Hey everyone, We are trying to add some fine grain...
# ask-community
d
Hey everyone, we are trying to add some fine-grained authorization to our Prefect server (such as which user can perform which action and which flow). I understand the Cloud version has roles and custom roles but I don't think this would be detailed enough for our needs (for example the read permission on flows can be granted, but I don't think it can be limited to a particular flow group id for example). It seems like the easiest way to tackle this is at the GraphQL level, using resolvers to customize exactly what request can be performed by who. By any chance, does anyone have some experience doing this?
k
Hey @Didier Marin, I have not seen anyone yet undertake this effort at this granularity. I think the main use case I have seen for this is a situation where you are a business with multiple clients and you only want to give them access to each other’s flows. (This said scenario is potentially a violation of the server license.) I have seen an attempt to create an auth layer to an API above the Prefect Cloud one. If authenticated, it would forward the request to Prefect. I don’t know how they achieve granularity though or if they even pushed through. I think they ended up going with Cloud + multiple tenants, which gives you some granularity because you can restrict users from accessing the flows in other tenants.
d
Thank you for your answer Kevin! Indeed it makes sense to combine Cloud with multiple tenants to achieve this granularity.
FYI our use case would be only for internal flows, with multiple teams and different roles (from a devops with administrator roles, to a non-tech user that will only launch and visualize some specific flows)
k
Not accusing anyone of anything here 😆. Just that the example makes a lot of sense to illustrate the point. I honestly don’t know if building your own API with authentication is easier than fiddling with Prefect GraphQL (you kinda get locked in a version anytime you edit Prefect).