Role-based access control (RBAC) enables you to grant specific permissions to users in your organization, ensuring that Dagster users have access to what they require in Dagster+, and no more.
In this guide, we'll cover how RBAC works in Dagster+, how to assign roles to users, and the granular permissions for each user role.
Dagster+ Pro employs a flexible approach to user roles and permissions. This system is built on two fundamental concepts:
Dagster+ Pro users can create teams of users and assign default permission sets. Refer to the Managing teams in Dagster+ guide for more info.
If you no longer need a custom role, you can delete it from the edit dialog.
Note that if the role is currently assigned to any users, you will need to reassign them to a different role before deleting the role.
Organization Admins have access to the entire organization, including all full deployments, code locations, and Branch Deployments.
For custom roles, you will have to define if the role applies to the organization settings, or deployment settings.
Level | Plan | Description |
---|---|---|
Deployment | All plans | Defines the level of access for a given deployment. Roles set at this level will be the default role for the user or team for all code locations in the deployment. Note: Granting access to a deployment grants a minimum of Viewer access to all code locations. Preventing access for specific code locations isn't currently supported. Additionally, having access to a deployment doesn't grant access to Branch Deployments - those permissions must be granted separately. |
Code location | Pro | Defines the level of access for a given code location in a deployment. Dagster+ Pro users can override the default deployment-level role for individual code locations. For example, if the Deployment role is Launcher, you could override this role with a more permissive role, such as Editor or Admin. For non-Pro users, users will have the same level of access for all code locations in a deployment. |
Branch deployments | All plans | Defines the level of access for all Branch Deployments in the code locations the user or team has access to. |
As previously mentioned, you can define individual user roles for users in your organization. You can also apply permission overrides to grant specific exceptions.
Overrides may be used to apply a more permissive role. If, for example, the default role is Admin or Organization Admin, overrides will be disabled as these are the most permissive roles.
To override a code location role for an individual user:
Users in your organization can belong to one or more teams. When determining a user's level of access, Dagster+ will use the most permissive role assigned to the user between all of their team memberships and any individual role grants.
For example, let's look at a user with the following roles for our dev
deployment:
In this example, the user would have Launcher access to the prod
deployment. This is because the Launcher role is more permissive than Viewer.
The above also applies to code locations and Branch Deployment roles.
To view deployment-level overrides for a specific user, locate the user on the Users page and hover over a deployment:
If there are code location-level overrides, a small N override(s) link will display beneath the user's deployment role. Hover over it to display the list of overrides:
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
View runs of jobs | ✅ | ✅ | ✅ | ✅ | ✅ |
Launch, re-execute, terminate, and delete runs of jobs | ❌ | ✅ | ✅ | ✅ | ✅ |
Start and stop schedules | ❌ | ❌ | ✅ | ✅ | ✅ |
Start and stop sensors | ❌ | ❌ | ✅ | ✅ | ✅ |
Wipe assets | ❌ | ❌ | ✅ | ✅ | ✅ |
Launch and cancel backfills | ❌ | ✅ | ✅ | ✅ | ✅ |
Add dynamic partitions | ❌ | ❌ | ✅ | ✅ | ✅ |
Deployment settings are accessed in the UI by navigating to user menu (your icon) > Organization Settings > Deployments.
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
View deployments | ✅ | ✅ | ✅ | ✅ | ✅ |
Modify deployment settings | ❌ | ❌ | ✅ | ✅ | ✅ |
Create, edit, delete environment variables | ❌ | ❌ | ✅ | ✅ | ✅ |
View environment variable values | ❌ | ❌ | ✅ | ✅ | ✅ |
Export environment variables | ❌ | ❌ | ✅ | ✅ | ✅ |
Create and delete deployments | ❌ | ❌ | ❌ | ❌ | ✅ |
Create Branch Deployments | ❌ | ❌ | ✅ | ✅ | ✅ |
Code locations are accessed in the UI by navigating to Deployment > Code locations.
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
View code locations | ✅ | ✅ | ✅ | ✅ | ✅ |
Create and remove code locations | ❌ | ❌ | ✅ | ✅ | ✅ |
Reload code locations and workspaces | ❌ | ❌ | ✅ | ✅ | ✅ |
Agent tokens are accessed in the UI by navigating to user menu (your icon) > Organization Settings > Tokens.
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
View agent tokens | ❌ | ❌ | ❌ | ❌ | ✅ |
Create agent tokens | ❌ | ❌ | ❌ | ❌ | ✅ |
Edit agent tokens | ❌ | ❌ | ❌ | ❌ | ✅ |
Revoke agent tokens | ❌ | ❌ | ❌ | ❌ | ✅ |
User tokens are accessed in the UI by navigating to user menu (your icon) > Organization Settings > Tokens.
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
View and create own user tokens | ✅ | ✅ | ✅ | ✅ | ✅ |
List all user tokens | ❌ | ❌ | ❌ | ❌ | ✅ |
Revoke all user tokens | ❌ | ❌ | ❌ | ❌ | ✅ |
User management is accessed in the UI by navigating to user menu (your icon) > Organization Settings > Users.
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
View users | ✅ | ✅ | ✅ | ✅ | ✅ |
Add users | ❌ | ❌ | ❌ | ✅ | ✅ |
Edit user roles | ❌ | ❌ | ❌ | ❌ | ✅ |
Remove users | ❌ | ❌ | ❌ | ❌ | ✅ |
Team management is accessed in the UI by navigating to user menu (your icon) > Organization Settings > Teams.
Note: Admin users can modify teams only in deployments where they're an Admin.
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
View teams | ✅ | ✅ | ✅ | ✅ | ✅ |
Modify team permissions | ❌ | ❌ | ❌ | ✅ | ✅ |
Create teams | ❌ | ❌ | ❌ | ❌ | ✅ |
Re-name teams | ❌ | ❌ | ❌ | ❌ | ✅ |
Add/remove team members | ❌ | ❌ | ❌ | ❌ | ✅ |
Remove teams | ❌ | ❌ | ❌ | ❌ | ✅ |
Viewer | Launcher | Editor | Admin | Organization Admin | |
---|---|---|---|---|---|
Manage alerts | ❌ | ❌ | ✅ | ✅ | ✅ |
Edit workspace | ❌ | ❌ | ✅ | ✅ | ✅ |
Administer SAML | ❌ | ❌ | ❌ | ❌ | ✅ |
Manage SCIM | ❌ | ❌ | ❌ | ❌ | ✅ |
View usage | ❌ | ❌ | ❌ | ❌ | ✅ |
Manage billing | ❌ | ❌ | ❌ | ❌ | ✅ |
View audit logs | ❌ | ❌ | ❌ | ❌ | ✅ |