Permissions

Groups

Groups in Airplane allow you to establish role-based permissions—you can create groups like Engineering, add users to these groups, and then reference groups when configuring permissions, requesting tasks or runbooks, and more.
Group sync with identity providers like Okta is coming soon! Contact us at hello@airplane.dev if you're interested.
To manage groups, visit your Settings:
Here, you can create new groups and edit/delete existing ones.
Groups have an optional email and slack channel you can set:
Currently, these fields are used when notifying groups of requested runs. If someone requests approval from Engineering, for example, a message will be sent to the configured Slack channel:
Slack messages require that you've first configured the Slack integration for your team.

Admin access

Airplane teams come with an Admins group that grants special privileges:
https://app.airplane.dev/settings/groups
https://app.airplane.dev/settings/groups
The first person in your team to join is added to Admins, and new members can be added to the group by existing Admins.
Team admins can perform sensitive configuration changes and have full access to tasks, runs, runbooks, and sessions. You should generally limit admins to team members who are developing tasks or runbooks (e.g. engineers on your team) or otherwise making changes to Airplane configuration.

Configuring task permissions

When creating or editing a task, select "Advanced" to configure granular group-based or user-based permissions for the task:
There are four roles that any user or group can be assigned for a task:
  • Viewers can see task/runbook information, but can't request or execute tasks/runbooks.
  • Requesters have all the permission of viewers, and can also request tasks/runbooks.
  • Executers have all the permissions of requesters, and can also execute tasks/runbooks and others' requests.
  • Admins have full access to the task/runbook, and can change configurations and permissions.

Run permissions

Runs can have granular permissions as well, controlling who can view it. When a run is created, it inherits permissions from the task:
  • If a task was team-accessible, the run will be team-accessible as well
  • If a task had granular permissions, the run is accessible to whoever executed the run, whoever requested the run (if any), and all reviewers who were asked to approve the run (if any).
Run permissions can be edited from the sidepanel (e.g. select "Shared with team"):
This is helpful if you have a locked-down task or runbook but want to selectively share the run or session output with specific users or groups:

Requests and approvals

The Requester role allows for a balance between safety and access. For a given task or runbook, a Requester can find that task in Airplane, fill out the parameters, but instead of running it directly, the task/runbook must then get approved by an Executer or Admin. The "Requests" page in the top navbar shows you a list of requests that you've sent as well as those from your teammates that require your approval: