
Shawn O’Hare

08/31/2022, 6:48 PM
Hey everyone! My team is exploring the Dagster Cloud Hybrid Standard plan, as we originally created a trial before the new plan definitions were public and have basically been testing out the Enterprise version. I'm trying to understand if there are any best practices or guidance around role-based access in a Standard plan. Specifically, is there any mechanism to allow a developer to write dagster jobs, deploy and inspect results in a branch deploy, but limit their ability to modify or interact with the main non-branch (e.g., prod) deploy? It's not clear to me what the developer workflow is now supposed to look like given the viewer role only exists now as part of the Enterprise plan. Our basic intuition here is:
1. Maintain two separate Standard accounts, corresponding to a dev and prod environment and simply not grant much access to prod. The obvious flaw here is then most people would be unable to actually view or debug issues that happen in prod, as they simply wouldn't have access.
2. Encourage more purely local development, e.g., viewing job changes in a local dagit instance. We don't have enough experience to know if this is practical, i.e., if the runtimes are sufficiently similar.

geoHeil

08/31/2022, 8:02 PM
This is also something I am interested in. Especially, assuming the DEV commits (accidentally) a BUG to an IO manager which is perhaps confusing ENV variables / somehow potentially wrong to the wrong / PROD schema instead of the branch one. (i.e. how this could be prevented).

johann

09/21/2022, 1:31 PM
Sorry for the delay here! I think the best option currently is to go with an Enterprise plan where you can assign more fine-grained access like this.

geoHeil

09/21/2022, 5:26 PM
What is more here? You mean viewer RBAC access?

johann

09/21/2022, 5:27 PM
Yep!