with a certain prefix, by typing `my-prefix-*`

Here's an example of those three cases in Console:

<img src="https://mintcdn.com/conduktor/23R4f9CHmZAh-xV6/images/prefixes-example.png?fit=max&auto=format&n=23R4f9CHmZAh-xV6&q=85&s=0ded563f60c86cc099a08433f43294f6" alt="Prefixes examples" width="2432" height="816" data-path="images/prefixes-example.png" />

## Quick select

To save time during the permissions creation, you can use the `Quick select` to give a default set of permissions or set this up using the CLI, API or Terraform.

<img src="https://mintcdn.com/conduktor/23R4f9CHmZAh-xV6/images/quick-select.png?fit=max&auto=format&n=23R4f9CHmZAh-xV6&q=85&s=9e31c0f3a18224fa94be8ebbce375b9f" alt="Quick select" width="2456" height="1042" data-path="images/quick-select.png" />

## User permissions example

Here's an example of a set of permissions given to Alice:

<img src="https://mintcdn.com/conduktor/QbWqOoz71x3C-Q82/images/alice-example.png?fit=max&auto=format&n=QbWqOoz71x3C-Q82&q=85&s=ee0fb92661ef8d1df913fc1c5aeefc24" alt="Alice example" width="1525" height="796" data-path="images/alice-example.png" />

We can see that this is a recap of all the permissions this user has. In grey, we have the permissions Alice inherits from the group `Project A`, from the application `support-for-tracker` and in white the ones that are assigned to her directly.

This set of permissions gives her:

* Full access to the topic `alice-private-topic` on the cluster `test`
* Full access on all topics, that start with the prefix `app-a-`, across all clusters and that she inherits this from the group `Project A`
* Partial access to the topic `tracker-click-1` and `tracker-click-2` on the cluster `Cluster-A` and that she inherits this from the application `support-for-tracker`

## Related resources

* [Map external groups](/guide/conduktor-in-production/admin/user-access/map-external-groups)
* [Configure SSO](/guide/conduktor-in-production/admin/user-access/configure-sso)
* [Create data masking policies](/guide/conduktor-in-production/admin/data-masking)
* [Give us feedback/request a feature](https://conduktor.io/roadmap) <Icon icon="up-right-from-square" />
