Wade Waldron

Staff Software Practice Lead



Security is arguably the most important aspect of Data Governance. A breach can have far-reaching effects. It's so important that we've built entire courses just to cover security. However, there are a few details specific to Stream Governance that you should be aware of. In this video, we'll introduce you to the specific roles in Confluent Cloud that can be used to control access to your Stream Governance tools and data.


  • Role-Based Access Control (RBAC)
  • Principle of Least Privilege
  • Stream Governance and RBAC



Stream Security

Security is a critical aspect of data governance. A breach in our security can have far-reaching effects. It can result in extended downtime, loss of customer trust, and even outside interventions from regulators. All of these can have a significant impact on our bottom line. In fact, security is so critical that we created an entire course on it that steps into other parts of Confluent's platform. As a result, we won't go into extensive detail here. Instead, we'll be discussing some of the specific details that relate to Confluent's Stream Governance. If you want additional details on Confluent Cloud Security, please check out our other course.

The Stream Governance features in Confluent Cloud are protected by Role-Based Access Control, or RBAC. It allows us to customize user access based on specific roles assigned to that user. For example, someone in the role of Administrator will have very different access needs compared to a developer working on a single microservice. As a result, we'd assign different roles to each user to restrict what they have access to.

When assigning roles to users, it's always good to think about the principle of least privilege. This principle states that you should only grant access to the feature a user needs to perform their duties. Anything beyond that is creating a security risk. In the hands-on exercises, we've been operating with the OrganizationAdmin role. This is a far more powerful role than we would want to give to most users. It works for us in this limited educational environment because we want to learn all of the features, but we would want to be more restrictive in a production system.

Each role defined in Confluent Cloud will have different access to the various data governance features, depending on what that role might require. For example, a user with the DeveloperRead role would be able to see the tags on a schema but wouldn't be able to modify them. To modify the tags, they would need the DeveloperWrite role. These roles can be scoped to individual topics, connectors, schemas, et cetera, which allows a high degree of customization.

The DataDiscovery and DataSteward roles are of particular interest for Stream Governance. These roles are designed for users who need the kind of access we've been discussing in this course. The DataDiscovery role is for users who need the discoverability provided by tools such as the Stream Catalog. The DataSteward role is for users who need to actively manage the data streams. For a detailed look at each of the roles and what permissions they have, make sure to check out the Confluent Cloud documentation.

If you aren't already on Confluent Developer, head there now using the link in the video description to access the rest of this course and its hands-on exercises.
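
The least-privilege reasoning above can be turned into a periodic review of role bindings. The following is an added example, not code from the course or from Confluent: the record layout, principals, resource strings and the `view_tags`/`modify_tags` labels are constructed for illustration, and only the tag capabilities the lesson states for DeveloperRead and DeveloperWrite are modelled.

```python
# Added example: least-privilege review of role bindings (not Confluent code).
# Constructed sample data; the record layout, principals and resource strings
# are illustrative and are not the output format of any Confluent tool.
BINDINGS = [
    {"principal": "User:alice", "role": "OrganizationAdmin", "resource": "*"},
    {"principal": "User:bob", "role": "DeveloperWrite", "resource": "Subject:orders-value"},
    {"principal": "User:carol", "role": "DeveloperRead", "resource": "Subject:orders-value"},
    {"principal": "User:dave", "role": "DeveloperWrite", "resource": "*"},
]
# What each user has to do with schema tags (constructed).
NEEDS = {"User:alice": "view_tags", "User:bob": "modify_tags",
         "User:carol": "modify_tags", "User:dave": "modify_tags"}

# Tag capabilities as the lesson states them; that DeveloperWrite also covers
# viewing is an assumption of this example.
GRANTS = {"DeveloperRead": {"view_tags"},
          "DeveloperWrite": {"view_tags", "modify_tags"}}


def least_role(need):
    """Return the role with the fewest capabilities that still covers `need`."""
    fits = [role for role, caps in GRANTS.items() if need in caps]
    return min(fits, key=lambda role: len(GRANTS[role])) if fits else None


def review(bindings, needs, approved_admins=frozenset()):
    """Return (principal, finding, advice) tuples for bindings that break least privilege."""
    findings = []
    for b in bindings:
        who, role, res = b["principal"], b["role"], b["resource"]
        target = least_role(needs.get(who))
        if target is None:
            findings.append((who, "undocumented-need", f"justify or remove {role}"))
        elif role == "OrganizationAdmin":
            if who not in approved_admins:
                findings.append((who, "over-privileged", f"replace {role} with {target}"))
        elif role not in GRANTS:
            findings.append((who, "unmodelled-role", f"review {role} by hand"))
        elif needs[who] not in GRANTS[role]:
            findings.append((who, "under-privileged", f"{role} is denied; grant {target}"))
        else:
            if target != role:
                findings.append((who, "over-privileged", f"replace {role} with {target}"))
            if res == "*":
                findings.append((who, "unscoped", f"bind {role} to a named resource"))
    return findings


if __name__ == "__main__":
    for finding in review(BINDINGS, NEEDS):
        print(*finding, sep=" | ")
```

On the constructed data this reports the OrganizationAdmin binding held by a user who only views tags, the DeveloperRead user who needs to modify them, and the DeveloperWrite binding that is not scoped to a named resource.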