This page lists the default permissions for each user role on Astro Private Cloud. To modify these default permissions, see Customize role permissions.
Astro Private Cloud 2.0 adds permissions for config governance on the deployments object (cluster, workspace, and deployment overrides). The APC API checks these permission strings (not the UI label) when you call the GraphQL API. Workspace-scoped users need both a workspace role and the right deployment role when they act in a specific Deployment. System-scoped system.* permissions apply when a user is operating across workspaces or Deployments from a system role binding (for example, a System Admin).
Cluster data plane overrides are updated with updateCluster and the cluster.config.* and system.clusters.update permissions (Cluster Admin and System Admin defaults), not the workspace.* or deployment.deployments.* names listed below. See Override data plane cluster configurations.
The following tables give a high-level comparison of the actions permitted for each user role.
The following sections list the permission values that each role has by default as defined in the Astronomer Helm chart. You can update these permissions in your values.yaml file if you want to change the permissions that each role has. See Customize role permissions.
These lists are also published in YAML form in the Astronomer documentation repository.
The System Viewer has the following permissions by default:
system.airflow.get: View the Airflow UI for any Deployment
system.deployment.variables.get: View environment variables for any Deployment
system.deployments.get: View any setting for any Deployment in the Astro Private Cloud UI
system.deployRevisions.get: Use paginatedDeployRevisions API to view deploy revisions
system.invites.get: View all pending user invites in the System Admin tab of the Astro Private Cloud UI
system.invite.get: View information for any pending user invite
system.monitoring.get: Access to Grafana for system-level monitoring
system.serviceAccounts.get: View service accounts for any Deployment or Workspace
system.updates.get: View the newest platform release version number
system.users.get: View information for any user on the platform, including their email address, the list of Workspaces that user has access to, and their user role
system.workspace.get: View information for any Workspace
system.workspace.deployments.config.get: Read a workspace’s deployments config override when using a system-scoped role binding (same workspaceDeploymentsConfig query with system permissions)
The System Editor has the same default permissions as the System Viewer, plus:
system.adminCount.get: View system admin users
system.deployment.variables.update: Modify environment variables for any Deployment
system.iam.update: Modify IAM roles for any Deployment
system.serviceAccounts.update: Modify service accounts for any Workspace or Deployment
deployment.airflow.user: Airflow user permissions for all Deployments
system.registryBaseImages.push: Modify base layer Docker images for Airflow
system.workspace.deployments.config.update: Update a workspace’s deployments config override from a system context (updateWorkspaceDeploymentsConfig with a system role)
system.deployment.deployments.config.update: Update any Deployment’s deployments config override from a system context (updateDeploymentConfig)
The System Admin has the same default permissions as the System Viewer and System Editor, plus:
system.clusters.register: Register a new data plane cluster
system.clusters.deregister: Deregister (remove) an existing data plane cluster
system.clusters.update: Update data plane cluster configuration or metadata
system.clusters.get: View details and status of any registered data plane cluster
system.cleanupAirflowDb.delete: Clean Deployment task metadata
system.deployments.create: Create a Deployment on any Workspace
system.deployments.update: Modify any Deployment
system.deployments.upsert: Use upsertDeployment API
system.deployments.delete: Delete any Deployment
system.deployments.images.push: Deploy code to any Deployment
system.deployments.logs: View logs for any Deployment
system.deployments.metrics: View metrics for any Deployment
system.invites.get: View pending user invites in all Workspaces
system.serviceAccounts.create: Create a service account at any level
system.serviceAccounts.delete: Delete any service account
system.serviceAccounts.update: Modify any service account
system.teams.remove: Delete any Team
system.user.invite: Invite a user
system.user.delete: Delete a user
system.user.forceDelete: Delete a user that is a part of an IdP team
system.user.verifyEmail: Bypass email verification for any user
system.workspace.delete: Delete any Workspace
system.workspace.update: Modify the name or description of any Workspace
system.airflow.admin: Airflow admin permissions on any Deployment, including permission to configure:
system.workspace.deployments.config.delete: Delete (reset) a workspace’s deployments config override from a system context (deleteWorkspaceDeploymentsConfig)
system.deployment.deployments.config.delete: Delete (reset) any Deployment’s deployments config override from a system context (deleteDeploymentConfig)
The Workspace Viewer has the following default permissions for a given Workspace:
workspace.config.get: View the Workspace
system.deployments.get: View all settings and configuration pages of any Deployment
workspace.serviceAccounts.get: View any Deployment or Workspace-level service account
workspace.users.get: View information for all users with access to the Workspace
workspace.teams.get: View Teams belonging to the Workspace
workspace.taskUsage.get: View task usage in the Workspace
workspace.deployments.config.get: Read the workspace config governance override (workspaceDeploymentsConfig in the APC API)
For a given Workspace, the Workspace Editor has the same default permissions as the Workspace Viewer, plus:
workspace.adminCount.get: View Workspace admin users
workspace.config.update: Modify the Workspace, including Workspace Name, Description, and user access
workspace.deployments.create: Create a Deployment in the Workspace
workspace.deployments.upsert: Use Create Deployment path within the upsertDeployment API
workspace.serviceAccounts.create: Create a Workspace-level service account
workspace.serviceAccounts.update: Modify a Workspace-level service account
workspace.serviceAccounts.delete: Delete a Workspace-level service account
workspace.deployments.config.update: Create or update the workspace’s deployments config override (updateWorkspaceDeploymentsConfig in the APC API)
For a given Workspace, the Workspace Admin has the same default permissions as the Workspace Viewer and Workspace Editor, plus:
workspace.invites.get: View pending user invites for the Workspace
workspace.config.delete: Delete the Workspace
workspace.iam.update: Update IAM for the Workspace
workspace.teams.getAll: View all users in Teams belonging to the Workspace
workspace.users.getAll: View all users in the Workspace
workspace.deployments.config.delete: Delete (reset) the workspace’s deployments config override (deleteWorkspaceDeploymentsConfig in the APC API)
In addition, Workspace Admins have Deployment Admin permissions for all Deployments within the Workspace.
For a given Deployment, a Deployment Viewer has the following permissions:
deployment.airflow.get: View the Airflow UI
deployment.config.get: View the Deployment’s settings
deployment.deployRevisions.get: Use the paginatedDeployRevisions API to view deploy revisions
deployment.logs.get: View the Deployment’s logs
deployment.images.pull: Access the Deployment’s running Docker image
deployment.metrics.get: View the Deployment’s Metrics tab in the Astro Private Cloud UI
deployment.serviceAccounts.get: View any service account for the Deployment
deployment.status.get: View the Deployment’s status
deployment.variables.get: View the Deployment’s environment variables
deployment.users.get: View the list of users with access to the Deployment
deployment.teams.get: View all Teams belonging to the Deployment
deployment.taskUsage.get: View task usage information for the Deployment
For a given Deployment, the Deployment Editor has the same default permissions as the Deployment Viewer, plus:
deployment.adminCount.get: View Deployment admin users
deployment.airflow.user: Airflow user permissions for all Deployments, including modifying task runs and Dag runs
deployment.config.update: Modify the Deployment’s settings
deployment.config.upsert: Use upsertDeployment API
deployment.dags.push: Push Dag-only code deploys to the Deployment using the Astro CLI
deployment.images.push: Push code to the Deployment using the Astro CLI
deployment.images.pull: Pull image from the Deployment using the Astro CLI
deployment.serviceAccounts.create: Create a Deployment-level service account
deployment.serviceAccounts.update: Modify a Deployment-level service account
deployment.serviceAccounts.delete: Delete a Deployment-level service account
deployment.variables.update: Update the Deployment’s environment variables
deployment.deployments.config.update: Create or update the Deployment’s deployments config override (updateDeploymentConfig in the APC API)
For a given Deployment, the Deployment Admin has the same default permissions as the Deployment Viewer and the Deployment Editor, plus:
deployment.airflow.admin: Airflow admin permissions, including permission to configure:
deployment.config.delete: Delete the Deployment
deployment.userRoles.update: Update Deployment-level permissions for users within the Deployment
deployment.teamRoles.update: Update Deployment-level permissions for Teams within the Deployment
deployment.deployments.config.delete: Delete (reset) the Deployment’s deployments config override (deleteDeploymentConfig in the APC API)
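To make the authorization model described at the top concrete (the API checks the permission string, a Workspace-scoped user needs both a Workspace role and a Deployment role, each Editor and Admin role includes the lower roles, and Workspace Admins hold Deployment Admin on every Deployment in the Workspace), here is an added Python example that is not part of the Astronomer documentation, Helm chart or APC API. The role names and the subset of permission strings come from the lists above; the resolution logic is an assumption modeled on those lists, useful for reviewing a role binding before granting it.

```python
"""Resolve a principal's effective Astro Private Cloud permissions from the default
role lists on this page and check a required permission string against them."""
from __future__ import annotations

# Constructed subset of the default permission strings listed above; the full
# lists live in the Astronomer Helm chart values, not here.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "System Viewer": {"system.deployments.get", "system.workspace.get",
                      "system.workspace.deployments.config.get"},
    "System Editor": {"system.workspace.deployments.config.update",
                      "system.deployment.deployments.config.update"},
    "System Admin": {"system.clusters.update", "system.deployments.delete",
                     "system.workspace.deployments.config.delete"},
    "Workspace Viewer": {"workspace.config.get", "workspace.deployments.config.get"},
    "Workspace Editor": {"workspace.deployments.create", "workspace.deployments.config.update"},
    "Workspace Admin": {"workspace.config.delete", "workspace.deployments.config.delete"},
    "Deployment Viewer": {"deployment.config.get", "deployment.logs.get"},
    "Deployment Editor": {"deployment.config.update", "deployment.deployments.config.update"},
    "Deployment Admin": {"deployment.config.delete", "deployment.deployments.config.delete"},
}

# Roles per scope, lowest first: Editor adds to Viewer, Admin adds to both.
ROLE_LADDERS = {
    "system": ["System Viewer", "System Editor", "System Admin"],
    "workspace": ["Workspace Viewer", "Workspace Editor", "Workspace Admin"],
    "deployment": ["Deployment Viewer", "Deployment Editor", "Deployment Admin"],
}


def role_permissions(role: str) -> set[str]:
    """Permissions a role holds by default, including those inherited from lower roles."""
    for ladder in ROLE_LADDERS.values():
        if role in ladder:
            inherited = ladder[: ladder.index(role) + 1]
            return set().union(*(ROLE_PERMISSIONS[r] for r in inherited))
    raise ValueError(f"unknown role: {role}")


def effective_permissions(system_role: str | None = None, workspace_role: str | None = None,
                          deployment_role: str | None = None) -> set[str]:
    """Union of a principal's system, Workspace and Deployment role bindings (assumed model)."""
    perms: set[str] = set()
    if system_role:
        perms |= role_permissions(system_role)
    if workspace_role:
        perms |= role_permissions(workspace_role)
        if workspace_role == "Workspace Admin":
            # Page rule: Workspace Admins hold Deployment Admin on every Deployment in the Workspace.
            perms |= role_permissions("Deployment Admin")
    if deployment_role:
        perms |= role_permissions(deployment_role)
    return perms


def is_allowed(required: str, **bindings: str | None) -> bool:
    """Check the permission string itself, as the API does, not the UI label."""
    return required in effective_permissions(**bindings)
```

A Workspace Editor with no Deployment role cannot update a Deployment's config override, while a Workspace Admin can reset it on any Deployment in the Workspace without a separate Deployment binding.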