Managing users in Dagster Cloud#

This guide is applicable to Dagster Cloud.

In this guide, we'll walk you through adding, removing, and assigning user roles to users in Dagster Cloud.

Adding and removing users#

Organization Admin or Admin permissions are required to add or remove users in Dagster Cloud.

Adding a user#

Before you start, note that:

  • Users are managed on a per-deployment basis. Organization Admins are the exception and have access to the entire organization.

    For example, if you have two full deployments (prod and dev), users who aren't Organization Admins must be added to each deployment to have access.

  • If using Google for SSO, users must be added in Dagster Cloud before they can log in.

  • If using a SAML-based solution like Okta, users must be assigned to the Dagster app in the SSO portal to log in. By default, users will be granted Viewer permissions on each deployment. The default role can be adjusted by modifying the sso_default_role deployment setting.

To add a new user to a deployment:

  1. Sign in to your Dagster Cloud account.

  2. Click the user menu (your icon) > Cloud Settings.

  3. Fill in the following:

    • Email - Enter the user's email address
    • Role - Select the user role for the user. Note: With the exception of the Organization Admin role, this role will only apply to the full deployment you're adding the user to.

    For example:

    Cloud Settings Interface for Permissions
  4. Click + Add.

Removing a user#

To remove a user from a deployment:

  1. Sign in to your Dagster Cloud account.
  2. Click the user menu (your icon) > Cloud Settings.
  3. Locate the user in the user list.
  4. Click Remove.
  5. When prompted, confirm the removal.

Note: This won't remove users from other deployments. For example, if a user has been added to both prod and dev but only removed in prod, they'll still be a user in dev.

Understanding user permissions#

With the exception of the Organization Admin role, user roles are set on a per-deployment basis and enforced both in Dagster Cloud and the GraphQL API.

Dagster Cloud currently includes support for four levels of role-based access control:

  • Viewer - The least permissive role
  • Editor
  • Admin
  • Organization Admin - The most permissive role
 ViewerEditorAdminOrganization Admin
Launch, re-execute, terminate, and delete runs of jobsNYYY
Start and stop schedulesNYYY
Start and stop sensorsNYYY
Wipe assetsNYYY
Launch and cancel backfillsNYYY
View deploymentsYYYY
Create and delete deploymentsNNNY
Modify deployments settingsNYYY
Create, edit, delete environment variablesNYYY
View environment variables valuesNYYY
Export environment variablesNYYY
View code locationsYYYY
Create and remove code locationsNYYY
Reload code locations and workspacesNYYY
View agent tokensNYYY
Create agent tokensNYYY
Edit agent tokensNYYY
Revoke agent tokensNYYY
View and create own user tokensNYYY
List all user tokensNNYY
Revoke all user tokensNNYY
View usersNYYY
Create usersNYYY
Edit usersNNYY
Remove usersNNYY
Manage alertsNYYY
Edit workspaceNYYY
Administer SAMLNNNY
View usageNNNY
Manage billingNNNY