This is where you’ll find information about Astro Private Cloud default user role permissions. To modify these default permissions, see Customize role permissions.
The following tables summarize the default actions that each user role can currently view or perform in Astro Private Cloud. In a few cases, read-only views don’t map one-to-one to a single permission value in the lists later in this page. Service accounts also differ from user accounts in a few important ways, which are documented later in this page.
The following sections list the default permission values for each role. Some read-only views in the comparison tables above don’t map to a separate permission value in the role lists below. The USER role and the service account comparison later in this page explain the remaining differences. You can update these permissions in your values.yaml file if you want to change the permissions that each role has. See Customize role permissions.
These lists are also published in YAML form in the Astronomer documentation repository.
The System Viewer has Workspace Viewer and Deployment Viewer access across the platform, plus the following system-scoped permissions by default:
system.airflow.get: View the Airflow UI for any Deployment
system.deployment.variables.get: View environment variables for any Deployment
system.deployments.get: View any setting for any Deployment in the Astro Private Cloud UI
system.deployRevisions.get: Use paginatedDeployRevisions API to view deploy revisions
system.invite.get: View information for any pending user invite
system.monitoring.get: Access to Grafana for system-level monitoring
system.serviceAccounts.get: View service accounts for any Deployment or Workspace
system.updates.get: View the newest platform release version number
system.users.get: View information for any user on the platform, including their email address, the list of Workspaces that user has access to, and their user role
system.teams.get: View Teams across the platform
system.workspace.get: View information for any Workspace
system.airflow.viewer: Enable system viewer capabilities in the Astro Private Cloud UI
system.taskUsage.get: View task usage for any Deployment
system.deployments.logs: View logs for any Deployment
system.deployments.metrics: View metrics for any Deployment
system.deployments.status: View status for any Deployment
The System Editor has the same system-scoped permissions as the System Viewer and also inherits Workspace Editor and Deployment Editor access across the platform. In addition, it has:
system.adminCount.get: View system admin users
system.deployment.variables.update: Modify environment variables for any Deployment
system.serviceAccounts.update: Modify service accounts for any Workspace or Deployment
system.airflow.user: Airflow user permissions for all Deployments
system.registryBaseImages.push: Modify base layer Docker images for Airflow
The System Admin has the same system-scoped permissions as the System Viewer and System Editor and also inherits Workspace Admin and Deployment Admin access across the platform. In addition, it has:
system.clusters.register: Register a new data plane cluster
system.clusters.deregister: Deregister (remove) an existing data plane cluster
system.clusters.update: Update data plane cluster configuration or metadata
system.clusters.get: View details and status of any registered data plane cluster
system.cleanupAirflowDb.delete: Clean Deployment task metadata
system.iam.update: Update IAM for any Workspace
system.deployments.create: Create a Deployment on any Workspace
system.deployments.update: Modify any Deployment
system.deployments.upsert: Use upsertDeployment API
system.deployments.delete: Delete any Deployment
system.deployments.images.push: Deploy code to any Deployment
system.deployments.dags.push: Push Dag-only code to any Deployment
system.invites.get: View pending user invites in all Workspaces
system.serviceAccounts.create: Create a service account at any level
system.serviceAccounts.delete: Delete any service account
system.teams.create: Create any Team
system.teams.update: Update any Team
system.teams.remove: Delete any Team
system.user.invite: Invite a user
system.user.delete: Delete a user
system.user.forceDelete: Delete a user that is a part of an IDP team
system.user.verifyEmail: Bypass email verification for any user
system.workspace.delete: Delete any Workspace
system.workspace.update: Modify the name or description of any Workspace
system.cleanupDeployRevisions.delete: Clean Deployment deploy revision history
system.airflow.admin: Airflow admin permissions on any Deployment, including permission to configure:
All authenticated users and service accounts receive the USER role by default. This role has the following permissions:
system.workspace.create: Create a Workspace
system.getEmailById: Use the email API
system.getDeploymentById: Use the deployment API
Service accounts can have broader Deployment-level access than users with the same Workspace-level role. This difference doesn’t appear as separate permission keys in the default role lists on this page.
Assume that a user account and a service account both have the Workspace Editor role in the same Workspace.
The user account can create Deployments in that Workspace, but it doesn’t automatically receive Deployment Editor access to every Deployment in the Workspace.
The service account automatically receives Deployment Editor access to every Deployment in that Workspace.
If you explicitly assign that service account the Deployment Viewer role on one Deployment, the explicit Deployment Viewer role applies on that Deployment instead of the automatically derived Deployment Editor role.
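The derivation above can be checked mechanically when reviewing role assignments. The following Python sketch is an added example, not Astronomer code: it computes the effective Deployment role for a principal and lists service accounts that hold Editor-level access only through derivation. The `Principal` data model, the sample names, and the treatment of the Workspace Admin rule (stated later on this page) as not narrowed by an explicit role are assumptions.

```python
# Added example: effective Deployment role under the defaults on this page.
# Role names are the display names used here; the data model is hypothetical.
from dataclasses import dataclass, field

RANK = {"Deployment Viewer": 1, "Deployment Editor": 2, "Deployment Admin": 3}

@dataclass
class Principal:
    name: str
    kind: str                       # "user" or "service_account"
    workspace_role: str             # e.g. "Workspace Editor"
    explicit: dict = field(default_factory=dict)  # deployment -> Deployment role

def effective_deployment_role(p, deployment):
    """Return the Deployment role p holds on one Deployment, or None."""
    # Workspace Admins have Deployment Admin on every Deployment in the
    # Workspace. Assumption: an explicit role does not narrow this grant.
    if p.workspace_role == "Workspace Admin":
        return "Deployment Admin"
    # An explicitly assigned Deployment role applies instead of a derived one.
    if deployment in p.explicit:
        return p.explicit[deployment]
    # Only service accounts derive Deployment Editor from Workspace Editor.
    if p.kind == "service_account" and p.workspace_role == "Workspace Editor":
        return "Deployment Editor"
    return None

def can_write(p, deployment):
    """True at Deployment Editor or above, the level that includes
    deployment.images.push and deployment.variables.update."""
    role = effective_deployment_role(p, deployment)
    return role is not None and RANK[role] >= RANK["Deployment Editor"]

def audit(principals, deployments):
    """Pairs where a service account can write to a Deployment without an
    explicit Deployment role, i.e. purely through derivation."""
    return [(p.name, d) for p in principals for d in deployments
            if p.kind == "service_account" and d not in p.explicit
            and can_write(p, d)]

# Constructed sample data.
DEPLOYMENTS = ["etl-prod", "etl-dev"]
PRINCIPALS = [
    Principal("alice", "user", "Workspace Editor"),
    Principal("ci-bot", "service_account", "Workspace Editor",
              {"etl-prod": "Deployment Viewer"}),
]

if __name__ == "__main__":
    print(audit(PRINCIPALS, DEPLOYMENTS))
```

Each pair the audit returns is a Deployment where pinning an explicit Deployment Viewer role on the service account would reduce its access.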
The Workspace Viewer has the following default permissions for a given Workspace:
workspace.config.get: View the Workspace
workspace.deployments.get: View all settings and configuration pages of any Deployment
workspace.serviceAccounts.get: View any Deployment or Workspace-level service account
workspace.users.get: View information for all users with access to the Workspace
workspace.teams.get: View Teams belonging to the Workspace
workspace.taskUsage.get: View task usage in the Workspace
For a given Workspace, the Workspace Editor has the same default permissions as the Workspace Viewer, plus:
workspace.adminCount.get: View Workspace admin users
workspace.config.update: Modify the Workspace, including Workspace Name, Description, and user access
workspace.deployments.create: Create a Deployment in the Workspace
workspace.deployments.upsert: Use Create Deployment path within the upsertDeployment API
workspace.serviceAccounts.create: Create a Workspace-level service account
workspace.serviceAccounts.update: Modify a Workspace-level service account
workspace.serviceAccounts.delete: Delete a Workspace-level service account
For a given Workspace, the Workspace Admin has the same default permissions as the Workspace Viewer and Workspace Editor, plus:
workspace.invites.get: View pending user invites for the Workspace
workspace.config.delete: Delete the Workspace
workspace.iam.update: Update IAM for the Workspace
workspace.teams.getAll: View all users in Teams belonging to the Workspace
workspace.users.getAll: View all users in the Workspace
In addition, Workspace Admins have Deployment Admin permissions for all Deployments within the Workspace.
For a given Deployment, a Deployment Viewer has the following permissions:
deployment.airflow.get: View the Airflow UI
deployment.config.get: View the Deployment’s settings
deployment.deployRevisions.get: Use the paginatedDeployRevisions API to view deploy revisions
deployment.logs.get: View the Deployment’s logs
deployment.images.pull: Access the Deployment’s running Docker image
deployment.metrics.get: View the Deployment’s Metrics tab in the Astro Private Cloud UI
deployment.serviceAccounts.get: View any service account for the Deployment
deployment.status.get: View the Deployment’s status
deployment.variables.get: View the Deployment’s environment variables
deployment.users.get: View the list of users with access to the Deployment
deployment.teams.get: View all Teams belonging to the Deployment
deployment.taskUsage.get: View task usage information for the Deployment
For a given Deployment, the Deployment Editor has the same default permissions as the Deployment Viewer, plus:
deployment.adminCount.get: View Deployment admin users
deployment.airflow.user: Airflow user permissions for all Deployments, including modifying task runs and Dag runs
deployment.config.update: Modify the Deployment’s settings
deployment.config.upsert: Use upsertDeployment API
deployment.dags.push: Push dag-only code deploys to the Deployment using the Astro CLI
deployment.images.push: Push code to the Deployment using the Astro CLI
deployment.images.pull: Pull image from the Deployment using the Astro CLI
deployment.serviceAccounts.create: Create a Deployment-level service account
deployment.serviceAccounts.update: Modify a Deployment-level service account
deployment.serviceAccounts.delete: Delete a Deployment-level service account
deployment.variables.update: Update the Deployment’s environment variables
For a given Deployment, the Deployment Admin has the same default permissions as the Deployment Viewer and the Deployment Editor, plus:
deployment.airflow.admin: Airflow admin permissions, including permission to configure:
deployment.config.delete: Delete the Deployment
deployment.userRoles.update: Update Deployment-level permissions for users within the Deployment
deployment.teamRoles.update: Update Deployment-level permissions for Teams within the Deployment