Managing users in Dagster Cloud#
This guide is applicable to Dagster Cloud.
In this guide, we'll walk you through adding, removing, and assigning user roles to users in Dagster Cloud.
Adding and removing users#
Organization Admin or Admin permissions are required to add or remove users in Dagster Cloud.
Adding a user#
Before you start, note that:
Users are managed on a per-deployment basis. Organization Admins are the exception and have access to the entire organization.
For example, if you have two full deployments (
prodanddev), users who aren't Organization Admins must be added to each deployment to have access.If using Google for SSO, users must be added in Dagster Cloud before they can log in.
If using a SAML-based solution like Okta, users must be assigned to the Dagster app in the SSO portal to log in. By default, users will be granted Viewer permissions on each deployment. The default role can be adjusted by modifying the
sso_default_roledeployment setting.
To add a new user to a deployment:
Sign in to your Dagster Cloud account.
Click the user menu (your icon) > Cloud Settings.
Fill in the following:
- Email - Enter the user's email address
- Role - Select the user role for the user. Note: With the exception of the Organization Admin role, this role will only apply to the full deployment you're adding the user to.
For example:
Click + Add.
Removing a user#
To remove a user from a deployment:
- Sign in to your Dagster Cloud account.
- Click the user menu (your icon) > Cloud Settings.
- Locate the user in the user list.
- Click Remove.
- When prompted, confirm the removal.
Note: This won't remove users from other deployments. For example, if a user has been added to both prod and dev but only removed in prod, they'll still be a user in dev.
Understanding user permissions#
With the exception of the Organization Admin role, user roles are set on a per-deployment basis and enforced both in Dagster Cloud and the GraphQL API.
Dagster Cloud currently includes support for four levels of role-based access control:
- Viewer - The least permissive role
- Editor
- Admin
- Organization Admin - The most permissive role
| Viewer | Editor | Admin | Organization Admin | |
|---|---|---|---|---|
| GENERAL | ||||
| Launch, re-execute, terminate, and delete runs of jobs | N | Y | Y | Y |
| Start and stop schedules | N | Y | Y | Y |
| Start and stop sensors | N | Y | Y | Y |
| Wipe assets | N | Y | Y | Y |
| Launch and cancel backfills | N | Y | Y | Y |
| DEPLOYMENTS | ||||
| View deployments | Y | Y | Y | Y |
| Create and delete deployments | N | N | N | Y |
| Modify deployments settings | N | Y | Y | Y |
| Create, edit, delete environment variables | N | Y | Y | Y |
| View environment variables values | N | Y | Y | Y |
| Export environment variables | N | Y | Y | Y |
| CODE LOCATIONS | ||||
| View code locations | Y | Y | Y | Y |
| Create and remove code locations | N | Y | Y | Y |
| Reload code locations and workspaces | N | Y | Y | Y |
| AGENT TOKENS | ||||
| View agent tokens | N | Y | Y | Y |
| Create agent tokens | N | Y | Y | Y |
| Edit agent tokens | N | Y | Y | Y |
| Revoke agent tokens | N | Y | Y | Y |
| USER TOKENS | ||||
| View and create own user tokens | N | Y | Y | Y |
| List all user tokens | N | N | Y | Y |
| Revoke all user tokens | N | N | Y | Y |
| USER MANAGEMENT | ||||
| View users | N | Y | Y | Y |
| Create users | N | Y | Y | Y |
| Edit users | N | N | Y | Y |
| Remove users | N | N | Y | Y |
| WORKSPACE ADMINISTRATION | ||||
| Manage alerts | N | Y | Y | Y |
| Edit workspace | N | Y | Y | Y |
| Administer SAML | N | N | N | Y |
| View usage | N | N | N | Y |
| Manage billing | N | N | N | Y |