For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
        • Organization users
        • Workspace users
        • Teams
        • Set up SSO
        • Set up IP Access List
        • Set up SCIM provisioning
        • Manage domains
        • User permissions reference
        • Dag-level access control
      • Billing
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Organization roles
  • Enhanced Support Access
  • Workspace roles
  • Deployment roles
  • Dag roles
  • Permissions reference
  • Workspace role permissions
  • Deployment Admin permissions
  • Relationship between user roles and Team roles
AdministrationUser access

Astro user permissions reference

Edit this page
Built with

To better protect your data pipelines and cloud infrastructure, Astro provides role-based access control (RBAC) for Organizations and Workspaces. Each Astro user has a Workspace role in each Workspace they belong to, plus a single Organization role. Users can also belong to Teams, which apply the same Workspace role to a group of users. RBAC is also available for Deployments through Deployment Admin and custom Deployment roles. For Deployments running Astro Runtime 3.1-12 or later, Dag-level roles provide fine-grained access control for individual Dags within a Deployment. See Dag-level access control.

You can also apply roles to API tokens to limit the scope of their actions in CI/CD and automation pipelines. See Manage Deployments as code.

Astro has hierarchical RBAC. Within a given Workspace or Organization, senior roles have their own permissions in addition to the permissions granted to lower roles. For example, a user or API token with Organization Owner permissions inherits Organization Billing Admin and Organization Member permissions because those roles are lower in the hierarchy.

The Astro role hierarchies in order of inheritance are:

  • Organization Owner > Organization Billing Admin > Organization Observe Admin > Organization Observe Member > Organization Member
  • Workspace Owner > Workspace Operator > Workspace Author > Workspace Member > Workspace Accessor (Preview)

Additionally, Organization Owners inherit Workspace Owner permissions for all Workspaces in the Organization.

Organization roles

An Organization role grants a user or API token some level of access to an Astro Organization. The Organization Owner role includes access to all of the Workspaces within that Organization. All users have at least an Organization Member role regardless of whether they belong to a Workspace, however, an API token’s access is based on the scope you define for it. For example, you must give an API token an organization owner role to perform Organization-level actions or to access the list of all Workspaces in the Organization.

Developer plans are limited to two non Organization Owner users. See pricing.

The following table lists the available Organization roles:

PermissionMemberObserve MemberObserve AdminBilling AdminOwner
View Organization details and user membership✔️✔️✔️✔️✔️
View lineage metadata in the Lineage tab✔️✔️✔️✔️✔️
View clusters✔️✔️✔️✔️✔️
View Data Products, SLAs, connections, and monitors in Observe✔️✔️✔️✔️✔️
View Observe notification channels and alerts for their Workspaces✔️✔️✔️✔️
Create, update, and delete Data Products✔️✔️✔️✔️
Create, update, and delete Data Product SLAs✔️✔️✔️✔️
Create, update, and delete notification channels✔️✔️✔️
Update Organization billing information and settings✔️✔️
View usage for all Workspaces in the Usage tab✔️✔️
View Organization-level metrics dashboards on the Dashboards page✔️✔️
Create, update, and delete clusters✔️
Create a new Workspace✔️
Workspace Owner permissions to all Workspaces✔️
Update roles and permissions of existing Organization users✔️
Invite a new user to an Organization✔️
Remove a user from an Organization✔️
Create, update, and delete Organization API tokens✔️
Export audit logs✔️
Access, regenerate, and delete single sign-on (SSO) bypass links✔️
Create, update, and delete a Team✔️
Configure environment secrets fetching✔️
Configure IP access✔️
Enable and disable AI features for the Organization✔️

To manage users in an Organization, see Manage Organization users. To manage the Organization permissions of your API tokens, see Organization API tokens.

Enhanced Support Access

Enhanced Support Access is enabled by default for all Organizations to ensure faster, more effective assistance from the Astronomer support team. It grants read-only Admin access to your Organization’s details, allowing the support team to troubleshoot issues in real time and provide premium-level support. Support does not have access to make any changes to your environment.

You can view any activity by the Astronomer support team by viewing your Organization’s Audit Logs.

If you have IP Access List enabled, Astronomer support with Enhanced Support Access can still view your Organization’s details.

You can disable this feature at any time by going to the General Settings page in your Organization Settings page. Click Edit Details and change the Enhanced Support Access from Allowed to Disallowed.

Workspace roles

A Workspace role grants a user or API token some level of access to a specific Workspace. If a user or API token has some level of access to a Workspace, that access applies to all Deployments in the Workspace.

  • A Workspace Accessor has the fewest permissions in a Workspace. A Workspace Accessor can only see basic information about the Workspace in which they have the role. They can only be granted further permissions through a Deployment role. If you grant a user a Deployment role without first assigning them a Workspace role, they’ll automatically be granted the Workspace Accessor role for the Workspace. For more information, see Customize Deployment roles.
  • A Workspace Member can view the most basic details about Deployments, Dags, tasks, logs, and alerts. Give a user this role if they need to be able to monitor a Dag run or view Deployment health, but they shouldn’t make any changes to a Deployment themselves.
  • A Workspace Author has all of the same permissions as a Workspace Member, plus the ability to update Dag code and run Dags in the Airflow UI, plus limited permissions to configure Deployment-level observability features such as Astro alerts. Give a user this role if they are primarily Dag developers and don’t need to manage the environments their Dags run in.
  • A Workspace Operator has all the same permissions as a Workspace Author, plus the ability to manage Deployment-level configurations, such as environment variables. Give a user this role if they need to manage the environments that Dags run in.
  • A Workspace Owner has all the same permissions as a Workspace Operator, plus the ability to manage user membership in the Workspace. Give a user this role if they need to administrate membership to the Workspace.

To manage a user’s Workspace permissions, see Manage Workspace users.

Deployment roles

There are two types of Deployment roles: the default Deployment Admin role and custom Deployment roles.

Deployment Admin roles have the same permissions as the Workspace Operator role but only Deployment-level operations in a specific Deployment. For example, a Deployment Admin can create a Deployment environment variable but, unlike a Workspace Operator, they can’t create an Astro alert because alerts are configured at the Workspace level.

A custom Deployment role is a role that your Organization has configured to have specific Deployment-level permissions. For a complete list of available custom Deployment role permissions, see Custom role permissions reference.

Dag roles

Labs
Dag-level access control is in Labs and requires Astro Runtime 3.1-12 or later and an Enterprise plan. Contact your account team to enable this feature.

Dag roles provide per-Dag access control within a Deployment. Unlike Deployment roles, which apply to all Dags in a Deployment, Dag roles are scoped to specific Dags by tag or Dag ID. Astronomer recommends binding roles using Dag tags so that new Dags with matching tags are automatically covered. There are two default Dag roles:

  • Dag Viewer: Read-only access to a specific Dag and its resources.
  • Dag Author: Read, edit, and delete access to a specific Dag and its resources.

You can also create custom Dag roles with granular permissions. For complete setup instructions, see Dag-level access control. For a list of available custom Dag role permissions, see Custom role permissions reference.

Permissions reference

Workspace role permissions

PermissionWorkspace AccessorWorkspace MemberWorkspace AuthorWorkspace OperatorWorkspace Owner
View Deployment and Workspace users and teams✔️✔️✔️✔️✔️
View all Deployments in the Astro UI✔️✔️✔️✔️✔️
View Dag metadata in the Astro UI✔️✔️✔️✔️✔️
View Dags in the Airflow UI✔️✔️✔️✔️
View Airflow task logs✔️✔️✔️✔️
View Airflow datasets✔️✔️✔️✔️
Create and delete Airflow datasets✔️✔️✔️
View Astro alerts✔️✔️✔️✔️
View the Cluster Activity tab in the Airflow UI✔️✔️✔️✔️
Use custom plugins from the Airflow UI menu✔️✔️✔️✔️
Manually trigger Dag and task runs✔️✔️✔️
Pause or unpause a Dag✔️✔️✔️
Clear/mark a task run or Dag run✔️✔️✔️
Create, update, and delete Astro alerts✔️✔️✔️
View Airflow connections, variables, plugins, providers, pools, and XComs that were created in the Airflow UI✔️✔️✔️
Create, update, and delete Airflow connections, variables, plugins, providers, pools, and XComs✔️✔️
Create, update, delete, and assign connections, Airflow variables, and environment variables to Deployments in the Astro Environment Manager✔️✔️
Update Deployment configurations✔️✔️
Create and delete Deployments✔️✔️
Create, update, and delete Deployment environment variables✔️✔️
Create, update, and delete Workspace API tokens✔️
Create, delete, pause, and unpause hibernation schedules✔️✔️
Create, update, and delete Deployment API tokens✔️
Update user roles and permissions✔️
Invite users to a Workspace✔️
Assign Teams to or remove from Workspaces✔️
List, cordon, uncordon, and delete a Remote Execution Agent✔️
List, create, and delete Remote Execution Agent API tokens✔️
View Astro IDE✔️✔️✔️✔️
Edit projects in Astro IDE and use AI features✔️✔️✔️
Start ephemeral test Deployments in Astro IDE✔️✔️

Deployment Admin permissions

A Deployment Admin has permissions equivalent to a Workspace Operator, but scoped to a specific Deployment rather than the entire Workspace. A user can be a Deployment Admin for multiple Deployments.

Because Deployment Admin permissions apply only within the assigned Deployment, a Deployment Admin can’t perform Workspace-level actions such as creating Astro alerts, managing Workspace API tokens, inviting users, or using the Astro Environment Manager.

Within their assigned Deployment, a Deployment Admin can:

  • View Deployment users and teams
  • View Dags in the Airflow UI
  • View Airflow task logs, datasets, and alerts
  • View the Cluster Activity tab in the Airflow UI
  • Use custom plugins from the Airflow UI menu
  • Create and delete Airflow datasets
  • Manually trigger Dag and task runs
  • Pause or unpause a Dag
  • Clear/mark a task run or Dag run
  • View, create, update, and delete Airflow connections, variables, plugins, providers, pools, and XComs
  • Update Deployment configurations
  • Create, update, and delete Deployment environment variables
  • Create, delete, pause, and unpause hibernation schedules
  • Create, update, and delete Deployment API tokens
  • List, cordon, uncordon, and delete a Remote Execution Agent
  • List, create, and delete Remote Execution Agent API tokens
  • View, edit, and start ephemeral test Deployments in Astro IDE

Relationship between user roles and Team roles

There are two ways to define a user’s role in a Workspace:

  • Define the individual user role when you add a user to a Workspace.
  • Assign a Workspace role to a Team and add the user to the Team.

If a user has permissions to a Workspace both as an individual and as a member of a Team, then Astronomer recognizes the more privileged role.

For example, if a user belongs to a Workspace as a Workspace Member, but also belongs to a Team in the Workspace with Workspace Owner privileges, then the user has Workspace Owner privileges in the Workspace.