As an Organization Owner or Workspace Owner, you can use Teams to batch assign Organization and Workspace roles to groups of users. Organization Owners create, update, or delete Teams. Then, either Organization Owners or Workspace Owners can assign Teams to different Workspaces and define their Workspace permissions. For Deployments running Astro Runtime 3.1-12 or later, you can also assign Teams to individual Dags with Dag-specific roles. See Dag-level access control.
A Team is a group of users in an Organization that share the same Organization and Workspace permissions. You can use Teams to securely assign permissions for a large group of users across multiple Workspaces. For example, you can create a Team of dag authors, then assign that Team to each of your development Workspaces as a Workspace author.
You can also assign different roles for each Workspace. For example, you can have a group of dag authors that has full Workspace Owner permissions for development Workspaces, and that same Team can have only Workspace Member permissions for production Workspaces.
In the Astro UI, click Organization Settings, then click Access Management.
Click Teams.
Click + Team to create a new Team.
Configure the following details about your Team:
If you don’t find the user you want to add, you might need to add the user to your Organization.
After you finish adding users to the Team, click Add Team.
You can now add your Team to a Workspace and define the Team users’ permissions in the Workspace.
In the Astro UI, click Organization Settings, then click Access Management.
Click Teams.
Click the name of the Team you want to update.
Update your Team:
In the Astro UI, select a Workspace and click Workspace Settings > Access Management.
Click Teams.
Click + Team.
Select the Team you want to add and define their Workspace Role, which determines their Workspace user permissions.
Organization Owners can also add or update a Team for a Workspace from the Organization Settings:
See astro workspace team add for example output and commands.
You can assign a Team to specific Dags within a Deployment, giving all Team members the same Dag-level permissions. For complete instructions, see Assign Dag roles to Teams.
You can use the Astro CLI and a shell script to add a Team to multiple Workspaces at once. The shell script reads from a text file which contains Team information. You can generate a text file for each Team that needs to be assigned to Workspaces and run a script to process the file. You must have Organization Owner or Workspace Owner level permissions to add Teams to Workspaces.
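The script below is an added example, not the add-teams.sh from Astronomer's documentation: it reads the teams.txt format used in this section (Team ID, role, and Workspace ID on each line) and validates every entry before running astro workspace team add. The role spellings, the ID character set, the APPLY and ALLOW_OWNER variables, and the --role and --workspace-id flags are assumptions to confirm against your CLI version.

```shell
#!/bin/sh
# Added example, not Astronomer's script. Assumed rather than taken from the
# page: the role spellings, the ID character set, APPLY and ALLOW_OWNER.
VALID_ROLES="WORKSPACE_MEMBER WORKSPACE_AUTHOR WORKSPACE_OPERATOR WORKSPACE_OWNER"

# check_entry TEAM_ID ROLE WORKSPACE_ID: succeed only for a well-formed entry.
check_entry() {
  [ "$#" -eq 3 ] || { echo "expected 3 fields, got $#"; return 1; }
  for id in "$1" "$3"; do
    # IDs become CLI arguments: refuse a leading '-' and unexpected characters.
    case "$id" in
      ''|-*|*[!A-Za-z0-9_-]*) echo "malformed ID '$id'"; return 1 ;;
    esac
  done
  case " $VALID_ROLES " in *" $2 "*) ;; *) echo "unknown role '$2'"; return 1 ;; esac
  # Owner is the broadest Workspace role, so it needs an explicit opt-in.
  if [ "$2" = WORKSPACE_OWNER ] && [ "${ALLOW_OWNER:-0}" != 1 ]; then
    echo "WORKSPACE_OWNER requires ALLOW_OWNER=1"; return 1
  fi
}

# validate_file FILE: check every line before any role is granted.
validate_file() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  n=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    set -f   # $line is split on whitespace below; keep '*' from globbing
    msg=$(check_entry $line) || { echo "line $n: $msg" >&2; bad=$((bad + 1)); }
    set +f
  done < "$1"
  return "$((bad > 0))"
}

# add_teams FILE: print the planned commands; run them only when APPLY=1.
add_teams() {
  validate_file "$1" || { echo "no changes made" >&2; return 1; }
  while read -r team role ws || [ -n "$team" ]; do
    case "$team" in ''|'#'*) continue ;; esac
    echo "astro workspace team add $team --role $role --workspace-id $ws"
    [ "${APPLY:-0}" = 1 ] || continue
    # </dev/null stops the CLI from reading the rest of FILE from stdin.
    astro workspace team add "$team" --role "$role" --workspace-id "$ws" </dev/null || return 1
  done < "$1"
}

[ "$#" -eq 0 ] || add_teams "$1"
```

Run it once without APPLY to review the planned commands, then again with APPLY=1 to make the changes.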
Create a text file named teams.txt.
Open the text file. On each line, add a Team ID, the Team’s role, and the Workspace ID delimited by spaces. Your text file should look similar to the following:
Create a file named add-teams.sh and add the following script to it:
(Optional) Log in to the Astro CLI using astro login, then run astro workspace list to ensure that you have access to the Workspaces where you want to add the users.
Run the following command to execute the shell script:
(Optional) To use this script as part of a CI/CD pipeline, create an Organization API token and specify the following environment variable in your CI/CD environment:
ASTRO_API_TOKEN=<your-api-token>
To preserve a single source of truth for user group management, some Team management actions are limited when you set up SCIM provisioning. Specifically, when you set up SCIM provisioning:
For any Teams that were created before you set up SCIM provisioning, you can still complete the following actions: