Environment Protection

Environment protection restricts who can run commands against specific environments. When a protection is active, only users on the exception list for that environment can execute plans targeting it.

How It Works

Protection is environment-name based. You define a protection record for an environment name (e.g., prod, staging) and then control which users are excepted from the restriction.

• No protection configured - Any project member can target the environment.
• Protection enabled - Only users explicitly added to the exception list can run plans or commands targeting that environment. All other users are blocked.
• Protection disabled (toggled off) - The protection record exists but is not enforced. All users can target the environment until it is re-enabled.

This is an allowlist model: you protect an environment, then add specific users who are permitted to run against it.

Configuring Protection

Navigate to Settings → Protection tab.

Warning

The Protection tab is only visible to users with the view_secrets permission. Organization owners have this permission by default.

Adding a Protection

1. Click Add Protection.
2. Enter the environment name exactly as it appears in your project configuration (e.g., prod).
3. Leave Enabled toggled on if you want the protection active immediately.
4. Click Add Protection.

The protection is now active. No users are excepted yet - add them next.

Adding Excepted Users

Users on the exception list can run commands against the protected environment.

1. Click the users icon next to the protection record.
2. Select a user from the dropdown and click the add button.
3. Repeat for each user who should have access.

To remove a user, click the delete icon next to their name in the exception list.

Toggling Protection On or Off

Use the toggle switch next to any protection record to enable or disable it without deleting the record or changing the exception list. This is useful for temporarily opening an environment for maintenance without losing your access configuration.

Deleting a Protection

Click the delete icon and confirm. This removes the protection entirely. All users can target the environment until a new protection is added.

Supported Frameworks

Environment protection applies to both SQLMesh and dbt projects. The environment name must match what your project configuration uses as the target environment.

Key Takeaways

• ✅ Protection is an allowlist: add a protection, then add the users who are permitted
• ✅ Users not on the exception list are blocked from running against that environment
• ✅ Toggle protection off temporarily without losing your exception list
• ✅ Environment names are matched exactly - prod and Prod are different
• ✅ Works with both SQLMesh and dbt projects
• ✅ The Protection tab requires view_secrets permission to access

Related

• Organizations - User roles and permissions