Access to resources and functionality in Tamr Cloud is determined by the combination of a user’s:

• Tenant role. This role determines the functionality and resources a user can access by default.
• Project roles. These roles determine the functionality and resources a user can access and manage within a specific project. A user’s tenant role determines their default (inherited) roles in all projects. Users can be granted additional roles for specific projects.
• Data product roles. These roles determine the actions a user can perform on a specific data product. A user’s project role determines their default (inherited) roles in each data product. Users can be granted additional roles for specific data products.

Roles can be assigned to users individually, or assigned to user groups.

Applying Principle of Least Privilege for Users

Tamr Cloud roles enable you to follow the principle of least privilege in your tenant, ensuring that users have the minimum access necessary to perform their jobs. To do so:

1. Assign all non-admin users the "No Role" tenant role.
2. If the user should have access only to specific data products within a project, do not grant the user a project role. Instead, grant them them the appropriate role in the data products. The user can then see the project name in the Project menu, but can access only those data products.
3. If the user requires access to all resources in specific projects, assign that user a project role only in those projects.

See these topics for more information:

• Tenant User Roles
• Project Roles
• Data Product Roles
• Legacy Data Product Roles

Using Groups to Assign Roles

In Tamr Cloud, you can choose to organize users into groups. You can then assign tenant, project, and data product roles to individual users or to an entire groups. See Managing Groups for more information.