User and Service Account Roles ¶
Prefect Cloud's Pro and Custom tiers allow you to set team member access to the appropriate level within specific workspaces.
Role-based access controls (RBAC) enable you to assign users granular permissions to perform certain activities.
To give users access to functionality beyond the scope of Prefect’s built-in workspace roles, Custom account Admins can create custom roles for users.
Built-in roles¶
Roles give users abilities at either the account level or at the individual workspace level.
- An account-level role defines a user's default permissions within an account.
- A workspace-level role defines a user's permissions within a specific workspace.
The following sections outline the abilities of the built-in, Prefect-defined account and workspace roles.
Account-level roles¶
The following built-in roles have permissions across an account in Prefect Cloud.
Role | Abilities |
---|---|
Owner | • Set/change all account profile settings allowed to be set/changed by a Prefect user. • Add and remove account members, and their account roles. • Create and delete service accounts in the account. • Create workspaces in the account. • Implicit workspace owner access on all workspaces in the account. • Bypass SSO. |
Admin | • Set/change all account profile settings allowed to be set/changed by a Prefect user. • Add and remove account members, and their account roles. • Create and delete service accounts in the account. • Create workspaces in the account. • Implicit workspace owner access on all workspaces in the account. • Cannot bypass SSO. |
Member | • View account profile settings. • View workspaces they have access to in the account. • View account members and their roles. • View service accounts in the account. |
Workspace-level roles¶
The following built-in roles have permissions within a given workspace in Prefect Cloud.
Role | Abilities |
---|---|
Viewer | • View flow runs within a workspace. • View deployments within a workspace. • View all work pools within a workspace. • View all blocks within a workspace. • View all automations within a workspace. • View workspace handle and description. |
Runner | All Viewer abilities, plus: • Run deployments within a workspace. |
Developer | All Runner abilities, plus: • Run flows within a workspace. • Delete flow runs within a workspace. • Create, edit, and delete deployments within a workspace. • Create, edit, and delete work pools within a workspace. • Create, edit, and delete all blocks and their secrets within a workspace. • Create, edit, and delete automations within a workspace. • View all workspace settings. |
Owner | All Developer abilities, plus: • Add and remove account members, and set their role within a workspace. • Set the workspace’s default workspace role for all users in the account. • Set, view, edit workspace settings. |
Worker | The minimum scopes required for a worker to poll for and submit work. |
Custom workspace roles¶
The built-in roles will serve the needs of most users, but your team may need to configure custom roles, giving users access to specific permissions within a workspace.
Custom roles can inherit permissions from a built-in role. This enables tweaks to the role to meet your team’s needs, while ensuring users can still benefit from Prefect’s default workspace role permission curation as new functionality becomes available.
Custom workspace roles can also be created independent of Prefect’s built-in roles. This option gives workspace admins full control of user access to workspace functionality. However, for non-inherited custom roles, the workspace admin takes on the responsibility for monitoring and setting permissions for new functionality as it is released.
See Role permissions for details of permissions you may set for custom roles.
After you create a new role, it becomes available in the account Members page and the Workspace Sharing page for you to apply to users.
Inherited roles¶
A custom role may be configured as an Inherited Role. Using an inherited role allows you to create a custom role using a set of initial permissions associated with a built-in Prefect role. Additional permissions can be added to the custom role. Permissions included in the inherited role cannot be removed.
Custom roles created using an inherited role will follow Prefect's default workspace role permission curation as new functionality becomes available.
To configure an inherited role when configuring a custom role, select the Inherit permission from a default role check box, then select the role from which the new role should inherit permissions.
Workspace role permissions¶
The following permissions are available for custom roles.
Automations¶
Permission | Description |
---|---|
View automations | User can see configured automations within a workspace. |
Create, edit, and delete automations | User can create, edit, and delete automations within a workspace. Includes permissions of View automations. |
Blocks¶
Permission | Description |
---|---|
View blocks | User can see configured blocks within a workspace. |
View secret block data | User can see configured blocks and their secrets within a workspace. Includes permissions of View blocks. |
Create, edit, and delete blocks | User can create, edit, and delete blocks within a workspace. Includes permissions of View blocks and View secret block data. |
Deployments¶
Permission | Description |
---|---|
View deployments | User can see configured deployments within a workspace. |
Run deployments | User can run deployments within a workspace. This does not give a user permission to execute the flow associated with the deployment. This only gives a user (via their key) the ability to run a deployment — another user/key must actually execute that flow, such as a service account with an appropriate role. Includes permissions of View deployments. |
Create and edit deployments | User can create and edit deployments within a workspace. Includes permissions of View deployments and Run deployments. |
Delete deployments | User can delete deployments within a workspace. Includes permissions of View deployments, Run deployments, and Create and edit deployments. |
Flows¶
Permission | Description |
---|---|
View flows and flow runs | User can see flows and flow runs within a workspace. |
Create, update, and delete saved search filters | User can create, update, and delete saved flow run search filters configured within a workspace. Includes permissions of View flows and flow runs. |
Create, update, and run flows | User can create, update, and run flows within a workspace. Includes permissions of View flows and flow runs. |
Delete flows | User can delete flows within a workspace. Includes permissions of View flows and flow runs and Create, update, and run flows. |
Notifications¶
Permission | Description |
---|---|
View notification policies | User can see notification policies configured within a workspace. |
Create and edit notification policies | User can create and edit notification policies configured within a workspace. Includes permissions of View notification policies. |
Delete notification policies | User can delete notification policies configured within a workspace. Includes permissions of View notification policies and Create and edit notification policies. |
Task run concurrency¶
Permission | Description |
---|---|
View concurrency limits | User can see configured task run concurrency limits within a workspace. |
Create, edit, and delete concurrency limits | User can create, edit, and delete task run concurrency limits within a workspace. Includes permissions of View concurrency limits. |
Work pools¶
Permission | Description |
---|---|
View work pools | User can see work pools configured within a workspace. |
Create, edit, and pause work pools | User can create, edit, and pause work pools configured within a workspace. Includes permissions of View work pools. |
Delete work pools | User can delete work pools configured within a workspace. Includes permissions of View work pools and Create, edit, and pause work pools. |
Workspace management¶
Permission | Description |
---|---|
View information about workspace service accounts | User can see service accounts configured within a workspace. |
View information about workspace users | User can see user accounts for users invited to the workspace. |
View workspace settings | User can see settings configured within a workspace. |
Edit workspace settings | User can edit settings for a workspace. Includes permissions of View workspace settings. |
Delete the workspace | User can delete a workspace. Includes permissions of View workspace settings and Edit workspace settings. |
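
The "Includes permissions of" notes in the tables above mean a custom role can hold more than the permissions that were ticked, most notably read access to block secrets. The following is an added example, not Prefect code or a Prefect API: it models those implications for four of the tables and reviews a proposed custom role. The names `INCLUDES`, `SENSITIVE`, `effective` and `review_role` are hypothetical.

```python
# Direct "Includes permissions of" edges transcribed from the Blocks,
# Deployments, Flows and Work pools tables (transitive ones are derived).
INCLUDES = {
    "View secret block data": {"View blocks"},
    "Create, edit, and delete blocks": {"View secret block data"},
    "Run deployments": {"View deployments"},
    "Create and edit deployments": {"Run deployments"},
    "Delete deployments": {"Create and edit deployments"},
    "Create, update, and run flows": {"View flows and flow runs"},
    "Delete flows": {"Create, update, and run flows"},
    "Create, edit, and pause work pools": {"View work pools"},
    "Delete work pools": {"Create, edit, and pause work pools"},
}
SENSITIVE = {"View secret block data"}  # assumption: what this review flags


def effective(granted):
    """Expand a grant list to everything it implies (transitive closure)."""
    seen, stack = set(), list(granted)
    while stack:
        perm = stack.pop()
        if perm not in seen:
            seen.add(perm)
            stack.extend(INCLUDES.get(perm, ()))
    return seen


def review_role(granted, inherited=()):
    """Return (effective permissions, findings); `inherited` is the base role's set."""
    base = effective(inherited)
    total = effective(granted) | base
    findings = []
    for perm in sorted(SENSITIVE & total):
        if perm not in granted:  # held without being ticked explicitly
            via = sorted(g for g in granted if perm in effective([g]))
            source = ", ".join(via) if via else "the inherited role"
            findings.append(f"{perm!r} is implied by: {source}")
    redundant = sorted(g for g in granted if g in base)
    if redundant:  # inherited permissions cannot be removed from the custom role
        findings.append(f"already inherited, cannot be removed: {redundant}")
    return total, findings


if __name__ == "__main__":
    # Constructed proposal: a role intended only to manage block definitions.
    total, findings = review_role(["Create, edit, and delete blocks", "Run deployments"])
    print(sorted(total))
    print(findings)
```
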