Enhanced Astro Workspace Roles for more granular permissions

  • Piotr Chomiak

Security and data protection are at the forefront of every administrator’s mind, while ensuring usability and a great user experience are still respected. The balance of the two priorities is not only critical in delivering Astro to our users, but also increasingly important and difficult as the demands for safeguarding organizations from cybercrime, unauthorized access and data breaches continue to expand.

In this blog post, we will dive into the details of the Astro’s Role-Based Access Control (RBAC) and new Workspace Role updates, and explore improvements to popular use cases of Astro.

Astro’s RBAC Model

Astro offers a set of roles with defined permissions across two entities in the product — Organization and Workspaces. The Astro Organization is a collection of your entire Astro estate including users, workspaces, and deployments. Every user within an Organization has a specific Organization role that specifies what they are allowed to do. Along with users, Organization API Tokens and Teams can also be assigned an Organization role.

Similarly, a user may belong to one or more Astro Workspaces. Every user added to a Workspace is assigned a Workspace role, that specifies what they are allowed to do in that Workspace. In addition to users, both Organization and Workspace API Tokens and Teams can also be assigned a Workspace role.

Another key aspect of Astro’s RBAC is that it is hierarchical. The most privileged roles in the Organization and Workspace entities inherit the permissions of the lesser privileged roles. The most privileged Organization role also inherits all the permissions to all Workspaces. Lastly, if a user has permissions to a Workspace both as an individual and as a member of a Team, then Astronomer recognizes the more privileged role.

Revisiting Workspace Roles

Since the launch of Astro, we received considerable feedback about the challenges customers were facing with the existing set of Workspace roles, and it became apparent we had to improve this experience as part of delivering a modern data orchestration solution. The feedback revolved around two main issues:

  1. Lack of Airflow permissions for non-Workspace Admins
  2. Missing role for the data engineer persona

We went back to the drawing board to better understand the appropriate mix of permissions for existing roles and how to best serve the data engineer persona with an appropriate role, with an ultimate goal of making it easier and more secure to develop, manage, and support data pipelines and deployments at scale.

Ultimately, the major enhancements include expanded Airflow permissions for the Workspace Operator, previously Editor, and a new Workspace Author role for the unique and specific needs of the data engineer using Astro. Check out the table and the end of the blog for a detailed breakdown of Workspace roles and associated permissions.

Improved User Experience

Beyond the two main issues shared above, we learned of specific use cases and challenges that were suffering as a result of previous Workspace roles.

The Nitty Gritty Details

The table below breaks down the new Workspace roles and associated permissions. The asterisk represents new capabilities.

PermissionWorkspace MemberWorkspace AuthorWorkspace OperatorWorkspace Owner
View Workspace Users, Teams, and API Tokens✔️✔️*✔️✔️
View all Deployments in the Cloud UI✔️✔️*✔️✔️
View DAGs in the Astro and Airflow UI✔️✔️*✔️✔️
View Airflow Task logs✔️✔️*✔️✔️
View Astro Cloud IDE projects✔️✔️*✔️✔️
View Astro Alerts✔️✔️*✔️✔️
View Airflow Datasets✔️*✔️*✔️*✔️
Manage Astro Alerts ✔️*✔️✔️
Manually trigger DAG and Task Runs ✔️*✔️✔️
Pause or unpause a DAG ✔️*✔️✔️
Clear/mark a Task Instance or DAG Run ✔️*✔️✔️
Push code to Deployments or Cloud IDE projects ✔️*✔️✔️
Create, Update, and Delete Astro Cloud IDE projects ✔️*✔️✔️
View Airflow Connections, Variables, Plugins, Providers, Pools, XComs ✔️*✔️*✔️
Create, Update, and Delete Airflow Connections, Variables, Pools  ✔️*✔️
View Airflow Configurations  ✔️*✔️
Delete XComs  ✔️*✔️
Create and Delete Deployments  ✔️✔️
Create, Update and Delete Deployment Environment Variables  ✔️✔️
Update Deployment configurations  ✔️✔️
Transfer a Deployment  ✔️✔️
Create, Update, and Delete Deployment API Keys   ✔️
Update User, Team, and API Token roles   ✔️
Invite Users to a Workspace   ✔️
Assign Teams to or remove from Workspace   ✔️
Create, Update, and Delete Workspace API Tokens   ✔️
Manage Workspace Settings   ✔️
Delete Workspace   ✔️

Ready to Get Started?

Get Started Free

Try Astro free for 14 days and power your next big data project.