Hello Apache Airflow Dev Community,

Hope you are all doing well! I wanted to start a thread to get some feedback about an Airflow Improvement Proposal that our organization thought would be helpful:

Motivation

Many companies require strict access control and segregation of data for security and compliance purposes. In Apache Airflow, while DAG-level permissions exist, similar controls are not available for Variables. This lack of granular control poses a risk as different internal teams might inadvertently or intentionally access and view Variables belonging to other teams. This can potentially expose sensitive information or configurations. To address this, a feature request is made to introduce Role-Based Access Control (RBAC) for Variables, enabling companies to enforce permissions and ensure that internal teams cannot view each other's Variables.

Proposed Changes

Introduce permissions for Variables to allow authorization of specific roles for access. This would include permissions to read, edit, and delete Variables.

Example

Variable: `team_a_database_credentials`

| Role | Permission |
| --- | --- |
| Team A Lead | `can_read`, `can_edit`, `can_delete` |
| Team A Member | `can_read` |
| Team B Member | None |

Variable: `team_b_api_key`

| Role | Permission |
| --- | --- |
| Team B Lead | `can_read`, `can_edit`, `can_delete` |
| Team B Member | `can_read` |
| Team A Member | None |

Let us know your thoughts and if you feel this would be beneficial.

Thank you,

Robert Sanders
Senior Assistant Vice President, Data & Analytics