Managing the appropriate level of access to feature flags, target groups, and custom properties is essential for safely releasing features and maintaining control over application behavior. This page explains how to use CloudBees platform’s role-based access control (RBAC) system to configure custom roles specifically for feature management. Use this content to create custom roles that define permissions for individuals or teams responsible for creating, managing, or deploying feature flags.
Use the examples on this page to create custom roles to manage feature flags. Assign custom roles with appropriate permission categories, privilege levels, and resource scopes to ensure that users have the right level of access, helping to reduce misconfigurations, support safe experimentation, and enforce governance policies.
For a general overview of how role-based access control (RBAC) works across the platform, including concepts such as predefined roles, permission categories, and privilege levels, refer to the Role-based access control documentation.
How to create an admin role
Use this example to set up a custom role for organization admins who may need full permissions for feature management approval requests, feature flags, target groups, and properties. This custom role grants full control across all feature management categories.
- Navigate to .
- Select Create role.
- Name the role (for example, FM Admin).
  - Select next to Custom role, and then enter a name for the role.
  - Select next to Description to enter a description, such as a summary of permissions granted.
- Select the category: Feature management.
- Example permissions for a custom admin role:
  - Approval request: This permission applies to feature flag management only. To manage approval requests, the minimum required permissions are:
    - Update: required to approve a request.
    - Delete: required to reject a request.

The approver permissions in the example, shown in the table below, include additional permissions. This role example includes full permissions to manage approval requests and manage flag configurations. CloudBees strongly recommends that the level of access be carefully tailored to each user.

Table 1. Flag admin can manage flags and approvals (only pertains to flag approvals).

Role | Feature management, Role permissions | Can propose approval? | Can approve/reject? | Can edit flag configuration? |
---|---|---|---|---|
Flag approver | Approval request: Read, Create, Update, Delete, Execute. At minimum a user will need: Update to approve, and Delete to reject. Flag: Read, Create, Update, Delete, Execute |

Consider creating a custom role focused on approvals without flag edit permissions to maintain separation of duties and follow least-privilege best practices.

  - Flag: An admin needs all flag privilege levels to be able to read, create, update, and turn a flag on or off. Assign all permissions: Read, Create, Update, Delete, and Execute flags.
  - Target group: An admin needs all of these permissions: Read, Create, Update, Delete, and Execute target groups.
  - Custom property: These permissions enable users assigned this role to Read, Create, Update, Delete, and Execute custom properties.

Figure 1. Example custom role: Feature management administrator

- Select Save.
- To grant the role, select .
How to create a target group admin role
You may want to assign this role to a team responsible for managing audience targeting and rollout strategies.
- Follow the same process as provided above, except for the permissions.
- Assign the following permissions:
  - Custom property: Read.
  - Flag: Read.
  - Target group: Read, Create, Update, Delete, and Execute.

Figure 2. Example custom role: Feature management target group admin

- Select Save.
- Assign the role using .
How to create a flag owner role
You may want to assign a flag owner role to users who are responsible for creating, managing, and deploying feature flags, but who don’t need full access to approval requests, target groups or custom properties.
- Follow the same process as provided above, except for the permissions.
- Assign the following permissions:
  - Approval request: Read.
  - Custom property: Read.
  - Flag: Read, Create, Update, Delete, and Execute.
  - Target group: Read.

Figure 3. Example custom role: Feature management flag owner

- Select Save.
- Assign the role using .
How to create a flag contributor role (no save)
You may need a contributor role that can edit a flag’s configuration, but cannot save the edit. This is useful for developers or team members who need to suggest changes but should not have the permission to implement them directly.
Role | Feature management, Role permissions | Can propose approval? | Can approve/reject? | Can edit flag configuration? |
---|---|---|---|---|
Flag change requester |
Approval request: Read, Create |
- Follow the same process as provided above, except for the permissions.
- Assign the following permissions:
  - Approval request: Read, Create.
  - Custom property:
  - Flag: Read, Create.
  - Target group:

How to create an approver role
This example is for a custom role that can review flag edits and approve or reject the edits. This role cannot edit flags directly. This is useful for team leads, product owners, or QA specialists who need to review and approve changes before they are applied.
Role | Feature management, Role permissions | Can propose approval? | Can approve/reject? | Can edit flag configuration? |
---|---|---|---|---|
Flag approver |
Approval request: Read, Create, Update, Delete, Execute |
- Follow the same process as provided above, except for the permissions.
- Assign the following permissions:
  - Approval request: Read, Create, Update, Delete, Execute.
  - Custom property: Read.
  - Flag: Read.
  - Target group: Read.

Figure 5. Example custom role: Flag configuration change approver

For the Approval request option, only users with Update permission can approve, and only users with Delete permission can reject flag approval proposals.

How to create a read-only role
You may want to allow users to review flag configurations without enabling them to make updates. This role is useful for product managers, analysts, or audit/compliance teams.
- Follow the same process as provided above, except for the permissions.
- Assign the following permissions:
  - Approval request: Read.
  - Custom property: Read.
  - Flag: Read.
  - Target group: Read.

Figure 6. Example custom role: Feature management read-only

- Select Save.
- Assign the role using .

The feature management read-only role must include Read privileges for approval requests, flags, target groups, and custom properties. Without complete read access across these categories, the user may experience a limited view of flag configurations and evaluation behavior, and limited visibility in the UI.
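
The separation-of-duties recommendation in the admin example and the complete-read requirement for the read-only role can both be checked mechanically before roles are granted. The following is an added example, not CloudBees code: the role dictionaries are a hypothetical in-memory representation (not a platform export format or API), "flag edit" is assumed to mean any Flag privilege other than Read, and the read check is applied to every role as a generalization.

```python
# Added example: hypothetical role representation, not a CloudBees format or API.
CATEGORIES = ("approval_request", "custom_property", "flag", "target_group")
ALL = {"Read", "Create", "Update", "Delete", "Execute"}

# Constructed sample data mirroring the example roles on this page.
ROLES = {
    "FM Admin": {c: set(ALL) for c in CATEGORIES},
    "Flag owner": {
        "approval_request": {"Read"}, "custom_property": {"Read"},
        "flag": set(ALL), "target_group": {"Read"},
    },
    "Flag approver": {
        "approval_request": set(ALL), "custom_property": {"Read"},
        "flag": {"Read"}, "target_group": {"Read"},
    },
    "Broken read-only": {  # constructed mistake: Target group Read is missing
        "approval_request": {"Read"}, "custom_property": {"Read"}, "flag": {"Read"},
    },
}

def can_approve(role):
    # Per the page: Update on Approval request is required to approve.
    return "Update" in role.get("approval_request", set())

def can_reject(role):
    # Per the page: Delete on Approval request is required to reject.
    return "Delete" in role.get("approval_request", set())

def has_flag_write(role):
    # Assumption: any Flag privilege other than Read counts as "flag edit".
    return bool(role.get("flag", set()) - {"Read"})

def missing_read(role):
    # Categories where the role lacks Read (limits what the user can view).
    return [c for c in CATEGORIES if "Read" not in role.get(c, set())]

def audit(roles):
    findings = []
    for name, role in sorted(roles.items()):
        if (can_approve(role) or can_reject(role)) and has_flag_write(role):
            findings.append((name, "separation-of-duties: approves/rejects and edits flags"))
        gaps = missing_read(role)
        if gaps:
            findings.append((name, "incomplete read access: " + ", ".join(gaps)))
    return findings

if __name__ == "__main__":
    for name, msg in audit(ROLES):
        print(f"{name}: {msg}")
```

The admin role is reported because it combines approval and flag edit privileges, which is the combination the page suggests splitting into a dedicated approver role.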