
Dag-Level Roles on Astro: Fine-Grained Access for Enterprise Airflow


As organizations scale their use of Apache Airflow, a common tension emerges: the more teams share a single deployment, the harder it becomes to control who can see, edit, or trigger specific Dags. Without fine-grained access controls, platform teams are left with two imperfect options: over-permission users and accept the risk, or spin up additional deployments just to enforce isolation. Both come with real costs.

Today, we’re excited to announce that Dag-level roles are now available on Astro, giving Enterprise customers the ability to control access to individual Dags within a shared deployment.

Why Dag-Level Access Control Matters

For data platform teams at mid-to-large enterprises, Airflow often serves as the backbone of business-critical operations: financial reporting, ML model training, customer-facing data products, and compliance workflows. These workloads frequently run side by side in shared deployments, and the teams responsible for them need different levels of access.

Consider a financial services company with a data engineering team managing ETL pipelines alongside a risk analytics team running regulatory models. Both teams use the same Airflow deployment for efficiency, but neither should have full visibility into or control over the other’s Dags. Until now, enforcing that boundary on Astro required workarounds: separate deployments, custom in-Dag permission logic that any author could override, or simply accepting the risk of over-permissioning.

Dag-level roles eliminate that tradeoff. Admins can now assign granular permissions, at the individual Dag or Dag tag level, to users, teams, and API tokens directly from the Astro UI or API. Only authorized Dags are visible to each user, and every permission change is captured in enterprise audit logs.

What You Can Do with Dag-Level Roles

Dag-level roles on Astro introduce two new built-in role types that align with Apache Airflow 3’s native permission model:

Dag Viewer grants read-only access to specified Dags, including their runs and task instances. This is ideal for stakeholders or downstream consumers who need visibility without the ability to modify or trigger workflows.

Dag Author includes everything in Dag Viewer plus the ability to edit, delete, and trigger Dags and their runs. This is designed for the engineers and analysts who actively own and operate specific pipelines.

Both roles can be scoped to individual Dag IDs or to sets of Dags using Dag tags, a capability that becomes especially important at scale. Instead of assigning permissions Dag by Dag, admins can tag related Dags (by team, domain, or environment) and assign access at the tag level. As new Dags are added with the appropriate tags, permissions apply automatically.

These roles work across users, teams, and API tokens, meaning you can enforce the same access policies for human users and programmatic workflows alike.

Built for Enterprise Governance

Dag-level roles on Astro aren’t just a surface-level feature bolted on top of open-source Airflow. Astro delivers a managed, control-plane-driven implementation that includes:

Multiple management surfaces. Dag-level roles can be managed through the Astro UI and the Astro API (v1) starting on day one, with CLI and Terraform support arriving shortly after. This means platform teams can codify their access policies and integrate them into existing infrastructure-as-code workflows.

Custom roles. In addition to the built-in Dag Viewer and Dag Author roles, admins can create custom Dag-level roles with specific permission sets tailored to their organization’s needs.

Enterprise audit logging. Every Dag-level permission change is logged and auditable, supporting compliance requirements across regulated industries like financial services, healthcare, and retail.

Tag-based scoping. Rather than managing access on a per-Dag basis, organizations can use Dag tags to group and scope permissions at scale. This is critical for teams managing hundreds or thousands of Dags.

Why We Built Dag-Level Access into the Control Plane

Both Amazon MWAA and Google Cloud Composer expose Airflow’s built-in RBAC system, which includes the ability to restrict users to specific Dags. MWAA supports this through manual configuration in the Airflow UI, while Cloud Composer offers a Per-folder Roles Registration feature that auto-creates roles based on your /dags folder structure. These capabilities can get the job done for smaller teams, but operationalizing them at scale typically means manual role management, workarounds for programmatic access, and permission models that live inside the Airflow metadata layer rather than your broader infrastructure toolchain.

For platform teams responsible for governing Airflow across multiple teams, the question isn’t whether Dag-level access is technically possible. It’s whether your permission model can scale consistently alongside the rest of your infrastructure. Astro moves Dag-level access into the control plane, so permissions are managed through the same UI, API, Terraform, and CLI workflows you already use for the rest of your Astro environment, not through a separate system inside the Airflow metadata layer.

Tag-based scoping is what makes this practical at enterprise scale:

  • Permissions that follow your organizational model. Tag Dags by team, domain, business unit, or environment, and assign access at the tag level. A “risk-analytics” tag can govern dozens of Dags with a single role assignment.
  • Dynamic access as Dags are created. When a new Dag is deployed with the appropriate tags, permissions apply automatically. No manual grants, no tickets, no drift.
  • Uniform enforcement across subjects. The same tag-based policies apply to users, teams, and API tokens, so human access and CI/CD-driven automation are governed by the same rules.
  • Auditable by default. Every permission change is captured in enterprise audit logs, giving compliance teams a single trail for who has access to what and when it changed.
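
To make the role and scoping rules described above concrete, here is an added example that is not Astro's code or API: a small Python model that resolves effective actions from grants scoped by Dag ID or tag. The subject naming, the team-membership inheritance, the action names, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Actions per built-in role, following the post's description of each role.
ROLE_ACTIONS = {
    "Dag Viewer": frozenset({"view"}),
    "Dag Author": frozenset({"view", "edit", "delete", "trigger"}),
}

@dataclass(frozen=True)
class Grant:
    subject: str      # "user:", "team:" or "token:" prefix (constructed naming)
    role: str
    scope_kind: str   # "dag_id" or "tag"
    scope_value: str

def allowed_actions(subject, dag_id, dags, grants, teams):
    """Union of actions from every grant covering the Dag; empty set means hidden."""
    # Assumption: a user also receives grants made to teams they belong to.
    principals = {subject} | {t for t, members in teams.items() if subject in members}
    tags = dags.get(dag_id, frozenset())
    actions = set()
    for g in grants:
        covered = (g.scope_kind == "dag_id" and g.scope_value == dag_id) or \
                  (g.scope_kind == "tag" and g.scope_value in tags)
        if g.subject in principals and covered:
            actions |= ROLE_ACTIONS.get(g.role, frozenset())  # unknown role: nothing
    return actions

def visible_dags(subject, dags, grants, teams):
    return sorted(d for d in dags if "view" in allowed_actions(subject, d, dags, grants, teams))

def cross_boundary_dags(dags, boundary_tags):
    """Review check: Dags with several boundary tags are reachable by each tag's grants."""
    return sorted(d for d, tags in dags.items() if len(tags & boundary_tags) > 1)

# Constructed sample data (not from the post or from Astro).
DAGS = {
    "etl_orders": frozenset({"data-eng"}),
    "etl_customers": frozenset({"data-eng"}),
    "var_model": frozenset({"risk-analytics"}),
    "shared_fx_rates": frozenset({"data-eng", "risk-analytics"}),
}
TEAMS = {"team:risk": {"user:ana"}}
GRANTS = [
    Grant("team:risk", "Dag Author", "tag", "risk-analytics"),
    Grant("user:ana", "Dag Viewer", "dag_id", "etl_orders"),
    Grant("token:ci-data-eng", "Dag Author", "tag", "data-eng"),
]
```

In this model, adding a Dag tagged `risk-analytics` gives `team:risk` author actions with no new grant, so a review of tag assignments belongs alongside a review of the grants themselves.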

Consolidate Deployments Without Compromising Security

One of the most immediate benefits of Dag-level roles is the ability to safely consolidate workloads into fewer deployments. Many enterprise customers today maintain separate deployments purely to enforce team boundaries, not because the workloads require separate infrastructure. This adds operational overhead, increases costs, and complicates cross-team coordination.

With Dag-level roles, teams can share a deployment while maintaining strict access boundaries. Platform admins define who can see and operate which Dags, and Astro enforces those policies at the control plane level. The result is fewer deployments to manage, lower infrastructure costs, and a simpler operational model, all without sacrificing governance.

Getting Started

Dag-level roles are available now for Astro Enterprise customers running Airflow 3.1.0+ via Astro Runtime. To get access, reach out to your Astronomer account team and they’ll work with you to enable it for your environment. Once enabled:

  1. Ensure your deployment is running Astro Runtime with Airflow 3.1.0 or later.
  2. Navigate to your deployment’s access management settings in the Astro UI.
  3. Assign Dag Viewer or Dag Author roles to users, teams, or API tokens, scoped to specific Dag IDs or tags.

For programmatic management, the Astro API supports Dag-level role assignments today, and Terraform and CLI support will be available in the coming weeks.

To learn more, visit our documentation or book a demo to see Dag-level roles in action.
