Permissions
Airplane's permissioning system allows for fine-grained, role-based access control for small and large organizations alike.
Groups
Permissions can be assigned directly to users or to groups of users. It's recommended that you
assign permissions to groups instead of users, so that new users simply have to be added to the
right group(s) instead of individual tasks, runbooks, etc.
For more information, see Groups.
Team permissions
By default, users on teams have limited permissions. Tasks and runbooks with permissions set to
"team access" can be viewed and executed by users.
For elevated permissions, groups can be assigned roles:
- Team admin, has full control over the team including users, permissions, and updating tasks/runbooks.
- Team developer, has similar access to team admin minus user management.
Users can be added to groups to inherit these permissions. (Note that, at this time, users can't be
directly assigned team-level roles and must be added to a group.)
See Team roles for details.
Task and runbook permissions
When creating/editing a task or runbook, click
Advanced to configure granular group-based or
user-based permissions for the task:
There are four roles that any user or group can be assigned for a task:
- Viewers can see task/runbook information, but can't request or execute tasks/runbooks.
- Requesters have all the permission of viewers, and can also request tasks/runbooks.
- Executers have all the permissions of requesters, and can also execute tasks/runbooks and others' requests.
- Admins have full access to the task/runbook, and can change configurations and permissions.
Run and session permissions
When executed, tasks and runbooks produce runs and sessions, respectively, and these can have
granular permissions assigned to determine who can view them.
The default permissions for a run can either be set to
task-viewers or task-participants:Task viewers(default) Anyone who can view the task can also view the run. This means that if the task is team-accessible, the run can be viewed by anyone on the team. If the run has explicit permions enabled, allViewerson the task can also view any run of the task.Task participantsCan only be viewed by those who execute, request, or approve the run. This is useful for runs that contain sensitive information, such as credentials, that should only be viewed by those who are directly involved in the run, and not by anyone who can view the task.
The default permissions for a runbook session is always
Session viewers which has the same
behavior as Task viewers.typescriptCopied1// my_task.airplane.ts2export default airplane.task(3{4slug: "my_task",5defaultRunPermissions: "task-participants",6},7async () => {...}8);
javascriptCopied1// my_task.airplane.js2export default airplane.task(3{4slug: "my_task",5defaultRunPermissions: "task-participants",6},7async () => {...}8);
pythonCopied1# my_task_airplane.py2@airplane.task(3default_run_permissions="task-participants",4)5def my_task():6pass
In your task definition file (the file with extension
.task.yaml):yamlCopied1# my_task.task.yaml2defaultRunPermissions: task-participants
In the Advanced section of the task editor:
Once a run is created, its permissions can be edited from the sidepanel (e.g. select "Shared with
team"):
This is helpful if you have a locked-down task or runbook but want to selectively share the run or
session output with specific users or groups:
Requests and approvals
The Requester role allows for a balance between safety and access. For a given task or runbook,
a Requester can find that task in Airplane, fill out the parameters, but instead of running it
directly, the task/runbook must then get approved by an Executer or Admin. The "Requests" page in
the top navbar shows you a list of requests that you've sent as well as those from your teammates
that require your approval:
Next steps