Is there some kind of standard configuration for a Custom Ro Prefect Community #ask-community

Is there some kind of standard configuration for a...

Sean Talia

07/21/2021, 7:10 PM

Is there some kind of standard configuration for a "Custom Role" that would basically be a "Read Only" user with the additional enhancement of being able to execute flows on an ad hoc basis? I created a custom role that mimicked the standard "Read Only" role, and gave it

Create

access on

Flow > Run

and

Flow > Logs

, but the person whom I gave this role was still unable to actually create a flow run from the prefect UI

Sean Talia

07/21/2021, 7:11 PM

it's a little difficult to see, but there are a few flow runs that the person in my org tried to kick off by just clicking "Quick Run", but nothing ever happened – the flow doesn't appear to have ever started, no logging, etc.

Sean Talia

07/21/2021, 7:12 PM

(that one green run there is from me, an admin, going and clicking "Quick Run" myself)

nicholas

07/21/2021, 7:42 PM

Hi @Sean Talia - could you try giving them

update

permissions on runs as well?

👍 1

Sean Talia

07/21/2021, 7:50 PM

okay I think that works! is there any kind of guide somewhere that explains what each of the CRUD actions grants for the various features? it's not intuitive to me that they'd need create + update permissions to deploy a flow

nicholas

07/21/2021, 7:57 PM

Unfortunately we don't have a full guide for that yet but in this case it's because when a run is created we do an immediate lookup for idempotency and update the run accordingly. I'm going to pass this to the Cloud team and see if there's perhaps a better way to handle that

👍 1

Sean Talia

07/29/2021, 2:37 PM

hey @nicholas – I've got another question on this subject. One of our users is trying to add / update a README to the flow they just published, but the UI is showing the

GraphQL Error: Unauthorized

when they go to save the edits they've made. Is there a certain set of create + update permissions they need for this one as well? I would have thought this was sufficient for editing a flow README:

nicholas

07/29/2021, 4:53 PM

Hm you're correct, that should be sufficient @Sean Talia - let me raise the issue. Can you do me a favor and have the user run this query in the InteractiveAPI and send me the result?

Copy code

query {
  permissions_info {
    user_permissions_filtered_by_license_features
  }
}

Sean Talia

07/29/2021, 5:46 PM

yep! Here you go: { "data": { "permissions_info": { "user_permissions_filtered_by_license_features": [ "read:key-value", "read:role", "create:flow-sla", "read:project", "read:api-key", "create:key-value", "read:usage", "read:secret-value", "read:agent", "update:log", "create:log", "read:flow-sla", "read:user", "read:log", "create:flow", "delete:message", "read:cloud-hook", "read:service-account", "update:run", "read:membership", "update:message", "update:flow", "create:run", "update:user", "read:message", "read:tenant", "read:concurrency-limit", "read:flow", "read:secret", "read:hook", "read:license", "create:membership", "update:membership", "read:run", "create:hook", "create:message" ] } } }

nicholas

07/29/2021, 5:56 PM

thank you! let me look into this

Sean Talia

07/29/2021, 7:12 PM

alright my teammate told me it’s working for her now — I’m wondering if it just takes a little while for the changes to take effect That’s my bad, I should have waited more than a few minutes to give her the go-ahead

nicholas

07/29/2021, 7:16 PM

Ahh I was just returning to ask if the issue persisted

nicholas

07/29/2021, 7:16 PM

Sometimes auth changes take some time to clear the cache

nicholas

07/29/2021, 7:17 PM

(this is a security feature to prevent abuse by any one user)

👍 1

2 Views

Open in Slack

Previous Next