App Permissions and Allowed Actions
Last updated May 14, 2024
This feature is currently available in Heroku Enterprise.
App permissions enable fine grained access controls for Heroku Enterprise Accounts. This article lists the different actions users can take when granted different permissions on apps. Permissions are independently assigned and any combination of permissions can be assigned to a user on an app. For more information on app permissions see Using App Permissions in Heroku Enterprise Teams.
| Action | View | Deploy | Operate | Manage |
|---|---|---|---|---|
| General app and access info | ||||
| View basic app info and activity stream* | X | |||
| Rename app | X | |||
| Delete app | X | |||
| Add/remove non-org user to app | X | |||
| Manage permissions for other users on app | X | |||
| Lock/unlock | X | |||
| Transfer the app | X | |||
| Code and config | ||||
| View code (git pull) | X | |||
| Push code (new release) | X | |||
| View config variable values | X | X | ||
| Edit config variables | X | X | ||
| Add-ons | ||||
| View list of add-ons on an app | X | X | ||
| View app specific add-on resource configuration | X | X | ||
| SSO access to add-on admin pages | X | X | ||
| Add new free add-on resources to app | X | X | ||
| Add new paid add-on resources to app | X | |||
| Remove free add-on resources from app | X | X | ||
| Remove paid add-on resources from app | X | |||
| Change free add-on tier | X | X | ||
| Change paid add-on tier | X | |||
| App execution | ||||
| View app dyno usage | X | |||
| View logging drain config | X | |||
| Add/remove logging drains | X | |||
| View logs | X | |||
| View process status | X | |||
| See current dynos, workers | X | |||
| View metrics | X | |||
| Set up threshold alerts | X | |||
| View releases | X | |||
| Restart app | X | |||
| Rollback releases | X | X | ||
| Migrate stack | X | |||
| See current stack | X | |||
| View maintenance mode | X | |||
| Turn on and off maintenance mode | X | X | ||
| Run one-off commands (including rake and console) | X | X | ||
| Scale processes | X | X | ||
| Resize processes | X | X | ||
| Configuration | ||||
| View custom domains | X | |||
| View SSL endpoint | X | |||
| Set custom domains | X | |||
| Add SSL certificate | X | |||
| Remove SSL certificate | X | |||
*Release-related info, such as add-on information and config vars (but not values), are always visible in an app’s activity stream.
- Permissions are independently assigned for a user on an app. For example, manage permission does not automatically include operate or deploy permission.
- Permissions can be granted in any combination. For example, a user can be granted operate and manage permission.
- If a user is granted the manage permissions, they can grant themselves additional permissions on the app.
- The view permission is assigned by default for all org members on unlocked apps in the organization. It is also assigned when a user is explicitly added to a locked app.
Related Articles: