Roles allow you to control who has access to sensitive team-level operations, including managing users and creating/updating tasks and runbooks.
To assign team roles, users should be added to Groups, and groups can then be assigned roles. You can assign different roles for each environment from the group settings page.
Users who aren't in any groups with roles can still run tasks that are configured with "Team access", or for which they are granted access explicitly.

Team roles

Some roles are not associated with a specific environment. They can be assigned to a group when All is selected in the environment dropdown.

Team admin

Team admins can perform sensitive configuration changes and have full access to tasks, runs, runbooks, and sessions, as well as any settings that affect the entire team (such as inviting new members or controlling the allowed login methods). You should generally limit admins to team members who need to manage and configure the entire team's access to Airplane.
By default, Airplane teams come with an Admins group that is assigned the Team admin role. The first person in your team to join will be added to Admins.

User manager

User managers can manage groups and invite new members, and are able to set permissions in the UI. However, they are generally restricted from developing on Airplane. Assign this role to members that take a purely administrative role within Airplane.

Deploy creator

Deploy creators can create and update tasks via deployments. Currently, only Service Accounts can be granted this role.
In the future, the deploy creator role will become an environment-specific role so that it can be locked down to deploying in a specific environment.

Environment-specific roles

The Developer and Restricted developer roles apply to the specific environment they're assigned to. This allows different levels of access for each environment.


Developers have full access to tasks, runs, runbooks, and sessions. You should generally limit developers to team members who are developing tasks or runbooks (e.g. engineers on your team).

Restricted developer

Restricted developers have similar access to developers, but cannot create or update tasks or runbooks. The restricted developer role is useful when tasks in a given environment are fully configured in code, since it limits direct task updates.