Managing organizations and permissions


This section describes how to manage organization and application permissions.

You must be an administrator to invite new users and manage permissions.

The organization and permission management system allows you to scale your feature flag settings for organizations and applications. Using the organization and permission management system, you can do the following:

  • View application permissions

  • Invite new users to an application

  • Manage access to environments within an application

  • Delete users from an application

  • View organization permissions

  • Invite new users to an organization

  • Grant administrator privileges for an organization

  • Delete users or administrators from an organization

Administrators and users can belong to one or more organizations. Users can be granted an administrator role within an application. User and administrator access can be set as read only or full access for each application environment.

The CloudBees Feature Management permission structure.
Figure 1. An example organization with one administrator and one user. Ulrich is an organization level user that is granted Admin permissions for Application C.

Organization administrators

The default role for the creator of any organization is administrator.

Organization administrators:

  • Can invite new members to an organization and modify their organization roles.

  • Are automatically granted administrator access within all applications.

  • Cannot be deleted from any application within the organization.

  • Can be granted full or read-only access within any application environment.

  • Can configure billing and SAML/SSO.

  • Can create or remove applications.

Organization users

The default role for any member invited to an organization is user.

Organization users:

  • Can be granted access to an application.

  • Can be deleted from an application.

  • Cannot invite new members to the organization or make any changes to permissions.

  • Can be granted full or read-only access to any application environment.

Application administrators

All organization administrators are also administrators at the application level for all applications. Organization users can be granted administration permissions within one or more applications.

Application administrators:

  • Can invite organization users to the application and modify their application roles.

  • Cannot manage organization administrator roles.

  • Can grant administrators and users full or read-only access to environments within the application.

  • Can perform all user capabilities.

Application users

The default role for any user invited to an application is user.

Application users:

  • Can be granted full or read-only access to any application environment that they are a member of.

  • Can view application-level permissions, but cannot make any changes.

  • Can create/modify/remove target groups, features, labels, environments, custom properties, and integrations.
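The role rules above can be modeled for an access review. The following is an added example, not CloudBees code: the action labels are shorthand for the bullet items on this page, and the administrator name "Ada", Applications A and B, and the "Production" environment are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Actions this page lists for each per-environment access level.
ENV_ACTIONS = {
    "read_only": {"create_flag", "submit_approval_request"},
    "full_access": {"create_flag", "modify_flag", "delete_flag",
                    "create_approval_request", "accept_approval_request",
                    "reject_approval_request"},
}

@dataclass
class Member:
    name: str
    org_admin: bool = False                         # organization-level role
    app_admin: set = field(default_factory=set)     # apps with an explicit admin grant
    env_access: dict = field(default_factory=dict)  # (app, env) -> access level

def effective_app_admins(members, apps):
    """Map each application to everyone who is effectively an administrator of it."""
    # Organization administrators are administrators of every application,
    # so they are listed even where they hold no explicit application grant.
    return {app: sorted(m.name for m in members
                        if m.org_admin or app in m.app_admin)
            for app in apps}

def can_remove_from_app(actor, target):
    """Only an organization administrator can delete a user from an application,
    and organization administrators cannot be deleted from one."""
    return actor.org_admin and not target.org_admin

def env_allows(member, app, env, action):
    """True if the member's access level for (app, env) includes the action."""
    level = member.env_access.get((app, env))
    return level is not None and action in ENV_ACTIONS[level]

# Constructed sample mirroring Figure 1: one organization administrator
# (assumed name "Ada") and Ulrich, an organization user with Admin on
# Application C. The environment name "Production" is an assumption.
APPS = ["Application A", "Application B", "Application C"]
ada = Member("Ada", org_admin=True)
ulrich = Member("Ulrich", app_admin={"Application C"},
                env_access={("Application C", "Production"): "read_only"})

if __name__ == "__main__":
    for app, admins in effective_app_admins([ada, ulrich], APPS).items():
        print(app, "->", admins)
```

Note that, per the access-level lists on this page, a read-only grant still allows creating feature flags, so `env_allows` returns true for `create_flag` on a read-only environment.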

Viewing application permissions

You can verify the level of access for any member in Permissions.

Users can view all members and permissions, but cannot make any changes. You must be an administrator to make changes to permissions.

To view application permissions:

  1. From the CloudBees Feature Management Home page, select your account from the top right corner, and then select the organization that you want to view.

  2. From the top left corner, select the application.

  3. From the left pane, select Permissions.

    The permissions screen lists all users, with the permissions granted for each.

Inviting a new user to an application

You can invite new users to your application and manage the access level for each environment. Inviting new users to an application also adds them to the organization.

You must be an administrator to invite new users.

To invite new users to an application:

  1. From the CloudBees Feature Management Home page, select your account from the top right corner, and then select the organization you want to invite a new user to.

  2. From the top left corner, select the application.

  3. From the left pane, select Permissions.

  4. Select Invite New User from the top right corner of the screen, just below your account.

  5. Enter the email of the team member you would like to invite.

    If the user is already a member of your team in a different application, the user will appear in the drop-down menu for selection.

  6. Select the type of permission to grant to the user and the environment as follows:

    • Read only:

      • Can create feature flags.

      • Can submit approval requests.

    • Full access:

      • Can create/modify/delete feature flags.

      • Can create/accept/reject approval requests.

  7. Select Add User to add the user to the application.

    • The new user is added to the Permissions page.

    • An email is sent to the user inviting them to join the application, and the user has a pending label next to their name until they accept the invitation.

    • If the new user already belongs to another organization, they can access the new organization by selecting their account from the top right corner and then selecting the new organization.

      Selecting the new org.

Managing access to environments within an application

You can change the level of access a user has for each environment within an application.

You must be an organization administrator to manage access to environments within an application.

To change the access level for a user:

  1. From the CloudBees Feature Management Home page, select your account from the top right corner, and then select the organization.

  2. From the top left corner, select the application to manage its permissions.

  3. From the left pane, select Permissions.

  4. Select the user from the list.

  5. Toggle the Access level for each permission to Read Only or Full Access as follows:

    • Read only:

      • Can create feature flags.

      • Can submit approval requests.

    • Full access:

      • Can create/modify/delete feature flags.

      • Can create/accept/reject approval requests.

  6. Select Add User to add the user to the application.

  7. Select Save Changes to update the user’s permissions.

Deleting a user from an application

Impact on existing feature flags after deleting a user from the application

There is no impact on the existing feature flags after a user is deleted from the application. You can still use the feature flags that the deleted user created. The default feature flag values can be used.

You can remove a user from an application. Removing users from an application does not remove them from the organization.

You must be an organization administrator to delete a user from the application. Organization administrators cannot be deleted from an application.

To delete the user from an application:

  1. From the CloudBees Feature Management Home page, select your account from the top right corner, and then select the organization.

  2. From the top left corner, select the application to delete the user from.

  3. From the left pane, select Permissions.

  4. Select the user to remove from the application.

  5. Select Delete.

    If the Delete button is not displayed, the user is an organization-level administrator and they cannot be removed from an application.

Viewing organization permissions

You can verify the permissions granted to any user in the organization from Team Management.

You must be an administrator to make changes to organizations. Users can view all organization members and permissions, but they cannot make changes.

To view organizations:

  1. From the CloudBees Feature Management Home page, select your account from the top right corner, and then select the organization to invite the new user to.

  2. When you are in the correct organization, select your account from the top right corner again, and then select Team Management.

    All organization members are listed by Name, with their Email, multifactor authentication (MFA) status, and the level of Permission granted to the user.

Inviting a new user to an organization

Users must be invited to an application in order to become a member of an organization. Refer to Inviting a new user to an application for more instructions.

You must be an administrator to invite a new user.

Granting administrator privileges for an organization

You can grant administrator privileges to any user within the organization.

You must be an administrator to grant administration privileges.

To grant administrator privileges:

  1. From the CloudBees Feature Management Home page, select your account from the top right corner, and then select the organization.

  2. When you are in the correct organization, select your account from the top right corner again, and then select Team Management.

  3. Select the user to grant permissions to.

  4. Verify that you have selected the correct user at the top of the dialog, and then place a check in the box at the bottom next to Give admin privileges.

  5. Select Update.

Deleting a user or administrator from an organization

Impact on existing feature flags after deleting a user from the team

There is no impact on the existing feature flags after a user is deleted from the team. You can still use the feature flags that the deleted user created. The default feature flag values can be used.

You can delete a member from an organization and remove them from all applications.

You must be an administrator to delete a user from the organization.

To delete a user or administrator from the organization:

  1. From the CloudBees Feature Management Home page, select your account from the top right corner, and then select the organization.

  2. Select your account from the top right corner again, and then select Team Management.

  3. Select the user from Team Member Management and then select Delete from the bottom left corner.