To better protect your data pipelines and cloud infrastructure, Astro offers role-based access control for Organizations and Workspaces. Each Astro user has a Workspace role in each Workspace they belong to, plus a single Organization role. Role-based access control is not available for Deployments.
An Organization role grants a user some level of access to an Astro Organization, including all of the Workspaces within that Organization. All users have an Organization role regardless of whether they belong to a Workspace. The following table lists the available Organization roles:
|Permission||Organization Member||Organization Billing Admin||Organization Owner|
|View Organization details and user membership||✔️||✔️||✔️|
|View lineage data in the Lineage tab||✔️||✔️||✔️|
|Create a new Workspace||✔️||✔️||✔️|
|Update Organization billing information and settings||✔️||✔️|
|View usage for all Workspaces in the Usage tab||✔️||✔️|
|Workspace Admin permissions to all Workspaces||✔️|
|Update roles and permissions of existing Organization users||✔️|
|Invite a new user to an Organization||✔️|
|Remove a user from an Organization||✔️|
Update Organization roles
- In the Cloud UI, click the People tab.
- Find the user in the table and click Edit. The Members table lists all users that have been added to a Workspace in your Organization. If you can't find a user, it might be because they haven't been invited to a Workspace or accepted their invite.
A Workspace role grants a user some level of access to a specific Workspace. The following table lists the available Workspace roles:
|Permission||Workspace Viewer||Workspace Editor||Workspace Admin|
|View Workspace users||✔️||✔️||✔️|
|View all Deployments in the Cloud UI||✔️||✔️||✔️|
|View DAGs in the Airflow UI||✔️||✔️||✔️|
|View Airflow task logs||✔️||✔️||✔️|
|View Astro Cloud IDE projects||✔️||✔️||✔️|
|Update Deployment configurations||✔️||✔️|
|Manually trigger DAG and task runs||✔️||✔️|
|Pause or unpause a DAG||✔️||✔️|
|Clear/mark a task instance or DAG run||✔️||✔️|
|Push code to Deployments||✔️||✔️|
|Create and Delete Deployments||✔️||✔️|
|Create, Update and Delete Environment Variables||✔️||✔️|
|Create, update, and delete Astro Cloud IDE projects||✔️||✔️|
|Create, Update and Delete API Keys||✔️|
|View Airflow connections and Variables||✔️|
|Update user roles and permissions||✔️|
|Update Airflow connections and Variables||✔️|
|Invite users to a Workspace||✔️|
Update Workspace roles
Workspace Admins can set user roles on the Access tab in the Cloud UI. See Manage Workspaces.
If a user changes Workspace roles, it can take a maximum of 10 minutes for corresponding Airflow permission changes to take effect.