confluentinc · Varun PV (varunpv) · Jun 1, 2026 · Jun 1, 2026
@@ -363,6 +363,7 @@ var vocabWords = []string{
 	"uri",
 	"url",
 	"us",
+	"usm",
 	"v2",
 	"vertexai",
 	"vnet",

@@ -24,17 +24,19 @@
 )
 
 const (
-	httpStatusCodeErrorMsg         = "no error but received HTTP status code %d"
-	httpStatusCodeSuggestions      = "Please file a support ticket with details."
-	invalidResourceTypeErrorMsg    = `invalid resource type "%s"`
-	invalidResourceTypeSuggestions = "The available resource types are %s."
-	lookUpRoleSuggestions          = "To check for valid roles, use `confluent iam rbac role list`."
-	principalFormatErrorMsg        = "incorrect principal format specified"
-	principalFormatSuggestions     = "Principal must be specified in this format: \"<Principal Type>:<Principal Name>\".\nFor example, \"User:u-xxxxxx\" or \"User:sa-xxxxxx\"."
-	resourceFormatErrorMsg         = "incorrect resource format specified"
-	resourceFormatSuggestions      = "Resource must be specified in this format: `<Resource Type>:<Resource Name>`."
-	specifyCloudClusterErrorMsg    = "must specify `--cloud-cluster` to indicate role binding scope"
-	specifyEnvironmentErrorMsg     = "must specify `--environment` to indicate role binding scope"
+	httpStatusCodeErrorMsg           = "no error but received HTTP status code %d"
+	httpStatusCodeSuggestions        = "Please file a support ticket with details."
+	invalidResourceTypeErrorMsg      = `invalid resource type "%s"`
+	invalidResourceTypeSuggestions   = "The available resource types are %s."
+	lookUpRoleSuggestions            = "To check for valid roles, use `confluent iam rbac role list`."
+	principalFormatErrorMsg          = "incorrect principal format specified"
+	principalFormatSuggestions       = "Principal must be specified in this format: \"<Principal Type>:<Principal Name>\".\nFor example, \"User:u-xxxxxx\" or \"User:sa-xxxxxx\"."
+	resourceFormatErrorMsg           = "incorrect resource format specified"
+	resourceFormatSuggestions        = "Resource must be specified in this format: `<Resource Type>:<Resource Name>`."
+	specifyCloudClusterErrorMsg      = "must specify `--cloud-cluster` to indicate role binding scope"
+	specifyEnvironmentErrorMsg       = "must specify `--environment` to indicate role binding scope"
+	specifyUsmKafkaClusterErrorMsg   = "must specify `--usm-kafka-cluster` to indicate role binding scope"
+	specifyUsmConnectClusterErrorMsg = "must specify `--usm-connect-cluster` to indicate role binding scope"
 )
 
 var (
@@ -53,6 +55,11 @@
 	clusterScopedRolesV2   = types.NewSet("CloudClusterAdmin")
 	environmentScopedRoles = types.NewSet("EnvironmentAdmin")
 
+	// USM cluster-scoped roles bind at the "usm-kafka-cluster" or "usm-connect-cluster" scope,
+	// as siblings to "cloud-cluster" under "environment". The role name (not display name) is used.
+	usmKafkaClusterScopedRoles   = types.NewSet("UsmKafkaClusterAdmin", "UsmKafkaOperator", "UsmKafkaMetricsViewer")
+	usmConnectClusterScopedRoles = types.NewSet("UsmConnectClusterAdmin", "UsmConnectOperator", "UsmConnectMetricsViewer")
+
 	literalPatternType  = "LITERAL"
 	prefixedPatternType = "PREFIXED"
 )
@@ -180,12 +187,14 @@
 func addClusterFlags(cmd *cobra.Command, cfg *config.Config, cliCommand *pcmd.CLICommand) {
 	if cfg.IsCloudLogin() {
 		cmd.Flags().String("environment", "", "Environment ID for scope of role-binding operation.")
 		cmd.Flags().Bool("current-environment", false, "Use current environment ID for scope.")
 		cmd.Flags().String("cloud-cluster", "", "Cloud cluster ID for the role binding.")
 		cmd.Flags().String("kafka-cluster", "", "Kafka cluster ID for the role binding.")
 		cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID for the role binding.")
 		cmd.Flags().String("ksql-cluster", "", "ksqlDB cluster name for the role binding.")
 		cmd.Flags().String("flink-region", "", `Flink region for the role binding, formatted as "cloud.region".`)
+		cmd.Flags().String("usm-kafka-cluster", "", "USM Kafka cluster ID for the role binding.")
+		cmd.Flags().String("usm-connect-cluster", "", "USM Connect cluster ID for the role binding.")
 	} else {
 		cmd.Flags().String("kafka-cluster", "", "Kafka cluster ID for the role binding.")
 		cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID for the role binding.")
@@ -569,7 +578,7 @@
 	}, nil
 }

 func (c *roleBindingCommand) parseV2BaseCrnPattern(cmd *cobra.Command) (string, error) {
 	crnPattern := "crn://confluent.cloud/organization=" + c.Context.GetCurrentOrganization()

 	if cmd.Flags().Changed("current-environment") {
@@ -626,6 +635,22 @@
 		crnPattern += "/flink-region=" + flinkRegion
 	}
 
+	if cmd.Flags().Changed("usm-kafka-cluster") {
+		usmKafkaCluster, err := cmd.Flags().GetString("usm-kafka-cluster")
+		if err != nil {
+			return "", err
+		}
+		crnPattern += "/usm-kafka-cluster=" + usmKafkaCluster
+	}
+
+	if cmd.Flags().Changed("usm-connect-cluster") {
+		usmConnectCluster, err := cmd.Flags().GetString("usm-connect-cluster")
+		if err != nil {
+			return "", err
+		}
+		crnPattern += "/usm-connect-cluster=" + usmConnectCluster
+	}
+
 	if cmd.Flags().Changed("role") {
 		role, err := cmd.Flags().GetString("role")
 		if err != nil {
@@ -634,12 +659,18 @@
 		if clusterScopedRolesV2.Contains(role) && !cmd.Flags().Changed("cloud-cluster") {
 			return "", errors.New(specifyCloudClusterErrorMsg)
 		}
-		if (environmentScopedRoles[role] || clusterScopedRolesV2.Contains(role)) && !cmd.Flags().Changed("current-environment") && !cmd.Flags().Changed("environment") {
+		if usmKafkaClusterScopedRoles.Contains(role) && !cmd.Flags().Changed("usm-kafka-cluster") {
+			return "", errors.New(specifyUsmKafkaClusterErrorMsg)
+		}
+		if usmConnectClusterScopedRoles.Contains(role) && !cmd.Flags().Changed("usm-connect-cluster") {
+			return "", errors.New(specifyUsmConnectClusterErrorMsg)
+		}
+		if (environmentScopedRoles[role] || clusterScopedRolesV2.Contains(role) || usmKafkaClusterScopedRoles.Contains(role) || usmConnectClusterScopedRoles.Contains(role)) && !cmd.Flags().Changed("current-environment") && !cmd.Flags().Changed("environment") {
 			return "", errors.New(specifyEnvironmentErrorMsg)
 		}
 	}
 
-	if cmd.Flags().Changed("cloud-cluster") && !cmd.Flags().Changed("current-environment") && !cmd.Flags().Changed("environment") {
+	if (cmd.Flags().Changed("cloud-cluster") || cmd.Flags().Changed("usm-kafka-cluster") || cmd.Flags().Changed("usm-connect-cluster")) && !cmd.Flags().Changed("current-environment") && !cmd.Flags().Changed("environment") {
 		return "", errors.New(specifyEnvironmentErrorMsg)
 	}
 	return crnPattern, nil

@@ -63,6 +63,14 @@ func (c *roleBindingCommand) newCreateCommand() *cobra.Command {
 				Text: `Grant the "FlinkDeveloper" scoped to Flink compute pool "lfcp-123456" in AWS us-east-1 to principal "User:u-123456":`,
 				Code: "confluent iam rbac role-binding create --principal User:u-123456 --role FlinkDeveloper --environment env-123456 --flink-region aws.us-east-1 --resource ComputePool:lfcp-123456",
 			},
+			examples.Example{
+				Text: `Grant the role "UsmKafkaClusterAdmin" to the principal "User:u-123456" for the USM Kafka cluster "usmkc-123456" in the environment "env-123456":`,
+				Code: "confluent iam rbac role-binding create --principal User:u-123456 --role UsmKafkaClusterAdmin --environment env-123456 --usm-kafka-cluster usmkc-123456",
+			},
+			examples.Example{
+				Text: `Grant the role "UsmConnectClusterAdmin" to the principal "User:u-123456" for the USM Connect cluster "usmcc-123456" in the environment "env-123456":`,
+				Code: "confluent iam rbac role-binding create --principal User:u-123456 --role UsmConnectClusterAdmin --environment env-123456 --usm-connect-cluster usmcc-123456",
+			},
 		)
 	} else {
 		exs = append(exs,

@@ -31,6 +31,10 @@ func (c *roleBindingCommand) newDeleteCommand() *cobra.Command {
 				Text: `Delete the role "ResourceOwner" for the resource "Topic:my-topic" on the Kafka cluster "lkc-123456":`,
 				Code: "confluent iam rbac role-binding delete --principal User:u-123456 --role ResourceOwner --environment env-123456 --kafka-cluster lkc-123456 --resource Topic:my-topic",
 			},
+			examples.Example{
+				Text: `Delete the role "UsmKafkaClusterAdmin" for the principal "User:u-123456" on the USM Kafka cluster "usmkc-123456" in the environment "env-123456":`,
+				Code: "confluent iam rbac role-binding delete --principal User:u-123456 --role UsmKafkaClusterAdmin --environment env-123456 --usm-kafka-cluster usmkc-123456",
+			},
 		)
 	} else {
 		cmd.Example = examples.BuildExampleString(

@@ -54,6 +54,10 @@ func (c *roleBindingCommand) newListCommand() *cobra.Command {
 				Text: `List the role bindings for user "u-123456" with role "CloudClusterAdmin":`,
 				Code: "confluent iam rbac role-binding list --principal User:u-123456 --role CloudClusterAdmin --environment env-123456 --cloud-cluster lkc-123456",
 			},
+			examples.Example{
+				Text: `List the role bindings for user "u-123456" with role "UsmKafkaClusterAdmin" for the USM Kafka cluster "usmkc-123456":`,
+				Code: "confluent iam rbac role-binding list --principal User:u-123456 --role UsmKafkaClusterAdmin --environment env-123456 --usm-kafka-cluster usmkc-123456",
+			},
 			examples.Example{
 				Text: `List the role bindings for user "u-123456" for all scopes:`,
 				Code: "confluent iam rbac role-binding list --principal User:u-123456 --inclusive",
@@ -100,6 +104,8 @@ func (c *roleBindingCommand) newListCommand() *cobra.Command {
 		cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID, which specifies the Schema Registry cluster scope.")
 		cmd.Flags().String("ksql-cluster", "", "ksqlDB cluster name, which specifies the ksqlDB cluster scope.")
 		cmd.Flags().String("flink-region", "", `Flink region for the role binding, formatted as "cloud.region".`)
+		cmd.Flags().String("usm-kafka-cluster", "", "USM Kafka cluster ID, which specifies the USM Kafka cluster scope.")
+		cmd.Flags().String("usm-connect-cluster", "", "USM Connect cluster ID, which specifies the USM Connect cluster scope.")
 	} else {
 		cmd.Flags().String("kafka-cluster", "", "Kafka cluster ID, which specifies the Kafka cluster scope.")
 		cmd.Flags().String("schema-registry-cluster", "", "Schema Registry cluster ID, which specifies the Schema Registry cluster scope.")
@@ -424,6 +430,12 @@ func (c *roleBindingCommand) listMyRoleBindings(cmd *cobra.Command, listRoleBind
 				envName = content
 			case "cloud-cluster":
 				cloudClusterName = content
+			case "usm-kafka-cluster":
+				clusterType = "USM Kafka"
+				logicalCluster = content
+			case "usm-connect-cluster":
+				clusterType = "USM Connect"
+				logicalCluster = content
 			case "ksql":
 				clusterType = "ksqlDB"
 				logicalCluster = content

@@ -3,7 +3,11 @@
 import (
 	"testing"
 
+	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/require"
+
+	pcmd "github.com/confluentinc/cli/v4/pkg/cmd"
+	"github.com/confluentinc/cli/v4/pkg/config"
 )
 
 func TestParseAndValidateResourcePattern_Prefixed(t *testing.T) {
@@ -35,3 +39,90 @@
 	_, err := parseAndValidateResourcePattern("string with no colon", true)
 	require.Error(t, err)
 }
+
+// newRoleBindingTestCommand returns a roleBindingCommand with a minimal context that only
+// supplies the current organization, which is all parseV2BaseCrnPattern reads from context.
+func newRoleBindingTestCommand() *roleBindingCommand {
+	return &roleBindingCommand{
+		AuthenticatedCLICommand: &pcmd.AuthenticatedCLICommand{
+			Context: &config.Context{LastOrgId: "abc-123"},
+		},
+	}
+}
+
+// newCloudRoleBindingFlagSet registers the cloud scope flags that parseV2BaseCrnPattern reads.
+func newCloudRoleBindingFlagSet() *cobra.Command {
+	cmd := &cobra.Command{}
+	cmd.Flags().String("role", "", "")
+	cmd.Flags().String("environment", "", "")
+	cmd.Flags().Bool("current-environment", false, "")
+	cmd.Flags().String("cloud-cluster", "", "")
+	cmd.Flags().String("schema-registry-cluster", "", "")
+	cmd.Flags().String("ksql-cluster", "", "")
+	cmd.Flags().String("kafka-cluster", "", "")
+	cmd.Flags().String("flink-region", "", "")
+	cmd.Flags().String("usm-kafka-cluster", "", "")
+	cmd.Flags().String("usm-connect-cluster", "", "")
+	return cmd
+}
+
+func TestParseV2BaseCrnPattern_UsmKafkaCluster(t *testing.T) {
+	cmd := newCloudRoleBindingFlagSet()
+	require.NoError(t, cmd.Flags().Set("role", "UsmKafkaClusterAdmin"))
+	require.NoError(t, cmd.Flags().Set("environment", "env-596"))
+	require.NoError(t, cmd.Flags().Set("usm-kafka-cluster", "usmkc-123456"))
+
+	crnPattern, err := newRoleBindingTestCommand().parseV2BaseCrnPattern(cmd)
+	require.NoError(t, err)
+	require.Equal(t, "crn://confluent.cloud/organization=abc-123/environment=env-596/usm-kafka-cluster=usmkc-123456", crnPattern)
+}
+
+func TestParseV2BaseCrnPattern_UsmConnectCluster(t *testing.T) {
+	cmd := newCloudRoleBindingFlagSet()
+	require.NoError(t, cmd.Flags().Set("role", "UsmConnectClusterAdmin"))
+	require.NoError(t, cmd.Flags().Set("environment", "env-596"))
+	require.NoError(t, cmd.Flags().Set("usm-connect-cluster", "usmcc-123456"))
+
+	crnPattern, err := newRoleBindingTestCommand().parseV2BaseCrnPattern(cmd)
+	require.NoError(t, err)
+	require.Equal(t, "crn://confluent.cloud/organization=abc-123/environment=env-596/usm-connect-cluster=usmcc-123456", crnPattern)
+}
+
+func TestParseV2BaseCrnPattern_UsmKafkaRolesRequireClusterFlag(t *testing.T) {
+	for _, role := range []string{"UsmKafkaClusterAdmin", "UsmKafkaOperator", "UsmKafkaMetricsViewer"} {
+		cmd := newCloudRoleBindingFlagSet()
+		require.NoError(t, cmd.Flags().Set("role", role))
+		require.NoError(t, cmd.Flags().Set("environment", "env-596"))
+
+		_, err := newRoleBindingTestCommand().parseV2BaseCrnPattern(cmd)
+		require.EqualError(t, err, specifyUsmKafkaClusterErrorMsg, "role %q must require --usm-kafka-cluster", role)
+	}
+}
+
+func TestParseV2BaseCrnPattern_UsmConnectRolesRequireClusterFlag(t *testing.T) {
+	for _, role := range []string{"UsmConnectClusterAdmin", "UsmConnectOperator", "UsmConnectMetricsViewer"} {
+		cmd := newCloudRoleBindingFlagSet()
+		require.NoError(t, cmd.Flags().Set("role", role))
+		require.NoError(t, cmd.Flags().Set("environment", "env-596"))
+
+		_, err := newRoleBindingTestCommand().parseV2BaseCrnPattern(cmd)
+		require.EqualError(t, err, specifyUsmConnectClusterErrorMsg, "role %q must require --usm-connect-cluster", role)
+	}
+}
+
+func TestParseV2BaseCrnPattern_UsmRoleRequiresEnvironment(t *testing.T) {
+	cmd := newCloudRoleBindingFlagSet()
+	require.NoError(t, cmd.Flags().Set("role", "UsmKafkaClusterAdmin"))
+	require.NoError(t, cmd.Flags().Set("usm-kafka-cluster", "usmkc-123456"))
+
+	_, err := newRoleBindingTestCommand().parseV2BaseCrnPattern(cmd)
+	require.EqualError(t, err, specifyEnvironmentErrorMsg)
+}
+
+func TestParseV2BaseCrnPattern_UsmClusterFlagRequiresEnvironment(t *testing.T) {
+	cmd := newCloudRoleBindingFlagSet()
+	require.NoError(t, cmd.Flags().Set("usm-connect-cluster", "usmcc-123456"))
+
+	_, err := newRoleBindingTestCommand().parseV2BaseCrnPattern(cmd)
+	require.EqualError(t, err, specifyEnvironmentErrorMsg)
+}
@@ -44,6 +44,14 @@ Grant the "FlinkDeveloper" scoped to Flink compute pool "lfcp-123456" in AWS us-
 
   $ confluent iam rbac role-binding create --principal User:u-123456 --role FlinkDeveloper --environment env-123456 --flink-region aws.us-east-1 --resource ComputePool:lfcp-123456
 
+Grant the role "UsmKafkaClusterAdmin" to the principal "User:u-123456" for the USM Kafka cluster "usmkc-123456" in the environment "env-123456":
+
+  $ confluent iam rbac role-binding create --principal User:u-123456 --role UsmKafkaClusterAdmin --environment env-123456 --usm-kafka-cluster usmkc-123456
+
+Grant the role "UsmConnectClusterAdmin" to the principal "User:u-123456" for the USM Connect cluster "usmcc-123456" in the environment "env-123456":
+
+  $ confluent iam rbac role-binding create --principal User:u-123456 --role UsmConnectClusterAdmin --environment env-123456 --usm-connect-cluster usmcc-123456
+
 Flags:
       --role string                      REQUIRED: Role name of the new role binding.
       --principal string                 REQUIRED: Principal type and identifier using "Prefix:ID" format.
@@ -54,6 +62,8 @@ Flags:
       --schema-registry-cluster string   Schema Registry cluster ID for the role binding.
       --ksql-cluster string              ksqlDB cluster name for the role binding.
       --flink-region string              Flink region for the role binding, formatted as "cloud.region".
+      --usm-kafka-cluster string         USM Kafka cluster ID for the role binding.
+      --usm-connect-cluster string       USM Connect cluster ID for the role binding.
       --resource string                  Resource type and identifier using "Prefix:ID" format.
       --prefix                           Whether the provided resource name is treated as a prefix pattern.
   -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

@@ -0,0 +1,5 @@
++-----------+------------------------+
+| Principal | User:u-11aaa           |
+| Email     | u-11aaa@confluent.io   |
+| Role      | UsmConnectClusterAdmin |
++-----------+------------------------+
@@ -0,0 +1,5 @@
++-----------+----------------------+
+| Principal | User:u-11aaa         |
+| Email     | u-11aaa@confluent.io |
+| Role      | UsmKafkaClusterAdmin |
++-----------+----------------------+
@@ -8,6 +8,10 @@ Delete the role "ResourceOwner" for the resource "Topic:my-topic" on the Kafka c
 
   $ confluent iam rbac role-binding delete --principal User:u-123456 --role ResourceOwner --environment env-123456 --kafka-cluster lkc-123456 --resource Topic:my-topic
 
+Delete the role "UsmKafkaClusterAdmin" for the principal "User:u-123456" on the USM Kafka cluster "usmkc-123456" in the environment "env-123456":
+
+  $ confluent iam rbac role-binding delete --principal User:u-123456 --role UsmKafkaClusterAdmin --environment env-123456 --usm-kafka-cluster usmkc-123456
+
 Flags:
       --role string                      REQUIRED: Role name of the existing role binding.
       --principal string                 REQUIRED: Principal type and identifier using "Prefix:ID" format.
@@ -19,6 +23,8 @@ Flags:
       --schema-registry-cluster string   Schema Registry cluster ID for the role binding.
       --ksql-cluster string              ksqlDB cluster name for the role binding.
       --flink-region string              Flink region for the role binding, formatted as "cloud.region".
+      --usm-kafka-cluster string         USM Kafka cluster ID for the role binding.
+      --usm-connect-cluster string       USM Connect cluster ID for the role binding.
       --resource string                  Resource type and identifier using "Prefix:ID" format.
       --prefix                           Whether the provided resource name is treated as a prefix pattern.
   -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

@@ -7,6 +7,10 @@ Delete the role "ResourceOwner" for the resource "Topic:my-topic" on the Kafka c
 
   $ confluent iam rbac role-binding delete --principal User:u-123456 --role ResourceOwner --environment env-123456 --kafka-cluster lkc-123456 --resource Topic:my-topic
 
+Delete the role "UsmKafkaClusterAdmin" for the principal "User:u-123456" on the USM Kafka cluster "usmkc-123456" in the environment "env-123456":
+
+  $ confluent iam rbac role-binding delete --principal User:u-123456 --role UsmKafkaClusterAdmin --environment env-123456 --usm-kafka-cluster usmkc-123456
+
 Flags:
       --role string                      REQUIRED: Role name of the existing role binding.
       --principal string                 REQUIRED: Principal type and identifier using "Prefix:ID" format.
@@ -18,6 +22,8 @@ Flags:
       --schema-registry-cluster string   Schema Registry cluster ID for the role binding.
       --ksql-cluster string              ksqlDB cluster name for the role binding.
       --flink-region string              Flink region for the role binding, formatted as "cloud.region".
+      --usm-kafka-cluster string         USM Kafka cluster ID for the role binding.
+      --usm-connect-cluster string       USM Connect cluster ID for the role binding.
       --resource string                  Resource type and identifier using "Prefix:ID" format.
       --prefix                           Whether the provided resource name is treated as a prefix pattern.
   -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

@@ -0,0 +1,6 @@
++-----------+----------------------+
+| ID        | rb-88hhh             |
+| Principal | User:u-11aaa         |
+| Email     | u-11aaa@confluent.io |
+| Role      | UsmKafkaClusterAdmin |
++-----------+----------------------+
-Original file line number
+Diff line change
@@ Expand Up / @@ -363,6 +363,7 @@ var vocabWords = []string{ @@
     	"uri",
     	"url",
     	"us",
+    	"usm",
     	"v2",
     	"vertexai",
     	"vnet",
@@ Expand Down @@