Using App Permissions in Enterprise Teams

Last updated January 27, 2022

This feature is currently available in Heroku Enterprise.

Enterprise Team app permissions enable you to grant fine-grained permissions to team members on a per-app basis, ensuring that the right people have access to the right operations and resources.

App permissions provide access controls for:

  • Guarding and monitoring changes to production apps
  • Restricting which changes can be made to an app
  • Managing the types of resources that users can access

Viewing and setting app permissions

You can view and set user-specific permissions for a given app from the app’s Access tab:

App access page

By default, all team members have the view permission for all of the team’s apps. This permission allows team members to:

  • See basic information about the app
  • View the app’s Access tab, which displays app members and their respective permissions
  • View application activity, including builds and releases
  • See dynos and information about an app’s processes

In addition to the view permission, you can assign any combination of the following permissions to team members from the app’s Access tab:

  • deploy
  • operate
  • manage

You can also set app permissions with the heroku access set of CLI commands.

To set app permissions, you must either:

  • Already have the manage permission for the app
  • Have the admin role for your team

Team members with the admin role always have all permissions for all of the team’s apps. Learn more about Enterprise Team roles.

A complete list of the actions enabled by each app permission is available here. The following subsections provide high-level summaries of these actions.

The deploy permission

The deploy permission gives access to the application’s code and allows team members to:

  • Fetch code
  • Push code
  • View and edit config vars
  • Add and remove free add-ons
  • Run one-off dynos
  • Roll back releases

The operate permission

The operate permission gives access to the operational aspects of an application’s availability and resource consumption. It allows team members to:

  • View and edit config vars
  • Add and remove free and paid add-ons
  • Run one-off dynos
  • Manage add-on configurations
  • Restart the app
  • Roll back releases
  • Manage process scaling and stacks

The manage permission

The manage permission enables team members to control access to the application:

  • Add users to the app
  • Assign or edit permissions for any user on the app
  • Restrict access to the app
  • Rename or delete the app
  • Transfer the app
  • Manage custom domains

Adding and removing team apps

When a team member adds a new app or transfers an existing app into the team, they automatically receive all permissions for that app. Because this includes the manage permission, the team member can then add other members to the app and assign them the appropriate combination of permissions.

Apps belonging to a team can only be removed from the team (or deleted) by:

  • Team members with the manage permission for the app
  • Team members with the admin permission for the team

Feedback

Log in to submit feedback.