Ask AI

Understanding role-based access control in Dagster+#

This guide is applicable to Dagster+.

Role-based access control (RBAC) enables you to grant specific permissions to users in your organization, ensuring that Dagster users have access to what they require in Dagster+, and no more.

In this guide, we'll cover how RBAC works in Dagster+, how to assign roles to users, and the granular permissions for each user role.

All roles are enforced both in Dagster+ and the GraphQL API


Dagster+ Pro user roles#

Dagster+ Pro employs a flexible approach to user roles and permissions. This system is built on two fundamental concepts:

  1. Permission scope - Permissions are context-specific, falling into two main categories:
    • Organization-wide settings (for example, "Create Teams")
    • Deployment-specific actions (for example, "Launch and Cancel Backfills")
  2. Role types - Dagster+ supports two types of roles:
    • Default roles: Hierarchical roles, based on sensible defaults provided by Dagster.
    • Custom roles: Roles you define with specific sets of permissions to match your organization's needs.

Teams#

Dagster+ Pro users can create teams of users and assign default permission sets. Refer to the Managing teams in Dagster+ guide for more info.


Creating custom roles#

  1. Navigate to the Organization Settings page.
  2. Click the Roles tab.
  3. Click the Create new role button.
  4. Select a name and icon.
  5. Provide a brief description.
  6. Choose deployment or organization type depending on where you want your role applied.
  7. Select the permissions you want to apply to the role. Note that you can base your role off of an existing role for ease of creation.

Editing custom roles#

  1. Navigate to the Organization Settings page.
  2. Click the Roles tab.
  3. Click the edit button next to the role you want to edit.
  4. Make your changes.
  5. Save your changes.
  6. You will see a confirmation dialog including the changes that have been made.

Deleting custom roles#

If you no longer need a custom role, you can delete it from the edit dialog.

  1. Navigate to the Organization Settings page.
  2. Click the Roles tab.
  3. Click the edit button next to the role you want to delete.
  4. At the bottom of the edit dialog, click Delete role.

Note that if the role is currently assigned to any users, you will need to reassign them to a different role before deleting the role.

Deleting a role is a permanent action and cannot be undone.

Assigning user and team roles#

Organization Admins have access to the entire organization, including all full deployments, code locations, and Branch Deployments.

For custom roles, you will have to define if the role applies to the organization settings, or deployment settings.

LevelPlanDescription
DeploymentAll plansDefines the level of access for a given deployment. Roles set at this level will be the default role for the user or team for all code locations in the deployment.

Note: Granting access to a deployment grants a minimum of Viewer access to all code locations. Preventing access for specific code locations isn't currently supported. Additionally, having access to a deployment doesn't grant access to Branch Deployments - those permissions must be granted separately.
Code locationProDefines the level of access for a given code location in a deployment.

Dagster+ Pro users can override the default deployment-level role for individual code locations. For example, if the Deployment role is Launcher, you could override this role with a more permissive role, such as Editor or Admin.

For non-Pro users, users will have the same level of access for all code locations in a deployment.
Branch deploymentsAll plansDefines the level of access for all Branch Deployments in the code locations the user or team has access to.

Applying role overrides#

This section is applicable to Dagster+ Pro plans.

As previously mentioned, you can define individual user roles for users in your organization. You can also apply permission overrides to grant specific exceptions.

Overrides may be used to apply a more permissive role. If, for example, the default role is Admin or Organization Admin, overrides will be disabled as these are the most permissive roles.

Code locations#

To override a code location role for an individual user:

  1. Locate the user in the list of users.
  2. Click Edit.
  3. Click the toggle to the left of the deployment to open a list of code locations.
  4. Next to a code location, click Edit user role.
  5. Select the user role for the code location: Overriding the Viewer user role for a code location
  6. Click Save.

Team members#

Users in your organization can belong to one or more teams. When determining a user's level of access, Dagster+ will use the most permissive role assigned to the user between all of their team memberships and any individual role grants.

For example, let's look at a user with the following roles for our dev deployment:

  • Team 1: Launcher
  • Team 2: Viewer
  • Individual: Viewer

In this example, the user would have Launcher access to the prod deployment. This is because the Launcher role is more permissive than Viewer.

The above also applies to code locations and Branch Deployment roles.

Viewing overrides#

To view deployment-level overrides for a specific user, locate the user on the Users page and hover over a deployment:

Deployment overrides popup in Dagster+

If there are code location-level overrides, a small N override(s) link will display beneath the user's deployment role. Hover over it to display the list of overrides:

Code location overrides popup in Dagster+

Removing overrides#

  1. Locate the user in the list of users.
  2. Click Edit.
  3. To remove an override:
    • For a deployment, click Edit user role next to the deployment.
    • For a code location, click the toggle next to the deployment to display a list of code locations. Click Edit user role next to the code location.
  4. Click the Remove override button.
  5. Click Save.

User permissions reference#

General#

 ViewerLauncherEditorAdminOrganization
Admin
View runs of jobs
Launch, re-execute, terminate, and delete runs of jobs
Start and stop schedules
Start and stop sensors
Wipe assets
Launch and cancel backfills
Add dynamic partitions

Deployments#

Deployment settings are accessed in the UI by navigating to user menu (your icon) > Organization Settings > Deployments.

 ViewerLauncherEditorAdminOrganization
Admin
View deployments
Modify deployment settings
Create, edit, delete environment variables
View environment variable values
Export environment variables
Create and delete deployments
Create Branch Deployments

Code locations#

Code locations are accessed in the UI by navigating to Deployment > Code locations.

 ViewerLauncherEditorAdminOrganization
Admin
View code locations
Create and remove code locations
Reload code locations and workspaces

Agent tokens#

Agent tokens are accessed in the UI by navigating to user menu (your icon) > Organization Settings > Tokens.

 ViewerLauncherEditorAdminOrganization
Admin
View agent tokens
Create agent tokens
Edit agent tokens
Revoke agent tokens

User tokens#

User tokens are accessed in the UI by navigating to user menu (your icon) > Organization Settings > Tokens.

 ViewerLauncherEditorAdminOrganization
Admin
View and create own user tokens
List all user tokens
Revoke all user tokens

Users#

User management is accessed in the UI by navigating to user menu (your icon) > Organization Settings > Users.

 ViewerLauncherEditorAdminOrganization
Admin
View users
Add users
Edit user roles
Remove users

Teams#

Team management is accessed in the UI by navigating to user menu (your icon) > Organization Settings > Teams.

Note: Admin users can modify teams only in deployments where they're an Admin.

 ViewerLauncherEditorAdminOrganization
Admin
View teams
Modify team permissions
Create teams
Re-name teams
Add/remove team members
Remove teams

Workspace administration#

 ViewerLauncherEditorAdminOrganization
Admin
Manage alerts
Edit workspace
Administer SAML
Manage SCIM
View usage
Manage billing
View audit logs