Prefect Cloud’s Pro and Enterprise tiers allow you to set team member access to the appropriate level within specific workspaces.

Role-based access controls (RBAC) enable you to assign users granular permissions to perform certain activities.

Enterprise account administrators can create custom roles for users to give users access to capabilities beyond the scope of Prefect’s built-in workspace roles.

Built-in roles

Roles give users abilities at either the account level or at the individual workspace level.

  • An account-level role defines a user’s default permissions within an account.
  • A workspace-level role defines a user’s permissions within a specific workspace.

The following sections outline the abilities of the built-in, Prefect-defined access controls and workspace roles.

Account-level roles

The following built-in roles have permissions across an account in Prefect Cloud.

RoleAbilities
Owner- Set/change all account profile settings allowed to be set/changed by a Prefect user.
- Add and remove account members, and their account roles.
- Create and delete service accounts in the account.
- Create workspaces in the account.
- Implicit workspace owner access on all workspaces in the account.
- Bypass SSO.
Admin- Set/change all account profile settings allowed to be set/changed by a Prefect user.
- Add and remove account members, and their account roles.
- Create and delete service accounts in the account.
- Create workspaces in the account.
- Implicit workspace owner access on all workspaces in the account.
- Cannot bypass SSO.
Member- View account profile settings.
- View workspaces you have access to in the account.
- View account members and their roles.
- View service accounts in the account.

Workspace-level roles

The following built-in roles have permissions within a given workspace in Prefect Cloud.

RoleAbilities
Viewer- View flow runs within a workspace.
- View deployments within a workspace.
- View all work pools within a workspace.
- View all blocks within a workspace.
- View all automations within a workspace.
- View workspace handle and description.
RunnerAll Viewer abilities, plus:
- Run deployments within a workspace.
DeveloperAll Runner abilities, plus:
- Run flows within a workspace.
- Delete flow runs within a workspace.
- Create, edit, and delete deployments within a workspace.
- Create, edit, and delete work pools within a workspace.
- Create, edit, and delete all blocks and their secrets within a workspace.
- Create, edit, and delete automations within a workspace.
- View all workspace settings.
OwnerAll Developer abilities, plus:
- Add and remove account members, and set their role within a workspace.
- Set the workspace’s default workspace role for all users in the account.
- Set, view, edit workspace settings.
WorkerThe minimum scopes required for a worker to poll for and submit work.

Custom workspace roles

The built-in roles serve the needs of most users, but custom roles give users access to specific permissions within a workspace.

Custom roles can inherit permissions from a built-in role. This enables tweaks to the role to meet your team’s needs, while ensuring users still benefit from Prefect’s default workspace role permission curation as new capabilities becomes available.

You can create custom workspace roles independently of Prefect’s built-in roles. This option gives workspace admins full control of user access to workspace capabilities. However, for non-inherited custom roles, the workspace Admin takes on the responsibility for monitoring and setting permissions for new capabilities as it is released.

See Role permissions for details of permissions you may set for custom roles.

After you create a new role, it becomes available in the account Members page and the Workspace Sharing page for you to apply to users.

Inherited roles

You can configure a custom role as an Inherited Role. Using an inherited role allows you to create a custom role from a set of initial permissions associated with a built-in Prefect role. You can add additional permissions to the custom role. Permissions included in the inherited role cannot be removed.

Custom roles created from an inherited role follow Prefect’s default workspace role permission curation as new capabilities becomes available.

To configure an inherited role alongside a custom role, select Inherit permission from a default role, then select the role from which the new role should inherit permissions.

Workspace role permissions

The following permissions are available for custom roles.

Automations

PermissionDescription
View automationsUser can see configured automations within a workspace.
Create, edit, and delete automationsUser can create, edit, and delete automations within a workspace. Includes permissions of View automations.

Blocks

PermissionDescription
View blocksUser can see configured blocks within a workspace.
View secret block dataUser can see configured blocks and their secrets within a workspace. Includes permissions of View blocks.
Create, edit, and delete blocksUser can create, edit, and delete blocks within a workspace. Includes permissions of View blocks and View secret block data.

Deployments

PermissionDescription
View deploymentsUser can see configured deployments within a workspace.
Run deploymentsUser can run deployments within a workspace. This does not give a user permission to execute the flow associated with the deployment. This only gives a user (through their key) the ability to run a deployment—another user/key must actually execute that flow, such as a service account with an appropriate role. Includes permissions of View deployments.
Create and edit deploymentsUser can create and edit deployments within a workspace. Includes permissions of View deployments and Run deployments.
Delete deploymentsUser can delete deployments within a workspace. Includes permissions of View deployments, Run deployments, and Create and edit deployments.

Flows

PermissionDescription
View flows and flow runsUser can see flows and flow runs within a workspace.
Create, update, and delete saved search filtersUser can create, update, and delete saved flow run search filters configured within a workspace. Includes permissions of View flows and flow runs.
Create, update, and run flowsUser can create, update, and run flows within a workspace. Includes permissions of View flows and flow runs.
Delete flowsUser can delete flows within a workspace. Includes permissions of View flows and flow runs and Create, update, and run flows.

Notifications

PermissionDescription
View notification policiesUser can see notification policies configured within a workspace.
Create and edit notification policiesUser can create and edit notification policies configured within a workspace. Includes permissions of View notification policies.
Delete notification policiesUser can delete notification policies configured within a workspace. Includes permissions of View notification policies and Create and edit notification policies.

Task run concurrency

PermissionDescription
View concurrency limitsUser can see configured task run concurrency limits within a workspace.
Create, edit, and delete concurrency limitsUser can create, edit, and delete task run concurrency limits within a workspace. Includes permissions of View concurrency limits.

Work pools

PermissionDescription
View work poolsUser can see work pools configured within a workspace.
Create, edit, and pause work poolsUser can create, edit, and pause work pools configured within a workspace. Includes permissions of View work pools.
Delete work poolsUser can delete work pools configured within a workspace. Includes permissions of View work pools and Create, edit, and pause work pools.

Workspace management

PermissionDescription
View information about workspace service accountsUser can see service accounts configured within a workspace.
View information about workspace usersUser can see user accounts for users invited to the workspace.
View workspace settingsUser can see settings configured within a workspace.
Edit workspace settingsUser can edit settings for a workspace. Includes permissions of View workspace settings.
Delete the workspaceUser can delete a workspace. Includes permissions of View workspace settings and Edit workspace settings.