Managing app permissions

4 minute read
You must have the administrator role to invite new members to your app and to manage permissions in the app.

An application, or App in CloudBees Feature Management, is a group of flags and environments within an organization. Within the app, a team member can be assigned the role of a User or an Admin.

Accounts assigned the User role:

  • Can be granted Read only or Full access to each environment within the app.

  • Can access, but NOT modify, account permissions.

You can assign the User role to unlimited accounts in a given app.

Accounts assigned the Admin role:

  • Can invite organization members to the app.

  • Can access/modify/revoke account permissions within the app, including:

    • Can assign administrator or user roles to accounts within the app.

    • Can grant any app member Read only or Full access to each environment within the app.

    • Can revoke account access to the app.

You can assign the Admin role to unlimited accounts in a given app. By default, all CloudBees Feature Management organization administrators are also granted the Admin role within each app in the organization. Organization administrators cannot be granted the User role.

The CloudBees Feature Management permission structure.
Figure 1. An example organization. Ulrich is an organization member who is granted the administrator role for Application C.

Any account can be granted Read only or Full access to any application environment. Users with Read only access who want to modify flag configurations can submit approval requests. For more information, refer to Requesting approval for flag configurations.

Accounts assigned Read only:

  • Can create feature flags, but cannot activate targeting or configure flags without submitting an approval request.

  • Can submit approval requests for review by a team member with full access permissions.

Accounts assigned Full access:

  • Can create/modify/delete flags.

  • Can create/modify/delete target groups, features, labels, environments, custom properties, and integrations within the app.

  • Can submit approval requests for review by another team member with full access permissions.

  • Can approve/reject approval requests by another team member.

Accessing app permissions

You can verify the level of access for any team member in Permissions.

To access app permissions:

  1. From the CloudBees Feature Management Home page, select your email and avatar, and then select the organization. Disregard this step if you are a member of only one organization.

  2. Select All apps from the left pane, and then select the app.

  3. From the left pane, select Permissions.

The permissions screen lists all team members in the app, with the permissions granted for each.

Users
Figure 2. In an example app, team members, their roles, and their access to all environments are displayed on the permissions screen.

Inviting a new user

Application administrators can invite any existing organization member to a CloudBees Feature Management application.

You must be an organization administrator to invite new members outside the organization to the app. Inviting new team members to an app also adds them to the organization.

To invite a new user to a CloudBees Feature Management app:

  1. From the CloudBees Feature Management Home page, select your email and avatar, and then select the organization. Disregard this step if you are a member of only one organization.

  2. Select All apps from the left pane, and then select the app.

  3. From the left pane, select Permissions.

  4. Select Invite new user from the upper-right corner of the screen.

  5. Select or enter the new user’s email, and then press the Enter key (or Return key for Mac). Alternatively, you can select from the dropdown of organization member emails.

  6. Select an Application role.

  7. Select the Access level for each environment.

  8. Select Add user.

The new user is added to Permissions.

  • If the new user is not yet a member of the organization, they will receive an email invitation to join. Their name is marked (pending) in Permissions until they accept the invitation.

  • If the new user is an existing member of the organization, they can access their new app in Apps.

  • If the new user already belongs to another organization, they can access their new organization by first selecting their email and avatar from the top right corner, and then selecting the organization.

    Selecting an organization
    Figure 3. Selecting an organization

Managing app permissions

Application administrators can manage app permissions.

To change an app member’s permissions:

  1. From the CloudBees Feature Management Home page, select your email and avatar, and then select the organization. Disregard this step if you are a member of only one organization.

  2. Select All apps from the left pane, and then select the app.

  3. From the left pane, select Permissions.

  4. Select the account from the list, and then update the Application role.

  5. Select Save changes.

The member’s role is updated.

Managing environment permissions

Application administrators can manage environment permissions.

To change environment permissions:

  1. From the CloudBees Feature Management Home page, select your email and avatar, and then select the organization. Disregard this step if you are a member of only one organization.

  2. Select All apps from the left pane, and then select the app.

  3. From the left pane, select Permissions.

  4. Select the account from the list, and then switch the Access level for each environment to Read only or Full access.

  5. Select Save changes.

The member’s environment access is updated accordingly.

Revoking app access

If you are an application administrator, you can revoke organization member access to an app. Revoking app access does not remove a team member from the organization.

Existing feature flags are not impacted due to revoking app access. You can still use the feature flags created with the account that was revoked.

To revoke CloudBees Feature Management app access:

  1. From the CloudBees Feature Management Home page, select your email and avatar, and then select the organization. Disregard this step if you are a member of only one organization.

  2. Select All apps from the left pane, and then select the app.

  3. From the left pane, select Permissions.

  4. Select the account from the list, and then select Revoke access.

    If Revoke access is not displayed, the team member is an administrator in both the app and the organization, and their app access cannot be revoked.

The account is removed from the Permissions screen, and the team member can no longer sign in to the app.