Skip to content

Commit

Permalink
Adding environment permission setup beta (#5645)
Browse files Browse the repository at this point in the history
## What are you changing in this pull request and why?

Adds beta instructions for configuring environment-level permissions for
dbt Cloud

## Checklist
<!--
Uncomment when publishing docs for a prerelease version of dbt:
- [ ] Add versioning components, as described in [Versioning
Docs](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#versioning-entire-pages)
- [ ] Add a note to the prerelease version [Migration
Guide](https://github.com/dbt-labs/docs.getdbt.com/tree/current/website/docs/docs/dbt-versions/core-upgrade)
-->
- [ ] Review the [Content style
guide](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/content-style-guide.md)
so my content adheres to these guidelines.
- [ ] For [docs
versioning](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#about-versioning),
review how to [version a whole
page](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#adding-a-new-version)
and [version a block of
content](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#versioning-blocks-of-content).
- [ ] Add a checklist item for anything that needs to happen before this
PR is merged, such as "needs technical review" or "change base branch."

Adding or removing pages (delete if not applicable):
- [ ] Add/remove page in `website/sidebars.js`
- [ ] Provide a unique filename for new pages
- [ ] Add an entry for deleted pages in `website/vercel.json`
- [ ] Run link testing locally with `npm run build` to update the links
that point to deleted pages
  • Loading branch information
matthewshaver authored Jun 11, 2024
1 parent a182bf2 commit 393524d
Show file tree
Hide file tree
Showing 8 changed files with 71 additions and 0 deletions.
65 changes: 65 additions & 0 deletions website/docs/docs/cloud/secure/environment-permissions-setup.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
---
title: "Set up environment-level permissions"
id: environment-permissions-setup
description: "Set up environment-level permissions to protect your information"
sidebar_label: "Set up environment-level permissions"
pagination_next: null
pagination_prev: null
---

# Set up environment-level permissions <Lifecycle status='beta' />

:::note

This is a beta feature available to select dbt Cloud Enterprise customers. If you are interested in beta testing this feature, please contact your account manager.

:::

To set up and configure environment-level permissions, you must have write permissions to the **Groups & Licenses** settings of your dbt Cloud account. For more information about roles and permissions, check out [User permissions and licenses](/docs/cloud/manage-access/seats-and-users).

Environment-level permissions are not the same as account-level [role-based access control (RBAC)](/docs/cloud/manage-access/about-user-access#role-based-access-control) and are configured separately from those workflows.

## Setup instructions

In your dbt Cloud account:

1. Open the **gear menu** and select **Account settings**. From the left-side menu, select **Groups & Licenses**. While you can edit existing groups, we recommend not altering the default `Everyone`, `Member`, and `Owner` groups.

<Lightbox src="/img/docs/dbt-cloud/groups-and-licenses.png" width="80%" title="Groups & Licenses page in dbt Cloud with the default groups highlighted."/>

2. Create a new or open an existing group. If it's a new group, give it a name, then scroll down to **Access & permissions**. Click **Add**.

<Lightbox src="/img/docs/dbt-cloud/add-permissions.png" width="80%" title="The Access & permissions section with the Add button highlighted."/>

3. Select the **Permission set** for the group. Only the following permissions sets can have environment-level permissions configured:

- Database admin
- Git admin
- Team admin
- Analyst
- Developer

Other permission sets are restricted because they have access to everything (for example, Account admin), or limitations prevent them from having write access to environments (for example, Account viewer).

If you select a permission set that is not supported, the environment permission option will not appear.

<Lightbox src="/img/docs/dbt-cloud/no-option.png" width="80%" title="The view of the permissions box if there is no option for environment permissions."/>

4. Select the **Environment** for group access. The default is **All environments**, but you can select multiple. If none are selected, the group will have read-only access. Note that `Other` maps to the `General` environment type.

<Lightbox src="/img/docs/dbt-cloud/environment-options.png" width="80%" title="A list of available environments with the Staging and Other boxes checked."/>

5. Save the Group settings. You're now setup and ready to assign users!

## User experience

Users with permissions to the environment will see all capabilities assigned to their role. The environment-level permissions are `write` or `read-only` access. This feature does not currently support determining which features in the environment are accessible. For more details on what can and can not be done with environment-level permissions, refer to [About environment-permissions](/docs/cloud/secure/environment-permissions).

For example, here is an overview of the **Jobs** section of the environment page if a user has been granted access:

<Lightbox src="/img/docs/dbt-cloud/write-access.png" width="80%" title="The jobs page with write access and the 'Create job' button visible ."/>

The same page if the user has not been granted environment-level permissions:

<Lightbox src="/img/docs/dbt-cloud/read-only-access.png" width="80%" title="The jobs page with read-only access and the 'Create job' button is not visible ."/>

6 changes: 6 additions & 0 deletions website/docs/docs/cloud/secure/environment-permissions.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ This is a beta feature available to select dbt Cloud Enterprise customers. If yo

Environment-level permissions give dbt Cloud admins the ability to grant write permission to groups and service tokens for specific [environment types](/docs/dbt-cloud-environments) within a project. Granting access to an environment give users access to all environment-level write actions and resources associated with their assigned roles. For example, users with a Developer role can create and run jobs within the environment(s) they have access to. For all other environments, those same users will have read-only access.

For configuration instructions, check out the [setup page](/docs/cloud/secure/environment-permissions-setup).

## Current limitations

Environment-level permissions give dbt Cloud admins more flexibility to protect their environments, but it's important to understand that there are some limitations to this feature, so those admins can make informed decisions about granting access.
Expand Down Expand Up @@ -80,3 +82,7 @@ With mixed access across projects:
- **Other Admins:** A user (non-Admin) can have access to multiple projects depending on the requirements.

If the user has the same roles across projects, you can apply environment access across all projects.


## Related docs
-[Environment-level permissions setup](/docs/cloud/secure/environment-permissions-setup)
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added website/static/img/docs/dbt-cloud/no-option.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 393524d

Please sign in to comment.