Custom roles for feature management

CloudBees platform includes predefined roles (Admin, User, and Approver) that grant broad, platform-wide permissions across all capability areas, including feature management. These roles are intended for general use but may be either too permissive or too restrictive for specific feature flag work.

To support more precise access control, you can create custom roles specific to feature management. Custom roles allow you to assign permissions based on team responsibilities, such as creating flags, managing target groups, submitting approval requests, or deploying changes.

In feature management, permissions are evaluated at both the application and environment levels. To manage feature flags or related resources, users must have the required permissions in both scopes.

Feature management permissions

Actions such as creating flags, managing target groups, and submitting approval requests are controlled by specific permissions, grouped into the four categories shown in the table below. Depending on the flag behavior, the required permissions may apply at the application level, the environment level, or both.

Table 1. Permission categories and associated permissions
| Category | Possible permissions | What the permission allows |
|---|---|---|
| Approval requests | Create, Update, Delete | Submit, approve, or reject feature flag approval requests. |
| Custom property | Create, Update, Delete | Define and manage custom properties used in flag targeting rules. |
| Flags | Create, Update, Delete | Manage feature flags, including creating, updating, and deleting. |
| Target groups | Create, Update, Delete | Manage target groups at the application level. |

No environment-level target group permission exists. However, if a target group is used in flags, Flag: Update is required on the application and in each environment where the group is used.

Feature management permission levels

Permissions for feature management are assigned at the category level, using one or more permission levels.

Table 2. Permission levels for feature management
| Level | Description |
|---|---|
| Read | Grants read access to feature management entities (flags, target groups, and custom properties). Granted to all users by default. |
| Create | Allows users to create new flags, target groups, approval requests, or custom properties. |
| Update | Allows users to edit an entity. For example, to update a flag’s configuration or target group conditions. For approval requests, Update is required to approve a request. To reject or delete a request, use Delete. |
| Delete | Permits users to delete a flag, target group, or custom property. Also required to reject or delete an approval request. |
| Execute | While Execute can be selected in the UI, it is not used in feature management. |

Quickstart example to create a custom role

The following steps explain how to create a custom role and assign permissions.

To create the role:

  1. Navigate to Tenant settings > Roles.

  2. Select Create role.

  3. To name the role:

    1. Select Pencil next to Custom role, and then enter a name for the role.

    2. Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  4. Select the Feature management category.

    The Feature management section on the Custom Role page lists the four permission categories and the permission levels available for each.

    Figure 1. Custom role permissions user interface

  5. Apply the appropriate permissions.

  6. Select Save.

  7. Assign users or teams to the new custom role.

    • To grant the role, go to Admin settings > Tenant settings > Access control.

    • Once the permissions are applied to the custom role, you must assign the role to a user or team, and specify the scope (organization, application, or environment).

Permission evaluation

When a user attempts to perform a task, such as editing a flag, CloudBees platform evaluates the user’s:

  • Assigned roles.

  • Permission levels within the categories.

  • Role scopes at both the application and environment levels.

To proceed successfully, the user must hold the necessary permission at both scopes. If any required permission is missing at either level, the request is denied.

For example, when a target group is referenced by a flag in an environment, modifying that group requires the following:

  • Target groups: Update at the application level.

  • Flags: Update for:

    • The application level

    • Each environment where the flag uses the group.
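
The evaluation rule above, modeled as an added example (this is not CloudBees code and does not call any CloudBees API). It uses the role, team, application, and environment names from the tutorials on this page; `env-2` is a constructed environment name, and the model assumes an application-level grant does not carry into that application's environments.

```python
# Added illustration: a model of the rule described above, not CloudBees code or its API.
from typing import NamedTuple

class Grant(NamedTuple):
    principal: str   # team or user the role is granted to
    scope_type: str  # "application" or "environment"
    scope_name: str
    role: str

# Role definitions taken from the tutorials on this page (Read is held by everyone).
ROLES = {
    "fm-admin-custom-role": {c: {"create", "update", "delete"} for c in
                             ("approval_request", "flag", "target_group", "custom_property")},
    "fm-approver-custom-role": {"approval_request": {"create", "update", "delete"}},
}

# Grants from the tutorials; assumed not to inherit from application to environment.
GRANTS = [
    Grant("App2Admins", "application", "app-1", "fm-admin-custom-role"),
    Grant("App2Admins", "application", "app-2", "fm-admin-custom-role"),
    Grant("App2Admins", "environment", "env-1", "fm-admin-custom-role"),
    Grant("App1Admins", "application", "app-1", "fm-approver-custom-role"),
    Grant("App1Admins", "environment", "env-1", "fm-approver-custom-role"),
]

def holds(grants, principal, scope_type, scope_name, category, level):
    """True if a role granted to the principal at exactly this scope carries the level."""
    if level == "read":
        return True
    return any(level in ROLES.get(g.role, {}).get(category, set())
               for g in grants
               if (g.principal, g.scope_type, g.scope_name) == (principal, scope_type, scope_name))

def missing_to_update_target_group(grants, principal, app, envs_using_group):
    """List every requirement the principal lacks; an empty list means the edit is allowed."""
    required = [("application", app, "target_group", "update")]
    if envs_using_group:  # the group is referenced by a flag in these environments
        required.append(("application", app, "flag", "update"))
        required += [("environment", env, "flag", "update") for env in envs_using_group]
    return [r for r in required if not holds(grants, principal, *r)]

if __name__ == "__main__":
    for team, envs in [("App2Admins", ["env-1"]), ("App2Admins", ["env-1", "env-2"]),
                       ("App1Admins", ["env-1"])]:
        gaps = missing_to_update_target_group(GRANTS, team, "app-1", envs)
        print(team, envs, "ALLOW" if not gaps else f"DENY, missing {gaps}")
```

Listing the missing requirements, rather than returning a bare allow or deny, shows which scope still needs a grant when a request is refused.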

Tutorials

These tutorials provide step-by-step instructions to create fully-configured custom roles for two common feature management personas: an administrator and an approver.

Each example guides you through creating the role, applying the principle of least privilege by assigning only the necessary permissions, and granting the role to a team for a specific application or environment scope.

Although these tutorials (and the example use cases below) explain how to assign a team to the new roles, you can also assign roles directly to individual users if needed.

Create an administrator role for feature management

By default, the pre-defined System Admin role in CloudBees platform grants full administrative access platform-wide and cannot be restricted to a specific capability area such as feature management.

To enforce the principle of least privilege and improve security, you can create a custom admin role specifically for feature management to limit administrative access to only those capabilities associated with feature flags.

This example creates a custom role named fm-admin-custom-role with full feature management permissions. It is assigned to a team, App2Admins, at both the application and environment levels.

To create the role:

  1. Navigate to Tenant settings > Roles.

  2. Select Create role.

  3. To name the role:

    1. Select Pencil next to Custom role, and then enter a name for the role.

    2. Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  4. Select the Feature management category.

  5. Apply the required permissions as shown in this example:

    • Approval request:

      • Create to propose a request.

      • Update to approve a request.

      • Delete to reject or delete a request.

    • Flags:

      • Create, Update, and Delete to create, update, and manage flag settings.

    • Target group:

      • Create, Update, and Delete to manage audience targeting groups.

    • Custom property:

      • Create, Update, and Delete to manage flag rule conditions and context-based targeting.

        Figure 2. Feature management administrator custom role

  6. Select Save.

  7. To grant the role, go to Admin settings > Tenant settings > Access control.

    Figure 3. Grant the new role to a team, and multiple scopes

  8. Select Team as the principal type.

  9. Select the App2Admins team as the team to which users who approve flag changes belong.

  10. Select the first resource type Application.

  11. Select the application name, app-1.

  12. Select the role fm-admin-custom-role that holds the permissions.

  13. Perform the same steps to assign the role to another application, app-2.

  14. Perform the same steps to assign the role to the environment env-1.

    The custom role fm-admin-custom-role, which includes permissions to fully manage feature flags, is assigned to the team App2Admins rather than directly to individual users.

    To ensure permissions apply in the correct scope, the role is granted to App2Admins in the following resources:

    • The application scope for app-1

    • The application scope for app-2

    • The environment scope for env-1

      By assigning the role to the team in both scopes, all members of App2Admins, including any newly added team members, automatically inherit the necessary permissions to manage all aspects of feature flags.

This completes the steps to create a custom feature management administrator role.

Define a feature flag approver role

In this example, the goal is for a new employee to be able to create, approve, and reject approval requests for feature flags in app-1, specifically in the env-1 environment.

Instead of assigning permissions directly to the user, the recommended approach is to assign the permissions to a team, such as the App1Admins team. As a member of that team, they will automatically inherit the team’s permissions.

First, create a custom role with the necessary permissions. For this example, the name of the role is fm-approver-custom-role.

To create the role:

  1. Navigate to Tenant settings > Roles.

  2. Select Create role.

  3. To name the role:

    1. Select Pencil next to Custom role, and then enter a name for the role.

    2. Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  4. Select the Feature management category.

  5. Assign the following permissions:

    • Approval request: Read, Create, Update, and Delete

    • Custom property: Read

    • Flag: Read

    • Target group: Read

      Figure 4. Example custom role: Flag approver role

      For minimum permissions:

      • Update is required to approve a request.

      • Delete is required to reject or delete a request.

      CloudBees recommends assigning only the minimal permissions necessary for each user’s responsibility.

  6. Select Save.

  7. To grant the role, go to Admin settings > Tenant settings > Access control.

    Figure 5. Example granting the new role to a team, and both scopes

  8. Select Team as the principal type.

  9. Select the App1Admins team as the team to which users who approve flag changes belong.

  10. Select the first resource type Application.

  11. Select the application name, app-1.

  12. Select the role fm-approver-custom-role that holds the permissions.

  13. Perform the same steps to assign the role to the environment env-1.

    To ensure permissions apply in the correct scope, the role is granted to App1Admins in both of the following resources:

    • The application scope for app-1

    • The environment scope for env-1

By assigning the new custom fm-approver-custom-role to the App1Admins team in both scopes, all members of App1Admins, including any newly added team members, automatically inherit the necessary permissions to approve flag changes in that application and environment.

This completes the steps to create a custom feature flag approver role.

Example use cases

The following use cases provide permission templates for common feature management roles. Unlike the step-by-step tutorials, these examples focus on the "why" and "what" of each role’s permissions. Use them as a starting point to design custom roles that fit your organization’s specific needs.

Use case: Flag owner custom role

Use this role for users who are responsible for creating, managing, and deploying feature flags, but who do not need full access to approval requests, target groups, or custom properties.

To create the role:

  1. Navigate to Tenant settings > Roles.

  2. Select Create role.

  3. To name the role:

    1. Select Pencil next to Custom role, and then enter a name for the role.

    2. Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  4. Select the Feature management category.

  5. Assign the following permissions:

    • Approval request: Read

    • Custom property: Read

    • Flag: Read, Create, Update, and Delete

    • Target group: Read

      Figure 6. Example flag owner custom role

  6. Select Save.

  7. To grant the role, go to Admin settings > Tenant settings > Access control.

This completes the steps to create a custom feature flag owner role.

Use case: Flag contributor custom role

Use this role if you want users to draft feature flag changes without the ability to save them directly. This is useful for developers or team members who need to suggest flag edits but should not have permission to apply changes.

Table 3. Permissions to make a change to a flag and submit it for approval
Role Feature management, Role permissions Can propose approval? Can approve/reject? Can edit flag configuration?

Flag change requester

Approval request: Read, Create
Flag: Read, Create

To create the role:

  1. Navigate to Tenant settings > Roles.

  2. Select Create role.

  3. To name the role:

    1. Select Pencil next to Custom role, and then enter a name for the role.

    2. Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  4. Select the Feature management category.

  5. Assign the following permissions:

    • Approval request: Read, Create

    • Custom property: N/A

    • Flag: Read, Create

    • Target group: N/A

      Figure 7. Custom flag contributor role

  6. Select Save.

  7. To grant the role, go to Admin settings > Tenant settings > Access control.

This completes the steps to create a custom feature flag contributor role.