User Roles and Permissions

Astronomer v0.9 and beyond support role-based access control (RBAC), allowing you to configure varying levels of access across all Users within your Workspace.

The Astronomer image comes bundled with an astronomer-security-manager package that connects permissions between Houston (the Astronomer API) and Airflow's built-in RBAC.

For details on how those levels of permission are defined and how to leverage them on both Astronomer and Airflow, read the guidelines below.


Astronomer supports three levels of Workspace roles:

  • Admin
  • Editor
  • Viewer

Each of these roles maps to a combination of permissions on both Astronomer and Airflow itself.

View Roles

To view roles within a Workspace, navigate to the Users tab.


Edit Roles

If you're a Workspace Admin, you can edit permissions by clicking into a user.

Configure Access

Astronomer Access


Workspace Admin is the highest-tiered role. Admins can:

  • Perform CRUD (create, read, update, delete) operations on the Workspace
  • Perform CRUD operations on any deployment within that Workspace
  • Manage users and their permissions in a Workspace


One tier below Admins, Editors can:

  • Perform CRUD operations on any deployment in the Workspace
  • Perform CRUD operations on any service account in the Workspace


Viewers are limited to read-only mode. They can:

  • View users in a Workspace
  • View deployments in a Workspace

Viewers cannot push code to a deployment.

Note: By default, newly invited users are Viewers in a Workspace.

Airflow Access

User roles apply to all Airflow deployments within a single Workspace.


Admins

  • Full access to the Admin panel in Airflow
  • Full access to modify and interact with DAGs in the UI


Editors

  • Full access to modify and interact with DAGs in the UI
  • No access to the Admin menu in Airflow, which includes:

    • Pools
    • Configuration
    • Users
    • Connections
    • Variables
    • XComs



Viewers

  • Read-only access to the Airflow UI
  • Cannot deploy to, modify, or delete anything within an Airflow deployment
  • Any attempt to view logs, trigger DAGs, or anything else of the sort will result in a 403 and an "Access is Denied" message.


Coming soon

In coming releases, we'll be rolling out Deployment-level permissions to use in tandem with Workspace-level permissions.