Authentication & Authorization#

Prerequisites#

To authenticate into Dagster Cloud, you will need cookies enabled on your web browser.

Authentication#

Single Sign-On Providers#

Dagster Cloud supports SSO with a variety of identity providers. We also provide SAML authentication to provide administrators with more control over their users.

SSO#

  • Google
  • GitHub

SAML SSO#

Managing users#

You can add and remove users’ access to Dagster Cloud from within the Dagster Cloud web interface.

Log in to Dagster Cloud, then click on the icon representing your user account at the top right of the web interface. From the drop-down, select "Cloud Settings".

Settings Dropdown

If you have permissions to manage users for your organization, you can use this interface to add users, remove users, and assign them to roles to control their authorization.

Cloud Settings Interface for Permissions

If you are using Google for SSO, you will need to manually add users through the Cloud Settings interface before they will be able to log in to your organization.

If you are using a SAML-based SSO solution (Okta, OneLogin, or Azure AD), you’ll need to assign users from your organization to the Dagster Cloud application in your SSO portal. This will allow them to log in to Dagster Cloud. By default, users that use a SAML-based SSO solution to log in to Dagster Cloud are given viewer permissions for all deployments.

Managing user and agent tokens#

You can manage user and agent tokens from within the Dagster Cloud web interface.

Log in to Dagster Cloud, then click on the icon representing your user account at the top right of the web interface. From the drop-down, select "Cloud Settings".

Settings Dropdown

If you have permissions to do so, you can use this interface to issue, monitor, and revoke tokens associated with your user account for API access, tokens associated with other user accounts, and agent tokens.

Cloud Settings Interface for Tokens

Seed users#

When your organization is first created, we will seed your database with admin users as requested. If you need to add more users, configure SAML or SSO, or are having trouble with your permissions, please contact these seed users.

Authorization#

Role-based access controls#

Dagster Cloud currently includes support for four levels of role-based access control: Viewer, Editor, Admin, and Organization Admin.

You can set roles for users on a per-deployment basis.

Role-based access controls are enforced both in the web interface and in the GraphQL API.

 ViewerEditorAdminOrganization Admin
View deploymentYYYY
Launch, re-execute, terminate, and delete runs of pipelines/jobsNYYY
Start and stop schedulesNYYY
Start and stop sensorsNYYY
Reload code locations and workspacesNYYY
Wipe assetsNYYY
Launch and cancel backfillsNYYY
View usersNYYY
Edit alertsNYYY
View agent tokensNYYY
Edit agent tokensNYYY
View and create own user tokensNYYY
Edit workspaceNYYY
Modify deployment settingsNYYY
Edit usersNNYY
List all user tokensNNYY
Revoke all user tokensNNYY
Administer SAMLNNNY
Create and delete deploymentsNNNY