Another question for early Monday - is there a set of RBAC permissions that would allow a user of Prefect Cloud to be able to deploy flows - and change the flow parameters - but NOT be able to change the flow tags? Additionally, is there any way to limit permissions on a per project basis in Prefect cloud? The use case here is that we currently have two Prefect Cloud accounts - one that we share between our Dev/Tst environment, the other between Stg/Prod environments. Each account has two projects- one project for each environment whose flows are tagged in such a way as to associate them with an Agent running infra for that environment. Wondering what our options are for allowing users to access one project and not the other and also to ensure that a user cannot target Tst infra from Dev project by simply changing the flow tags. The agents themselves are environment specific and targeted via Flow Tags.

I think this can be achieved if you give a user Create permissions for Flow Runs but Read-only permissions for the Flow so they can alter it. These are not project specific.

@Kevin Kho With these permissions a user could still modify the flow arguments, but not the RunConfig or Tags? Am I understanding that correctly? This is definitely a bigger concern for us than project specific RBAC at the moment.

Yes I think that’s right. Can test in a bit to be completely sure

Awesome. Thanks I can also possible test this at some point today. As a related aside, is there a documentation page anywhere for the RBAC roles in Prefect cloud and what capabilities each corresponds to?

Nothing beyond this page

Ok. Thanks - I had seen that page, but your response definitely helps point me towards the specific behavior we hope to achieve. I'll test it before I sound the victory though. Thanks again

The read only user is kicking off Flows from the UI right?

Yes, that is correct, Modifying some inputs and then kicking them off from the Prefect Cloud UI

I have spoken with some team members and this is not doable because you can limit editing of Flows, but Flow Runs are always customizeable if you use the UI and click the

Run

button. When these runs are triggered, there is nothing stopping users from changing labels for ad-hoc runs.

Ugh...thats too bad. We'll have to think of something else then,