Astro Private Cloud user role and permission reference

This is where you’ll find information about Astro Private Cloud default user role permissions. To modify these default permissions, see Customize role permissions.

Default role permissions tables

The following tables summarize the default actions that each user role can currently view or perform in Astro Private Cloud. In a few cases, read-only views don’t map one-to-one to a single permission value in the lists later in this page. Service accounts also differ from user accounts in a few important ways, which are documented later in this page.

Default Deployment user permissions

Permission	Deployment Viewer	Deployment Editor	Deployment Admin
View the Airflow UI	✔️	✔️	✔️
View the Deployment’s settings	✔️	✔️	✔️
View the Deployment’s logs	✔️	✔️	✔️
Access the Deployment’s running Docker image	✔️	✔️	✔️
View the Deployment’s Metrics tab in the Astro Private Cloud UI	✔️	✔️	✔️
View any service account for the Deployment	✔️	✔️	✔️
View the Deployment’s environment variables	✔️	✔️	✔️
View the list of users with access to the Deployment	✔️	✔️	✔️
View all Teams belonging to the Deployment	✔️	✔️	✔️
View task usage information for the Deployment	✔️	✔️	✔️
View Deployment Admin users		✔️	✔️
Modify the Deployment’s settings		✔️	✔️
Upgrade the Deployment’s Astro Runtime version		✔️	✔️
Airflow user permissions for the Deployment, including modifying task runs and Dag runs		✔️	✔️
Push code as an image or full project deploy to the Deployment using the Astro CLI		✔️	✔️
Push code as a Dag-only deploy to the Deployment using the Astro CLI		✔️	✔️
Create, update, and delete a Deployment-level service account		✔️	✔️
Update the Deployment’s environment variables		✔️	✔️
Airflow admin permissions for the Deployment			✔️
Delete the Deployment			✔️
Update Deployment-level permissions for users within the Deployment			✔️
Update Deployment-level permissions for Teams within the Deployment			✔️
Upgrade the Deployment to an unsupported version of Astro Runtime			✔️

Default Workspace user permissions

Permission	Workspace Viewer	Workspace Editor	Workspace Admin
View the Workspace	✔️	✔️	✔️
View all settings and configuration pages of any Deployment	✔️	✔️	✔️
View any Deployment- or Workspace-level service account	✔️	✔️	✔️
View information for all users with access to the Workspace	✔️	✔️	✔️
View Teams belonging to the Workspace	✔️	✔️	✔️
View users in Teams belonging to the Workspace	✔️	✔️	✔️
View task usage in the Workspace	✔️	✔️	✔️
View which Workspace users have the Workspace Admin role	✔️	✔️	✔️
View pending user invites for the Workspace	✔️	✔️	✔️
Modify the Workspace, including Workspace Name, Description, and user access		✔️	✔️
Create a Deployment in the Workspace		✔️	✔️
Update any Deployment in the Workspace			✔️
Upgrade any Deployment in the Workspace			✔️
Create, modify, and delete Workspace-level service accounts		✔️	✔️
Delete the Workspace			✔️
Update IAM for the Workspace			✔️
Upgrade any Deployment in the Workspace to an unsupported version of Astro Runtime			✔️

Default System user permissions

Permission	System Viewer	System Editor	System Admin
View the Airflow UI for any Deployment	✔️	✔️	✔️
View any Deployment’s settings and configuration pages	✔️	✔️	✔️
View any Deployment’s logs	✔️	✔️	✔️
Access any Deployment’s running Docker image	✔️	✔️	✔️
View any Deployment’s Metrics tab in the Astro Private Cloud UI	✔️	✔️	✔️
View any Deployment’s environment variables	✔️	✔️	✔️
View any Deployment- or Workspace-level service account	✔️	✔️	✔️
View information for any user on the platform, including their email address, the list of Workspaces they have access to, and their user role	✔️	✔️	✔️
View Teams in any Workspace	✔️	✔️	✔️
View pending user invites in any Workspace	✔️	✔️	✔️
View task usage for any Deployment	✔️	✔️	✔️
View the newest platform release version number	✔️	✔️	✔️
Access Grafana for system-level monitoring	✔️	✔️	✔️
View system admin users		✔️	✔️
Create a Workspace	✔️	✔️	✔️
Create, update, and delete Workspace- or Deployment-level service accounts anywhere		✔️	✔️
Create, update, or delete a service account at any level			✔️
Create and update Deployments in any Workspace		✔️	✔️
Upgrade any Deployment in any Workspace		✔️	✔️
Push code to any Deployment using the Astro CLI		✔️	✔️
Airflow user permissions for any Deployment		✔️	✔️
Modify base layer Docker images for Deployments		✔️	✔️
Delete any Deployment			✔️
Create, update, and delete a system-level service account			✔️
Update IAM for any Workspace			✔️
Clean Deployment task metadata			✔️
Create, update, and delete any Team			✔️
Invite, update, and delete any user			✔️
Bypass email verification for any user			✔️
Update or delete any Workspace			✔️
Airflow admin permissions for any Deployment			✔️
Create a Deployment with an unsupported version of Astro Runtime			✔️
Register a new cluster			✔️
Deregister (remove) an existing cluster			✔️
Update cluster configuration or metadata			✔️
View details and status of any registered cluster			✔️

Default role permissions lists

The following sections list the default permission values for each role. Some read-only views in the comparison tables above don’t map to a separate permission value in the role lists below. The USER role and the service account comparison later in this page explain the remaining differences. You can update these permissions in your values.yaml file if you want to change the permissions that each role has. See Customize role permissions.

These lists are also published in YAML form in the Astronomer documentation repository.

System Viewer

The System Viewer has Workspace Viewer and Deployment Viewer access across the platform, plus the following system-scoped permissions by default:

system.airflow.get: View the Airflow UI for any Deployment
system.deployment.variables.get: View environment variables for any Deployment
system.deployments.get: View any setting for any Deployment in the Astro Private Cloud UI
system.deployRevisions.get: Use paginatedDeployRevisions API to view deploy revisions
system.invite.get: View information for any pending user invite
system.monitoring.get: Access to Grafana for system-level monitoring
system.serviceAccounts.get: View service accounts for any Deployment or Workspace
system.updates.get: View the newest platform release version number
system.users.get: View information for any user on the platform, including their email address, the list of Workspaces that user has access to, and their user role
system.teams.get: View Teams across the platform
system.workspace.get: View information for any Workspace
system.airflow.viewer: Enable system viewer capabilities in the Astro Private Cloud UI
system.taskUsage.get: View task usage for any Deployment
system.deployments.logs: View logs for any Deployment
system.deployments.metrics: View metrics for any Deployment
system.deployments.status: View status for any Deployment

System Editor

The System Editor has the same system-scoped permissions as the System Viewer and also inherits Workspace Editor and Deployment Editor access across the platform. In addition, it has:

system.adminCount.get: View system admin users.
system.deployment.variables.update: Modify environment variables for any Deployment
system.serviceAccounts.update: Modify service accounts for any Workspace or Deployment
system.airflow.user: Airflow user permissions for all Deployments
system.registryBaseImages.push: Modify base layer Docker images for Airflow

System Admin

The System Admin has the same system-scoped permissions as the System Viewer and System Editor and also inherits Workspace Admin and Deployment Admin access across the platform. In addition, it has:

system.clusters.register: Register a new data plane cluster
system.clusters.deregister: Deregister (remove) an existing data plane cluster
system.clusters.update: Update data plane cluster configuration or metadata
system.clusters.get: View details and status of any registered data plane cluster
system.cleanupAirflowDb.delete: Clean Deployment task metadata
system.iam.update: Update IAM for any Workspace
system.deployments.create: Create a Deployment on any Workspace
system.deployments.update: Modify any Deployment
system.deployments.upsert: Use upsertDeployment API
system.deployments.delete: Delete any Deployment
system.deployments.images.push: Deploy code to any Deployment
system.deployments.dags.push: Push Dag-only code to any Deployment
system.invites.get: View pending user invites in all Workspaces
system.serviceAccounts.create: Create a service account at any level
system.serviceAccounts.delete: Delete any service account
system.teams.create: Create any Team
system.teams.update: Update any Team
system.teams.remove: Delete any Team
system.user.invite: Invite a user
system.user.delete: Delete a user
system.user.forceDelete: Delete a user that is a part of an IDP team
system.user.verifyEmail: Bypass email verification for any user
system.workspace.delete: Delete any Workspace
system.workspace.update: Modify the name or description of any Workspace
system.cleanupDeployRevisions.delete: Clean Deployment deploy revision history
system.airflow.admin: Airflow admin permissions on any Deployment, including permission to configure:
- Pools
- Configuration
- Users
- Connections
- Variables
- XComs

USER

All authenticated users and service accounts receive the USER role by default. This role has the following permissions:

system.workspace.create: Create a Workspace
system.getEmailById: Use the email API
system.getDeploymentById: Use the deployment API

Service account behavior

Service accounts can have broader Deployment-level access than users with the same Workspace-level role. This difference doesn’t appear as separate permission keys in the default role lists on this page.

Scenario	User account	Service account
Base `USER` role	Receives the `USER` role automatically	Receives the `USER` role automatically
`WORKSPACE_VIEWER` on a Workspace	Doesn’t automatically receive `DEPLOYMENT_VIEWER` for every Deployment in the Workspace	Automatically receives `DEPLOYMENT_VIEWER` for every Deployment in the Workspace
`WORKSPACE_EDITOR` on a Workspace	Can create Deployments in the Workspace, but doesn’t automatically receive `DEPLOYMENT_EDITOR` for every Deployment in the Workspace	Automatically receives `DEPLOYMENT_EDITOR` for every Deployment in the Workspace
`WORKSPACE_ADMIN` on a Workspace	Is treated as `DEPLOYMENT_ADMIN` for permission checks on Deployments in that Workspace	Automatically receives `DEPLOYMENT_ADMIN` for every Deployment in the Workspace
Explicit Deployment role on a Deployment	Uses the explicit Deployment role that is assigned	Uses the explicit Deployment role for that Deployment instead of the derived Deployment role

Example

Assume that a user account and a service account both have the Workspace Editor role in the same Workspace.

The user account can create Deployments in that Workspace, but it doesn’t automatically receive Deployment Editor access to every Deployment in the Workspace.

The service account automatically receives Deployment Editor access to every Deployment in that Workspace.

If you explicitly assign that service account the Deployment Viewer role on one Deployment, the explicit Deployment Viewer role applies on that Deployment instead of the automatically derived Deployment Editor role.

Workspace Viewer

The Workspace Viewer has the following default permissions for a given Workspace:

workspace.config.get: View the Workspace
workspace.deployments.get: View all settings and configuration pages of any Deployment
workspace.serviceAccounts.get: View any Deployment or Workspace-level service account
workspace.users.get: View information for all users with access to the Workspace
workspace.teams.get: View Teams belonging to the Workspace
workspace.taskUsage.get: View task usage in the Workspace

Workspace Editor

For a given Workspace, the Workspace Editor has the same default permissions as the Workspace Viewer, plus:

workspace.adminCount.get: View Workspace admin users.
workspace.config.update: Modify the Workspace, including Workspace Name, Description, and user access
workspace.deployments.create: Create a Deployment in the Workspace
workspace.deployments.upsert: Use Create Deployment path within the upsertDeployment API
workspace.serviceAccounts.create: Create a Workspace-level service account
workspace.serviceAccounts.update: Modify a Workspace-level service account
workspace.serviceAccounts.delete: Delete a Workspace-level service account

Workspace Admin

For a given Workspace, the Workspace Admin has the same default permissions as the Workspace Viewer and Workspace Editor, plus:

workspace.invites.get: View pending user invites for the Workspace
workspace.config.delete: Delete the Workspace
workspace.iam.update: Update IAM for the Workspace
workspace.teams.getAll: View all users in Teams belonging to the Workspace
workspace.users.getAll: View all users in the Workspace

In addition, Workspace Admins have Deployment Admin permissions for all Deployments within the Workspace.

Deployment Viewer

For a given Deployment, a Deployment Viewer has the following permissions:

deployment.airflow.get: View the Airflow UI
deployment.config.get: View the Deployment’s settings
deployment.deployRevisions.get: Use the paginatedDeployRevisions API to view deploy revisions
deployment.logs.get: View the Deployment’s logs
deployment.images.pull: Access the Deployment’s running Docker image
deployment.metrics.get: View the Deployment’s Metrics tab in the Astro Private Cloud UI
deployment.serviceAccounts.get: View any service account for the Deployment
deployment.status.get: View the Deployment’s status
deployment.variables.get: View the Deployment’s environment variables
deployment.users.get: View the list of users with access to the Deployment
deployment.teams.get: View all Teams belonging to the Deployment
deployment.taskUsage.get: View task usage information for the Deployment

Deployment Editor

For a given Deployment, the Deployment Editor has the same default permissions as the Deployment Viewer, plus:

deployment.adminCount.get: View Deployment admin users.
deployment.airflow.user: Airflow user permissions for all Deployments, including modifying task runs and Dag runs
deployment.config.update: Modify the Deployment’s settings
deployment.config.upsert: Use upsertDeployment API
deployment.dags.push: Push dag-only code deploys to the Deployment using the Astro CLI
deployment.images.push: Push code to the Deployment using the Astro CLI
deployment.images.pull: Pull image from the Deployment using the Astro CLI
deployment.serviceAccounts.create: Create a Deployment-level service account
deployment.serviceAccounts.update: Modify a Deployment-level service account
deployment.serviceAccounts.delete: Delete a Deployment-level service account
deployment.variables.update: Update the Deployment’s environment variables

Deployment Admin

For a given Deployment, the Deployment Admin has the same default permissions as the Deployment Viewer and the Deployment Editor, plus:

deployment.airflow.admin: Airflow admin permissions, including permission to configure:
- Pools
- Configuration
- Users
- Connections
- Variables
- XComs
deployment.config.delete: Delete the Deployment
deployment.userRoles.update: Update Deployment-level permissions for users within the Deployment
deployment.teamRoles.update: Update Deployment-level permissions for Teams within the Deployment