
Tim Wright

01/31/2022, 3:12 PM
Another question for early Monday - is there a set of RBAC permissions that would allow a user of Prefect Cloud to be able to deploy flows - and change the flow parameters - but NOT be able to change the flow tags? Additionally, is there any way to limit permissions on a per-project basis in Prefect Cloud? The use case here is that we currently have two Prefect Cloud accounts - one that we share between our Dev/Tst environment, the other between Stg/Prod environments. Each account has two projects - one project for each environment whose flows are tagged in such a way as to associate them with an Agent running infra for that environment. Wondering what our options are for allowing users to access one project and not the other and also to ensure that a user cannot target Tst infra from Dev project by simply changing the flow tags. The agents themselves are environment-specific and targeted via Flow Tags.

Kevin Kho

01/31/2022, 3:16 PM
I think this can be achieved if you give a user Create permissions for Flow Runs but Read-only permissions for the Flow so they can alter it. These are not project specific.

Tim Wright

01/31/2022, 3:22 PM
@Kevin Kho With these permissions a user could still modify the flow arguments, but not the RunConfig or Tags? Am I understanding that correctly? This is definitely a bigger concern for us than project specific RBAC at the moment.

Kevin Kho

01/31/2022, 3:23 PM
Yes I think that’s right. Can test in a bit to be completely sure

Tim Wright

01/31/2022, 3:24 PM
Awesome. Thanks, I can also possibly test this at some point today. As a related aside, is there a documentation page anywhere for the RBAC roles in Prefect Cloud and what capabilities each corresponds to?

Kevin Kho

01/31/2022, 3:27 PM
Nothing beyond this page

Tim Wright

01/31/2022, 3:29 PM
Ok. Thanks - I had seen that page, but your response definitely helps point me towards the specific behavior we hope to achieve. I'll test it before I sound the victory though. Thanks again

Kevin Kho

01/31/2022, 3:31 PM
The read only user is kicking off Flows from the UI right?

Tim Wright

01/31/2022, 3:32 PM
Yes, that is correct. Modifying some inputs and then kicking them off from the Prefect Cloud UI.
Just want to make sure they can't target a new environment by editing the Tags (which will cause the flows to get picked up by environment-specific agents).

Kevin Kho

01/31/2022, 5:24 PM
I have spoken with some team members and this is not doable because you can limit editing of Flows, but Flow Runs are always customizable if you use the UI and click the Run button. When these runs are triggered, there is nothing stopping users from changing labels for ad-hoc runs.

Tim Wright

01/31/2022, 5:26 PM
Ugh...that's too bad. We'll have to think of something else then.
Thanks for checking for me though.