Airplane's permissioning system allows for fine-grained, role-based access control for small and large organizations alike.
Permissions can be assigned directly to users or to groups of users. It's recommended that you assign permissions to groups instead of users, so that new users simply have to be added to the right group(s) instead of individual tasks, runbooks, etc.
For more information, see Groups.
By default, users on teams have limited permissions. Tasks and runbooks with permissions set to "team access" can be viewed and executed by users.
For elevated permissions, groups can be assigned roles:
- Team admin, has full control over the team including users, permissions, and updating tasks/runbooks.
- Team developer, has similar access to team admin minus user management.
Users can be added to groups to inherit these permissions. (Note that, at this time, users can't be directly assigned team-level roles and must be added to a group.)
See Team roles for details.
Task and runbook permissions
When creating/editing a task or runbook, click
Advancedto configure granular group-based or user-based permissions for the task:
There are four roles that any user or group can be assigned for a task:
- Viewers can see task/runbook information, but can't request or execute tasks/runbooks.
- Requesters have all the permission of viewers, and can also request tasks/runbooks.
- Executers have all the permissions of requesters, and can also execute tasks/runbooks and others' requests.
- Admins have full access to the task/runbook, and can change configurations and permissions.
Run and session permissions
When executed, tasks and runbooks produce runs and sessions, respectively, and these can have granular permissions assigned. When a run/session is created, it inherits permissions from the task/runbook:
- If a task/runbook was team-accessible, the run/session will be team-accessible as well
- If a task/runbook had granular permissions, the run/session is accessible to whoever executed the run, whoever requested the run (if any), and all reviewers who were asked to approve the run (if any).
Permissions can be edited from the sidepanel (e.g. select "Shared with team"):
This is helpful if you have a locked-down task or runbook but want to selectively share the run or session output with specific users or groups:
Requests and approvals
The Requester role allows for a balance between safety and access. For a given task or runbook, a Requester can find that task in Airplane, fill out the parameters, but instead of running it directly, the task/runbook must then get approved by an Executer or Admin. The "Requests" page in the top navbar shows you a list of requests that you've sent as well as those from your teammates that require your approval: