
User Roles and Permissions


Astronomer v0.9 and later support role-based access control (RBAC), allowing you to configure varying levels of access across all Users within your Workspace.

The Astronomer image comes bundled with an astronomer-security-manager package that connects permissions between Houston (the Astronomer API) and Airflow's built-in RBAC.

For details on how those levels of permission are defined and how to leverage them on both Astronomer and Airflow, read the guidelines below.

Overview

Astronomer supports three levels of Workspace roles:

  • Admin
  • Editor
  • Viewer

Each of these roles maps to a combination of permissions in both Astronomer and Airflow.

View Roles

To view roles within a Workspace, navigate to the Users tab.


Edit Roles

If you're a Workspace Admin, you can edit permissions by clicking into a user.

Configure Access

Astronomer Access

Admin

Workspace Admins are the highest-tiered role. Admins can:

  • Perform CRUD (create, read, update, delete) operations on the Workspace
  • Perform CRUD operations on any deployment within that Workspace
  • Manage users and their permissions in a Workspace

Editor

One tier below Admins, Editors can:

  • Perform CRUD operations on any deployment in the Workspace
  • Perform CRUD operations on any service account in the Workspace

Viewer

Viewers are limited to read-only mode. They can:

  • View users in a Workspace
  • View deployments in a Workspace

Viewers cannot push code to a deployment.

Note: By default, newly invited users are Viewers in a Workspace.

Airflow Access

User roles apply to all Airflow deployments within a single Workspace.

Admins

  • Full access to the Admin panel in Airflow
  • Full access to modify and interact with DAGs in the UI

Editors

  • Full access to modify and interact with DAGs in the UI
  • Do not have access to the Admin menu in Airflow, which includes:

    • Pools
    • Configuration
    • Users
    • Connections
    • Variables
    • XComs


Viewers

  • Read-only access to the Airflow UI
  • Cannot deploy to, modify, or delete anything within an Airflow deployment
  • Any attempt to view logs, trigger DAGs, or take similar actions results in a 403 and an Access is Denied message.
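
The role tiers described above can drive a periodic access review. The following is an added example, not Astronomer code: it encodes the Astronomer and Airflow permissions listed on this page and recommends the lowest role that covers what each user needs. The capability labels, user names and sample data are constructed for illustration, and the example assumes each tier includes everything the tiers below it can do.

```python
# Added example: least-privilege review against the role tiers on this page.
# Capability labels are invented for this example; they are not Astronomer identifiers.
VIEWER = {"workspace.users.view", "workspace.deployments.view", "airflow.ui.read"}
EDITOR = VIEWER | {"deployment.crud", "service_account.crud", "airflow.dags.modify"}
ADMIN = EDITOR | {"workspace.crud", "workspace.users.manage", "airflow.admin_menu"}
# Least to most privileged. Assumption: each tier includes the tiers below it.
ROLES = [("Viewer", VIEWER), ("Editor", EDITOR), ("Admin", ADMIN)]
RANK = {name: i for i, (name, _) in enumerate(ROLES)}


def minimal_role(needed):
    """Return the lowest-tier role granting every capability in `needed`."""
    needed = set(needed)
    unknown = needed - ADMIN
    if unknown:
        raise ValueError(f"not in the role matrix: {sorted(unknown)}")
    return next(name for name, caps in ROLES if needed <= caps)


def review(assignments, needs):
    """Return (user, assigned, recommended, status) for each assignment."""
    findings = []
    for user, assigned in sorted(assignments.items()):
        if assigned not in RANK:
            findings.append((user, assigned, None, "unknown-role"))
            continue
        # No recorded need falls back to Viewer, the default for new invites.
        recommended = minimal_role(needs.get(user, ()))
        gap = RANK[assigned] - RANK[recommended]
        status = "over-privileged" if gap > 0 else "under-privileged" if gap < 0 else "ok"
        findings.append((user, assigned, recommended, status))
    return findings


# Constructed sample data: role assignments and the capabilities each user needs.
ASSIGNMENTS = {"ana@example.com": "Admin", "ben@example.com": "Editor",
               "cy@example.com": "Viewer", "dee@example.com": "Editor"}
NEEDS = {"ana@example.com": {"deployment.crud", "airflow.dags.modify"},
         "ben@example.com": {"service_account.crud"},
         "cy@example.com": {"airflow.dags.modify"}}

if __name__ == "__main__":
    for row in review(ASSIGNMENTS, NEEDS):
        print(*row, sep="\t")
```

Users flagged as over-privileged are candidates for a lower role; users flagged as under-privileged would receive a 403 on the actions they need.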


Coming soon

In coming releases, we'll be rolling out Deployment-level permissions to use in tandem with Workspace-level permissions.