Best Practice for a "Read-Only" Pro User in a CI/CD Environment
Hello PA Team,
I'm looking for a best practice or architectural advice for a common CI/CD scenario that I'm struggling to implement.
I need to configure a Pro user profile for my production environment. This user should be able to:
View all content (models, reports, etc.).
Execute and schedule ETL processes for existing models (this is required for our CI/CD pipeline).
Be blocked from making any structural changes to the models or any other content. All development must happen on a separate dev environment.
What I've Tried (and why it failed):
I tried to achieve this using Profiles. I created a "Pro Read-Only" profile and attempted to disable all editing capabilities. However, I found this was too restrictive. If I disable the rights to edit the model, the user also seems to lose the ability to execute the ETL process.
I couldn't find a granular setting to "Allow Execute but Deny Edit".
My Question:
What is the recommended, official Pyramid best practice for setting up this kind of "read-only" administrative Pro user for a production environment? Is there a built-in mechanism for this that I'm missing?
Any guidance would be greatly appreciated.
Thanks.