Bring your towel and join one of the fastest growing data communities. Welcome to our second-generation open source orchestration platform, a completely rethought approach to dataflow automation.

Prefect Community

Hi team, just had a couple of queries in relation to locking down a Prefect account to primarily a "Flow Run" account

1.  In "Default Roles" in <https://cloud.prefect.io/team/roles> the "User" role appears to have Read/Update/Delete permissions on secrets.  In the UI secrets don't appear to be viewable but they can be retrieved using the GraphQL API. What is the recommended approach to preventing normal users from accessing secrets? I'd assume a custom role without secret access assigned to users?
2. We are using a Kubernetes agent which allows a custom image used during run execution in the `Image` input for "Run configuration". Is there a way to prevent this being used by the user?
3. Additionally I'd like to prevent the ability to run agents locally, flows at times are sensitive and should not be run on local agents only in our Kubernetes agent.
Thanks