Managing users and permissions in Dagster Cloud#

This guide is applicable to Dagster Cloud.

Users in Dagster Cloud can be granted specific permissions what they can and cannot do in your organization. Granularly assigning permissions to users ensures that the right people have appropriate access to what they require in Dagster Cloud, and no more.

In this guide, we'll cover the available user roles, how permissions are assigned, and how to add and remove users in your organization.

Understanding user roles#

User roles#

Dagster Cloud supports five user roles for several levels of role-based access control:

Role	Plan	Description
Viewer	Enterprise	The least permissive role. Grants view access to most things in a deployment, with some exceptions. Refer to the User role permissions tab for more info.
Launcher	Enterprise	Includes all Viewer permissions and the ability to launch and terminate runs.
Editor	All plans	Includes all Launcher permissions and the ability to: Manage sensors and schedules Launch and cancel backfills Manage environment variables Manage code locations Manage agents and alerts Manage own user tokens
Admin	All plans	Includes all Editor permissions and the ability to: Add and edit users Manage and revoke others' user tokens
Organization Admin	All plans	The most permissive role. Includes all Admin permissions and the ability to: Create and delete deployments Administer SAML Remove users View account usage Manage billing

Click the User role permissions tab to view all granular permissions for each user role.

	Viewer	Launcher	Editor	Admin	Organization Admin
GENERAL
View runs of jobs	✅	✅	✅	✅	✅
Launch, re-execute, terminate, and delete runs of jobs	❌	✅	✅	✅	✅
Start and stop schedules	❌	❌	✅	✅	✅
Start and stop sensors	❌	❌	✅	✅	✅
Wipe assets	❌	❌	✅	✅	✅
Launch and cancel backfills	❌	❌	✅	✅	✅
DEPLOYMENTS
View deployments	✅	✅	✅	✅	✅
Modify deployment settings	❌	❌	✅	✅	✅
Create, edit, delete environment variables	❌	❌	✅	✅	✅
View environment variable values	❌	❌	✅	✅	✅
Export environment variables	❌	❌	✅	✅	✅
Create and delete deployments	❌	❌	❌	❌	✅
CODE LOCATIONS
View code locations	✅	✅	✅	✅	✅
Create and remove code locations	❌	❌	✅	✅	✅
Reload code locations and workspaces	❌	❌	✅	✅	✅
AGENT TOKENS
View agent tokens	❌	❌	✅	✅	✅
Create agent tokens	❌	❌	✅	✅	✅
Edit agent tokens	❌	❌	✅	✅	✅
Revoke agent tokens	❌	❌	✅	✅	✅
USER TOKENS
View and create own user tokens	❌	❌	✅	✅	✅
List all user tokens	❌	❌	❌	✅	✅
Revoke all user tokens	❌	❌	❌	✅	✅
USER MANAGEMENT
View users	✅	✅	✅	✅	✅
Add users	❌	❌	❌	✅	✅
Edit users	❌	❌	❌	❌	✅
Remove users	❌	❌	❌	❌	✅
WORKSPACE ADMINISTRATION
Manage alerts	❌	❌	✅	✅	✅
Edit workspace	❌	❌	✅	✅	✅
Administer SAML	❌	❌	❌	❌	✅
View usage	❌	❌	❌	❌	✅
Manage billing	❌	❌	❌	❌	✅

Assigning user roles#

All user roles are enforced both in Dagster Cloud and the GraphQL API. With the exception of the Organization Admin role, user roles are set on a per-deployment basis. Organization Admins have access to the entire organization, including all full deployments, code locations, and Branch Deployments.

Deployment permissions#

All Dagster Cloud accounts - Enterprise plan or not - can set permissions at the deployment level. When defined, the selected user role will be used as the default for all code locations contained in the deployment.

For example, if a user is assigned the Editor user role for a deployment, they'll also be an Editor for all code locations in the deployment:

Default Editor user role for prod code locations

For Dagster Cloud Enterprise users, default user roles can be overridden at the code location level. For non-Enterprise users, the user will have the same level of access for all code locations in the deployment.

Note: Having access to a deployment doesn't automatically grant access to Branch Deployments. Branch deployment permissions must be granted separately.

Code location permissions#

Code location permissions are a Dagster Cloud Enterprise feature.

Dagster Cloud Enterprise users can override the deployment-level user role by setting permissions at the code location level. Overrides can only be performed if:

The user is not Organization Admin, and
The current user role for the deployment is Viewer or Launcher

For example, if a user is assigned the Viewer user role for a deployment, only a more permissive role can be assigned for a code location in the deployment. Specifically, an Editor or Launcher user role:

Overriding the Viewer user role for a code location

If a user is an Organization Admin or a deployment-level Admin or Editor, they already have the most permissive user role possible for the code location. In this case, an override is unnecessary and the Edit user role button next to the code location will be disabled:

Override for a code location not allowed

To remove an override, click Edit user role next to the code location to open the user role selection dialog. Then, click the Remove override button:

Removing the override for a code location

Branch deployment permissions#

Granting access to Branch Deployments gives users access to all Branch Deployments for all the code locations they have access to. Consider the following example:

User roles for prod, staging, and all Branch Deployments

In this case, the user would have Editor access to Branch Deployments for all code locations in the prod deployment, but not in staging. This is because they're a Viewer for the code locations in the prod deployment, but they don't have access to the staging deployment or any of its code locations.

Adding users#

Organization Admin or Admin permissions are required to add users in Dagster Cloud.

Before you start, note that:

If using Google for SSO, users must be added in Dagster Cloud before they can log in.
If using a SAML-based solution like Okta, users must be assigned to the Dagster app in the SSO portal to log in. By default, users will be granted Viewer permissions on each deployment. The default role can be adjusted by modifying the sso_default_role deployment setting.

Sign in to your Dagster Cloud account.
Click the user menu (your icon) > Cloud Settings.
Click the Users tab.
In the Enter an email... field, enter the user's email address.
Click Add user. The user will be added to the list of users.
In the window that displays, select the appropriate user role for each deployment. Note: For Admins, you can only set permissions for deployments where you're an Admin:
1. Next to a deployment, click Edit user role.
2. Select the user role for the deployment. This user role will be used as the default for all code locations in the deployment.
3. Click Save.
4. Enterprise only: To set permissions for individual code locations in a deployment:
  1. Click the toggle to the left of the deployment to open a list of code locations.
  2. Next to a code location, click Edit user role.
  3. Select the user role for the code location.
  4. Click Save.
Repeat step 6 for each deployment.
Optional: To change the user's permissions for branch deployments:
1. Next to All branch deployments, click Edit user role.
2. Select the user role to use for all branch deployments.
3. Click Save.
Click Done.

Removing users#

Organization Admin permissions are required to remove users in Dagster Cloud.

Removing a user removes them from the organization. Note: If using a SAML-based SSO solution like Okta, you'll also need to remove the user from the Identity Provider (IdP). Removing the user in Dagster Cloud doesn't remove them from the IdP.

Sign in to your Dagster Cloud account.
Click the user menu (your icon) > Cloud Settings.
Click the Users tab.
Locate the user in the user list.
Click Edit.
Click Remove user.
When prompted, confirm the removal.