Groups in Airplane allow you to establish role-based permissions - you can create groups like Engineering, add users to these groups, and then reference groups when configuring permissions, requesting tasks, and more.
To manage groups, visit your Settings:
Here, you can create new groups and edit/delete existing ones.
Groups have an optional email and slack channel you can set:
Currently, these fields are used when notifying groups of requested runs. If someone requests approval from Engineering, for example, a message will be sent to the configured Slack channel:
Airplane teams come with an Admins group that grants special privileges:
The first person in your team to join is added to Admins, and new members can be added to the group by existing Admins. (See Groups for more details on groups in Airplane.)
Team admins can perform sensitive configuration changes and have full access to tasks/runs. You should generally limit admins to team members who are developing tasks (e.g. engineers on your team) or otherwise making changes to Airplane configuration.
When creating or eding a task, select "Advanced" to configure granular group-based or user-based permissions for the task:
There are four roles that any user or group can be assigned for a task:
Viewers can see task information, but can't request or execute tasks.
Requesters have all the permission of viewers, and can also request tasks.
Executers have all the permissions of requesters, and can also execute tasks and others' requests.
Admins have full access to the task, and can change task configurations and permissions.
Runs can have granular permissions as well, controlling who can view it. When a run is created, it inherits permissions from the task:
If a task was team-accessible, the run will be team-accessible as well
If a task had granular permissions, the run is accessible to whoever executed the run, whoever requested the run (if any), and all reviewers who were asked to approve the run (if any).
Run permissions can be edited from the sidepanel (e.g. select "Shared with team"):
This is helpful if you have a locked-down task but want to selectively share the run output with specific users or groups:
The Requester role allows for a balance between safety and access. For a given task, a Requester can find that task in Airplane, fill out the parameters, but instead of running the task directly, it must then get approved by an Executer or Admin. The "Requests" page in the top navbar shows you a list of requests that you've sent as well as those from your teammates that require your approval: