User Roles and Permissions
Astronomer v0.9 and later support role-based access control (RBAC), allowing you to configure varying levels of access across all Users within your Workspace.
The Astronomer image comes bundled with an astronomer-fab-security manager package that connects permissions between Houston (the Astronomer API) and Airflow's built-in RBAC.
For details on how those levels of permission are defined and how to leverage them on both Astronomer and Airflow, read the guidelines below.
Astronomer supports three levels of Workspace roles: Admin, Editor, and Viewer.
Each of these roles maps to a combination of permissions to both Astronomer and Airflow itself.
To view roles within a Workspace, navigate to the
If you're a Workspace Admin, you can edit permissions by clicking into a user.
Workspace Admins are the highest-tiered role. Admins can:
- Perform CRUD (create, read, update, delete) operations on the Workspace
- Perform CRUD operations on any Airflow deployment within that workspace
- Manage users and their permissions in a Workspace
Below Admins, Editors can:
- Perform CRUD operations on any deployment in the Workspace
- Perform CRUD operations on any service account in the Workspace
Editors cannot manage other users in the Workspace.
Viewers are limited to read-only mode. They can:
- View users in a Workspace
- View deployments in a Workspace
Viewers cannot push code to a deployment.
Note: By default, newly invited users are Viewers in a Workspace.
Astronomer RBAC not only applies to functions on Astronomer itself, but it also maps to Airflow native roles and permissions. User roles apply to all Airflow deployments within a single Workspace.
Read below for a breakdown of how Astronomer roles translate to Airflow access and functionality.
- Full deploy functionality to all deployments within the Workspace
- Full access to the Admin panel in Airflow
- Full access to modify and interact with DAGs in the UI
- Full access to modify and interact with DAGs in the Airflow UI
Do not have access to the Admin menu in Airflow, which includes:
- Read-only access to the Airflow UI
- Cannot deploy to, modify, or delete anything within an Airflow deployment
- Any attempts to view logs, trigger DAGs, or anything else of the sort will result in an "Access is Denied" message.
In coming releases, we'll be rolling out Deployment level permissions to use in tandem with Workspace level permissions.