Astro Private Cloud user role and permission reference

This page lists the default permissions for each user role on Astro Private Cloud. To modify these default permissions, see Customize role permissions.

Config governance permissions (2.0)

Astro Private Cloud 2.0 adds permissions for config governance on the deployments object (cluster, workspace, and deployment overrides). The APC API checks these permission strings (not the UI label) when you call the GraphQL API. Workspace-scoped users need both a workspace role and the right deployment role when they act in a specific Deployment. System-scoped system.* permissions apply when a user is operating across workspaces or Deployments from a system role binding (for example, a System Admin).

Permission	What it gates (the APC API examples)	Default role(s)
`workspace.deployments.config.get`	`workspaceDeploymentsConfig` query: read a workspace’s stored `deployments` config override.	Workspace Viewer and above; use `system.workspace.deployments.config.get` for the same read from a system-scoped role
`workspace.deployments.config.update`	`updateWorkspaceDeploymentsConfig` mutation.	Workspace Editor and above; `system.workspace.deployments.config.update` (System Editor+) for system-scoped update
`workspace.deployments.config.delete`	`deleteWorkspaceDeploymentsConfig` mutation.	Workspace Admin; `system.workspace.deployments.config.delete` (System Admin) for system-scoped delete
`deployment.deployments.config.update`	`updateDeploymentConfig` for that Deployment.	Deployment Editor+; `system.deployment.deployments.config.update` (System Editor+) for any Deployment
`deployment.deployments.config.delete`	`deleteDeploymentConfig` for that Deployment.	Deployment Admin; `system.deployment.deployments.config.delete` (System Admin) for any Deployment
`system.workspace.deployments.config.get`	Read workspace `deployments` config when the caller uses a system-scoped path.	System Viewer and above (see chart defaults)
`system.workspace.deployments.config.update`	Update workspace `deployments` config from a system context.	System Editor and above
`system.workspace.deployments.config.delete`	Delete workspace `deployments` config from a system context.	System Admin
`system.deployment.deployments.config.update`	`updateDeploymentConfig` on any deployment from a system context.	System Editor and above
`system.deployment.deployments.config.delete`	`deleteDeploymentConfig` on any deployment from a system context.	System Admin

Cluster data plane overrides are updated with updateCluster and the cluster.config.* and system.clusters.update permissions (Cluster Admin and System Admin defaults), not the workspace.* or deployment.deployments.* names above. See Override data plane cluster configurations.

Default role permissions tables

The following tables show high-level comparisons of the different permitted actions between different user roles.

Default Deployment user permissions

Permission	Deployment Viewer	Deployment Editor	Deployment Admin
View the Airflow UI	✔️	✔️	✔️
View the Deployment’s settings	✔️	✔️	✔️
View the Deployment’s logs	✔️	✔️	✔️
Access the Deployment’s running Docker image	✔️	✔️	✔️
View the Deployment’s Metrics tab in the Astro Private Cloud UI	✔️	✔️	✔️
View any service account for the Deployment	✔️	✔️	✔️
View the Deployment’s environment variables	✔️	✔️	✔️
View the list of users with access to the Deployment	✔️	✔️	✔️
View all Teams belonging to the Deployment	✔️	✔️	✔️
View task usage information for the Deployment	✔️	✔️	✔️
View Deployment Admin users		✔️	✔️
Modify the Deployment’s settings		✔️	✔️
Upgrade the Deployment’s Astro Runtime version		✔️	✔️
Airflow user permissions for the Deployment, including modifying task runs and Dag runs		✔️	✔️
Push code as an image or full project deploy to the Deployment using the Astro CLI		✔️	✔️
Push code as a Dag-only deploy to the Deployment using the Astro CLI		✔️	✔️
Create, update, and delete a Deployment-level service account		✔️	✔️
Update the Deployment’s environment variables		✔️	✔️
Airflow admin permissions for the Deployment			✔️
Delete the Deployment			✔️
Update Deployment-level permissions for users within the Deployment			✔️
Update Deployment-level permissions for Teams within the Deployment			✔️
Upgrade the Deployment to an unsupported version of Astro Runtime			✔️

Default Workspace user permissions

Permission	Workspace Viewer	Workspace Editor	Workspace Admin
View the Workspace	✔️	✔️	✔️
View all settings and configuration pages of any Deployment	✔️	✔️	✔️
View any Deployment or Workspace-level service account	✔️	✔️	✔️
View information for all users with access to the Workspace	✔️	✔️	✔️
View Teams belonging to the Workspace	✔️	✔️	✔️
View any service account for the Deployment	✔️	✔️	✔️
View task usage in the Workspace	✔️	✔️	✔️
View Workspace admin users.		✔️	✔️
Modify the Workspace, including Workspace Name, Description, and user access		✔️	✔️
Create a Deployment in the Workspace		✔️	✔️
Update any Deployment in the Workspace		✔️	✔️
Upgrade any Deployment in the Workspace		✔️	✔️
Create, modify, and delete Workspace-level service accounts		✔️	✔️
View pending user invites for the Workspace			✔️
Delete the Workspace			✔️
Update IAM for the Workspace			✔️
View all users in Teams belonging to the Workspace			✔️
View all users in the Workspace			✔️
Upgrade any Deployment in the Workspace to an unsupported version of Astro Runtime			✔️

Default System user permissions

Permission	System Viewer	System Editor	System Admin
Deployment Admin permissions for all Deployments	✔️	✔️	✔️
View environment variables for any Deployment	✔️	✔️	✔️
View any setting for any Deployment in the Astro Private Cloud UI	✔️	✔️	✔️
View all pending user invites in the System Admin tab of the Astro Private Cloud UI	✔️	✔️	✔️
View information for any pending user invite	✔️	✔️	✔️
Access to Grafana for system-level monitoring	✔️	✔️	✔️
View service accounts for any Deployment or Workspace	✔️	✔️	✔️
View the newest platform release version number	✔️	✔️	✔️
View information for any user on the platform, including their email address, the list of Workspaces that user has access to, and their user role	✔️	✔️	✔️
View system admin users.	✔️	✔️	✔️
Modify environment variables for any Deployment		✔️	✔️
Modify IAM roles for any Deployment		✔️	✔️
Modify service accounts for any Workspace or Deployment		✔️	✔️
Airflow user permissions for all Deployments		✔️	✔️
Modify base layer Docker images for Deployments		✔️	✔️
Clean Deployment task metadata			✔️
Create, update, or delete a Deployment on any Workspace			✔️
Deploy code to any Deployment			✔️
View logs for any Deployment			✔️
View metrics for any Deployment			✔️
View pending user invites in all Workspaces			✔️
Create, update, or delete a service account at any level			✔️
Create, update, or delete any Team			✔️
Invite, update, or delete any user			✔️
Bypass email verification for any user			✔️
Create, update, or delete a Workspace			✔️
Airflow admin permissions for all Deployments			✔️
Create a Deployment in any Workspace			✔️
Update a Deployment in any Workspace			✔️
Create a Deployment with an unsupported version of Astro Runtime			✔️
Register a new cluster			✔️
Deregister (remove) an existing cluster			✔️
Update cluster configuration or metadata			✔️
View details and status of any registered cluster			✔️

Default role permissions lists

The following sections list the permission values that each role has by default as defined in the Astronomer Helm chart. You can update these permissions in your values.yaml file if you want to change the permissions that each role has. See Customize role permissions.

These lists are also published in YAML form in the Astronomer documentation repository.

System Viewer

The System Viewer has the following permissions by default:

system.airflow.get: View the Airflow UI for any Deployment
system.deployment.variables.get: View environment variables for any Deployment
system.deployments.get: View any setting for any Deployment in the Astro Private Cloud UI
system.deployRevisions.get: Use paginatedDeployRevisions API to view deploy revisions
system.invites.get: View all pending user invites in the System Admin tab of the Astro Private Cloud UI
system.invite.get: View information for any pending user invite
system.monitoring.get: Access to Grafana for system-level monitoring
system.serviceAccounts.get: View service accounts for any Deployment or Workspace
system.updates.get: View the newest platform release version number
system.users.get: View information for any user on the platform, including their email address, the list of Workspaces that user has access to, and their user role
system.workspace.get: View information for any Workspace
system.workspace.deployments.config.get: Read a workspace’s deployments config override when using a system-scoped role binding (same workspaceDeploymentsConfig query with system permissions)

System Editor

The System Editor has the same default permissions as the System Viewer, plus:

system.adminCount.get: View system admin users.
system.deployment.variables.update: Modify environment variables for any Deployment
system.iam.update: Modify IAM roles for any Deployment
system.serviceAccounts.update: Modify service accounts for any Workspace or Deployment
deployment.airflow.user: Airflow user permissions for all Deployments
system.registryBaseImages.push: Modify base layer Docker images for Airflow
system.workspace.deployments.config.update: Update a workspace’s deployments config override from a system context (updateWorkspaceDeploymentsConfig with a system role)
system.deployment.deployments.config.update: Update any Deployment’s deployments config override from a system context (updateDeploymentConfig)

System Admin

The System Admin has the same default permissions as the System Viewer and System Editor, plus:

system.clusters.register: Register a new data plane cluster
system.clusters.deregister: Deregister (remove) an existing data plane cluster
system.clusters.update: Update data plane cluster configuration or metadata
system.clusters.get: View details and status of any registered data plane cluster
system.cleanupAirflowDb.delete: Clean Deployment task metadata
system.deployments.create: Create a Deployment on any Workspace
system.deployments.update: Modify any Deployment
system.deployments.upsert: Use upsertDeployment API
system.deployments.delete: Delete any Deployment
system.deployments.images.push: Deploy code to any Deployment
system.deployments.logs: View logs for any Deployment
system.deployments.metrics: View metrics for any Deployment
system.invites.get: View pending user invites in all Workspaces
system.serviceAccounts.create: Create a service account at any level
system.serviceAccounts.delete: Delete any service account
system.serviceAccounts.update: Modify any service account
system.teams.remove: Delete any Team
system.user.invite: Invite a user
system.user.delete: Delete a user
system.user.forceDelete: Delete a user that is a part of an IdP team
system.user.verifyEmail: Bypass email verification for any user
system.workspace.delete: Delete any Workspace
system.workspace.update: Modify the name or description of any Workspace
system.airflow.admin: Airflow admin permissions on any Deployment, including permission to configure:
- Pools
- Configuration
- Users
- Connections
- Variables
- XComs
system.workspace.deployments.config.delete: Delete (reset) a workspace’s deployments config override from a system context (deleteWorkspaceDeploymentsConfig)
system.deployment.deployments.config.delete: Delete (reset) any Deployment’s deployments config override from a system context (deleteDeploymentConfig)

Workspace Viewer

The Workspace Viewer has the following default permissions for a given Workspace:

workspace.config.get: View the Workspace
system.deployments.get: View all settings and configuration pages of any Deployment
workspace.serviceAccounts.get: View any Deployment or Workspace-level service account
workspace.users.get: View information for all users with access to the Workspace
workspace.teams.get: View Teams belonging to the Workspace
workspace.taskUsage.get: View task usage in the Workspace
workspace.deployments.config.get: Read the workspace config governance override (workspaceDeploymentsConfig in the APC API)

Workspace Editor

For a given Workspace, the Workspace Editor has the same default permissions as the Workspace Viewer, plus:

workspace.adminCount.get: View Workspace admin users.
workspace.config.update: Modify the Workspace, including Workspace Name, Description, and user access
workspace.deployments.create: Create a Deployment in the Workspace
workspace.deployments.upsert: Use Create Deployment path within the upsertDeployment API
workspace.serviceAccounts.create: Create a Workspace-level service account
workspace.serviceAccounts.update: Modify a Workspace-level service account
workspace.serviceAccounts.delete: Delete a Workspace-level service account
workspace.deployments.config.update: Create or update the workspace’s deployments config override (updateWorkspaceDeploymentsConfig in the APC API)

Workspace Admin

For a given Workspace, the Workspace Admin has the same default permissions as the Workspace Viewer and Workspace Editor, plus:

workspace.invites.get: View pending user invites for the Workspace
workspace.config.delete: Delete the Workspace
workspace.iam.update: Update IAM for the Workspace
workspace.teams.getAll: View all users in Teams belonging to the Workspace
workspace.users.getAll: View all users in the Workspace
workspace.deployments.config.delete: Delete (reset) the workspace’s deployments config override (deleteWorkspaceDeploymentsConfig in the APC API)

In addition, Workspace Admins have Deployment Admin permissions for all Deployments within the Workspace.

Deployment Viewer

For a given Deployment, a Deployment Viewer has the following permissions:

deployment.airflow.get: View the Airflow UI
deployment.config.get: View the Deployment’s settings
deployment.deployRevisions.get: Use the paginatedDeployRevisions API to view deploy revisions
deployment.logs.get: View the Deployment’s logs
deployment.images.pull: Access the Deployment’s running Docker image
deployment.metrics.get: View the Deployment’s Metrics tab in the Astro Private Cloud UI
deployment.serviceAccounts.get: View any service account for the Deployment
deployment.status.get: View the Deployment’s status
deployment.variables.get: View the Deployment’s environment variables
deployment.users.get: View the list of users with access to the Deployment
deployment.teams.get: View all Teams belonging to the Deployment
deployment.taskUsage.get: View task usage information for the Deployment

Deployment Editor

For a given Deployment, the Deployment Editor has the same default permissions as the Deployment Viewer, plus:

deployment.adminCount.get: View Deployment admin users.
deployment.airflow.user: Airflow user permissions for all Deployments, including modifying task runs and Dag runs
deployment.config.update: Modify the Deployment’s settings
deployment.config.upsert: Use upsertDeployment API
deployment.dags.push: Push Dag-only code deploys to the Deployment using the Astro CLI
deployment.images.push: Push code to the Deployment using the Astro CLI
deployment.images.pull: Pull image from the Deployment using the Astro CLI
deployment.serviceAccounts.create: Create a Deployment-level service account
deployment.serviceAccounts.update: Modify a Deployment-level service account
deployment.serviceAccounts.delete: Delete a Deployment-level service account
deployment.variables.update: Update the Deployment’s environment variables
deployment.deployments.config.update: Create or update the Deployment’s deployments config override (updateDeploymentConfig in the APC API)

Deployment Admin

For a given Deployment, the Deployment Admin has the same default permissions as the Deployment Viewer and the Deployment Editor, plus:

deployment.airflow.admin: Airflow admin permissions, including permission to configure:
- Pools
- Configuration
- Users
- Connections
- Variables
- XComs
deployment.config.delete: Delete the Deployment
deployment.userRoles.update: Update Deployment-level permissions for users within the Deployment
deployment.teamRoles.update: Update Deployment-level permissions for Teams within the Deployment
deployment.deployments.config.delete: Delete (reset) the Deployment’s deployments config override (deleteDeploymentConfig in the APC API)