[docathon] - Managing users in Dagster+ #23929

Merged
merged 4 commits into from
Sep 19, 2024
77 changes: 39 additions & 38 deletions docs/docs-beta/docs/dagster-plus/access/rbac/users.md
@@ -1,74 +1,76 @@
---
title: "User management"
title: "Managing users in Dagster+"
displayed_sidebar: "dagsterPlus"
sidebar_position: 1
sidebar_label: "User management"
sidebar_position: 10
---

# User management in Dagster+
Dagster+ allows you to grant specific permissions to your organization's users, ensuring that Dagster users have access only to what they require.

In this guide, we'll cover how to add and remove users in your Dagster+ organization.

**Note**: If utilizing [SCIM provisioning](/dagster-plus/access/authentication/scim-provisioning), you'll need to manage users through your Identity Provider (IdP) instead of Dagster+.
In this guide, you'll learn how to manage users and their permissions using the Dagster+ UI.

<details>
<summary>Prerequisites</summary>

To complete the steps in this guide, you'll need:
<summary>Prerequisites</summary>

- [Organization Admin permissions](/dagster-plus/access/rbac/user-roles-permissions) for your organization in Dagster+
- A Dagster+ account
- The required [Dagster+ permissions](/todo):
- **Organization Admins** can add, manage, and remove users
- **Admins** can add users

</details>

## Adding users

Before you start, note that:
## Before you start

- **If SCIM provisioning is enabled,** you'll need to add new users in your IdP. Adding users will be disabled in Dagster+.
- **If using Google for SSO**, users must be added in Dagster+ before they can log in.
- **If using an Identity Provider (IdP) like Okta for SSO**, users must be assigned to the Dagster app in the IdP to be able to log in to Dagster+. Refer to the [SSO setup guides](/dagster-plus/access/authentication) for setup instructions for each of our supported IdP solutions.
- **If System for Cross-domain Identity Management specification (SCIM) provisioning is enabled,** you'll need to add new users in your identity provider (IdP). Adding users will be disabled in Dagster+.
- **If using Google for Single sign-on (SSO)**, users must be added in Dagster+ before they can log in.
Contributor Author

@erinkcochran87 erinkcochran87 Aug 26, 2024
I put these here and not in the Prereqs because I was concerned they might get lost. Thoughts?

Contributor

Might be neat as a little info admonition? But I think it's fine.

Is there a link to learning more about how to implement SCIM?

Contributor Author

There will be!

- **If using an Identity Provider (IdP) like Okta for SSO**, users must be assigned to the Dagster app in the IdP to be able to log in to Dagster+. Refer to the [SSO setup guides](/todo) for setup instructions for each of our supported IdP solutions.

By default, users will be granted Viewer permissions on each deployment. The default role can be adjusted by modifying the [`sso_default_role` deployment setting](/todo).

## Adding users to Dagster+

1. Sign in to your Dagster+ account.
2. Click the **user menu (your icon) > Organization Settings**.
3. Click the **Users** tab.
4. Click **Add new user.**
5. In the **User email** field, enter the user's email address.
6. Click **Add user**. The user will be added to the list of users.

After the user is created, you can [add the user to teams and assign user roles for each deployment](#managing-user-permissions).
6. Click **Add user**.

## Managing user permissions
After the user is created, they will be notified via email, and you can [add the user to teams](#teams) and [assign user roles for each deployment](#user-roles).

Check warning on line 39 in docs/docs-beta/docs/dagster-plus/access/rbac/users.md

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Dagster.latin] Use 'with', 'through', or 'by using' instead of 'via', but consider rewriting the sentence. Raw Output: {"message": "[Dagster.latin] Use 'with', 'through', or 'by using' instead of 'via', but consider rewriting the sentence.", "location": {"path": "docs/docs-beta/docs/dagster-plus/access/rbac/users.md", "range": {"start": {"line": 39, "column": 50}}}, "severity": "WARNING"}

After a user is created, the **Manage user permissions** window will automatically display. You can also access this window by clicking **Edit** next to a user in the users table.
![Screenshot of assigning roles to a user](/img/placeholder.svg)

{/* TODO: Add picture previously at "/images/dagster-cloud/user-token-management/manage-new-user-permissions.png" */}
## Adding users to teams {#teams}

### Adding users to teams
:::note
Teams are a Dagster+ Pro feature.
:::

Using the **Teams** field, you can add users to one or more teams. This is useful for centralizing permission sets for different types of users. Refer to the [Managing teams](/dagster-plus/access/rbac/teams) guide for more info about creating and managing teams.
Teams are useful for centralizing permission sets for different types of users. Refer to [Managing teams](/todo) for more information about creating and managing teams.

{/* TODO: Add picture previously at "/images/dagster-cloud/user-token-management/add-user-to-teams.png */}
![Screenshot of Managing teams page](/img/placeholder.svg)

**Note**: When determining a user's level of access, Dagster+ will use the **most permissive** role assigned to the user between all of their team memberships and any individual role grants. Refer to the [Managing user roles and permissions](/dagster-plus/access/rbac/user-roles-permissions) guide for more info.
:::note
When determining a user's level of access, Dagster+ will use the **most permissive** role assigned to the user between all of their team memberships and any individual role grants. Refer to [Managing user roles and permissions](/todo) for more information.
:::

### Assigning user roles
## Assigning user roles {#user-roles}

In the **Roles** section, you can assign the select the appropriate [user role](/dagster-plus/access/rbac/user-roles-permissions) for each deployment.
In the **Roles** section, you can assign a [user role](/todo) for each deployment, granting them a set of permissions that controls their access to various features and functionalities within the platform.

1. Next to a deployment, click **Edit user role**.
2. Select the user role for the deployment. This [user role](/dagster-plus/access/rbac/user-roles-permissions) will be used as the default for all code locations in the deployment.
2. Select the user role for the deployment. This [user role](/todo) will be used as the default for all code locations in the deployment.
3. Click **Save**.
4. **Pro only**: To set permissions for individual [code locations](/dagster-plus/access/rbac/user-roles-permissions) in a deployment:
1. Click the toggle to the left of the deployment to open a list of code locations.
2. Next to a code location, click **Edit user role**.
3. Select the user role for the code location.
4. Click **Save**.
4. **Pro only**: To set permissions for individual [code locations](/todo) in a deployment:
1. Click the toggle to the left of the deployment to open a list of code locations.
2. Next to a code location, click **Edit user role**.
3. Select the user role for the code location.
4. Click **Save**.
5. Repeat the previous steps for each deployment.
6. **Optional**: To change the user's permissions for branch deployments:
1. Next to **All branch deployments**, click **Edit user role**.
2. Select the user role to use for all branch deployments.
3. Click **Save**.
1. Next to **All branch deployments**, click **Edit user role**.
2. Select the user role to use for all branch deployments.
3. Click **Save**.
7. Click **Done**.

## Removing users
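
Review bot: the links this hunk points at `/todo` (the Dagster+ permissions prerequisite, the SSO setup guides, the `sso_default_role` deployment setting, Managing teams, Managing user roles and permissions, user role, code locations) sit next to lines that carry real targets such as `/dagster-plus/access/rbac/user-roles-permissions`, `/dagster-plus/access/rbac/teams` and `/dagster-plus/access/authentication`. This page makes access-control statements (users get Viewer by default, the most permissive role wins), so readers need working links to the role reference; keep the existing paths wherever the target page exists and reserve `/todo` for pages that really are missing. The SCIM bullet under "Before you start" also loses the `/dagster-plus/access/authentication/scim-provisioning` link, which is the link asked for in the review thread, and the vale warning on "via" in "notified via email" is still open.
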
Expand All @@ -83,7 +85,6 @@
6. Click **Remove user**.
7. When prompted, confirm the removal.


## Next steps

- Learn more about role-based access control (RBAC) in [Understanding User Roles & Permissions](/dagster-plus/access/rbac/user-roles-permissions)
Expand Up @@ -85,7 +85,7 @@ For example, if you wanted to provide different Snowflake passwords for your pro
- Set the value as the branch deployment password, and
- Check only the **Branch deployments** box

SCREENSHOT
![Screenshot of environment variables](/img/placeholder.svg)

## Next steps
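
Review bot: the image line added after the branch deployment password steps is a placeholder with the alt text "Screenshot of environment variables"; when the real capture replaces `/img/placeholder.svg`, use a dummy value or make sure the value field is masked, since the surrounding example is about Snowflake passwords. Until then, alt text that says it is a placeholder would keep the page from describing an image that is not there.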

Expand Up @@ -117,7 +117,7 @@ helm --namespace dagster-cloud upgrade agent \

You can see basic health information about your agent in the Dagster+ UI:

{/* TODO: Screenshot */}
![Screenshot of agent health information](/img/placeholder.svg)

### View logs

4 changes: 2 additions & 2 deletions docs/docs-beta/docs/dagster-plus/getting-started.md
Expand Up @@ -23,7 +23,7 @@ The remaining steps depend on your deployment type.

We recommend following the steps in Dagster+ to add a new project.

[comment]: <> (TODO: Screenshot of Dagster+ serverless Nux)
![Screenshot of Dagster+ serverless NUX](/img/placeholder.svg)

The Dagster+ on-boarding will guide you through:
- creating a Git repository containing your Dagster code
Expand Down Expand Up @@ -58,4 +58,4 @@ Refer to the guide for [adding a code location](/dagster-plus/deployment/code-lo

## Next steps

Your Dagster+ account is automatically enrolled in a trial. You can [pick your plan type and enter your billing information](/dagster-plus/settings), or [contact the Dagster team](https://dagster.io/contact) if you need support or want to evaluate the Dagster+ Pro plan.
Your Dagster+ account is automatically enrolled in a trial. You can [pick your plan type and enter your billing information](/dagster-plus/settings), or [contact the Dagster team](https://dagster.io/contact) if you need support or want to evaluate the Dagster+ Pro plan.
6 changes: 2 additions & 4 deletions docs/docs-beta/docs/guides/kubernetes.md
Expand Up @@ -182,22 +182,20 @@ kubectl --namespace default port-forward $DAGSTER_WEBSERVER_POD_NAME 8080:80
This command gets the full name of the `webserver` pod from the output of `kubectl get pods`, and then sets up port forwarding with the `kubectl port-forward` command.

### Step 6.2: Visit your Dagster deployment
The webserver has been port-forwarded to `8080`, so you can visit the Dagster deployment by going to [http://127.0.0.1:8080](http://127.0.0.1:8080). You should see the Dagster landing page

{/* TODO screenshot */}
The webserver has been port-forwarded to `8080`, so you can visit the Dagster deployment by going to [http://127.0.0.1:8080](http://127.0.0.1:8080). You should see the Dagster landing page

![Screenshot of Dagster landing page](/img/placeholder.svg)

### Step 6.3: Materialize an asset
In the Dagster UI, navigate to the Asset catalog and click the **Materialize** button to materialize an asset. Dagster will start a Kubernetes job to materialize the asset. You can introspect on the Kubernetes cluster to see this job:


```bash
$ kubectl get jobs
NAME COMPLETIONS DURATION AGE
dagster-run-5ee8a0b3-7ca5-44e6-97a6-8f4bd86ee630 1/1 4s 11s
```


## Next steps
- Forwarding Dagster logs from a Kubernetes deployment to AWS, Azure, GCP
- Other configuration options for K8s deployment - secrets,
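
Review bot: the sentence re-added under Step 6.2 still ends without a period after "You should see the Dagster landing page"; the line is being touched here anyway, so add it in this change. The rest of the hunk (placeholder image in place of the TODO comment, removal of the doubled blank lines around the `kubectl get jobs` block) reads fine.
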
2 changes: 1 addition & 1 deletion docs/docs-beta/docs/guides/transform-dbt.md
Expand Up @@ -62,7 +62,7 @@ Next, create a `_source.yml` file that points dbt to the upstream `raw_customers

<CodeExample filePath="guides/etl/transform-dbt/basic-dbt-project/models/example/_source.yml" language="yaml" title="_source.yml_" />

{/* TODO: Maybe screenshot to show the lineage? */}
![Screenshot of dbt lineage](/img/placeholder.svg)

## Adding downstream dependencies
