Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryGet artifact detailsRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
Fetch secrets from CyberArk Conjur
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Manage workflows
Introductioncloudbees and other context objectsenvnameonpermissionsjobs.<job_id>.<job_id>.delegates.<job_id>.env.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Reusable workflows
Personal access tokens
Trigger a workflow using an API
IntroductionManual approval
Connect a repositoryCreate a workflowRun a scanPublish an image
Introduction
Learn about feature management
Create flags in code
Manage multiple SDK keys in your application
Create/manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Flag approval requests and reviews
Audit history
Configuration as code
Flag impressions and activity status
Code references
Properties and custom properties
Target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAndroid appAngular appDjango appGin app.NET Core appReact appSpring Boot app

Custom roles for feature management

4 minute read

Managing the appropriate level of access to feature flags, target groups, and custom properties is essential for safely releasing features and maintaining control over application behavior. This page explains how to use CloudBees platform’s role-based access control (RBAC) system to configure custom roles specifically for feature management. Use this content to create custom roles that define permissions for individuals or teams responsible for creating, managing, or deploying feature flags.

Use the examples on this page to create custom roles to manage feature flags. Assign custom roles with appropriate permission categories, privilege levels, and resource scopes to ensure that users have the right level of access, helping to reduce misconfigurations, support safe experimentation, and enforce governance policies.

For a general overview of how role-based access control (RBAC) works across the platform, including concepts such as predefined roles, permission categories, and privilege levels, refer to the Role-based access control documentation.

How to create an admin role

Use this example to set up a custom role for organization admins who may need full permissions for feature management approval requests, feature flags, target groups, and properties. This custom role grants full control across all feature management categories.

  1. Navigate to Tenant settings  Roles.

  2. Select Create role.

  3. Name the role (for example, FM Admin).

    1. Select Pencil next to Custom role, and then enter a name for the role.

    2. Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  4. Select the category: Feature management.

  5. Example permissions for a custom admin role.

    • Approval request: This permission applies to feature flag management only.

      To manage approval requests, the minimum required permissions are:

      • Update - required to approve a request.

      • Delete - required to reject a request.

      The approver permissions in the example, shown in the table below include additional permissions.

      This role example includes full permissions to manage approval requests and manage flag configurations.

      CloudBees strongly recommends that the level of access be carefully tailored to each user.
      Table 1. Flag admin can manage flags and approvals (only pertains to flag approvals.)
      Role Feature management, Role permissions Can propose approval? Can approve/reject? Can edit flag configuration?

      Flag approver

      Approval request: Read, Create, Update, Delete, Execute
      At minimum a user will need: Update to approve, and Delete to reject
      Flag: Read, Create, Update, Delete, Execute

      Consider creating a custom role focused on approvals without flag edit permissions to maintain separation of duties and follow least-privilege best practices.

    • Flag: An admin will need all flag privilege levels to be able to read, create, update and turn on or off a flag. Assign all permissions: Read, Create, Update, Delete, and Execute flags.

    • Target group: An admin will need all of these permissions , Read, Create, Update, Delete, and Execute target groups.

    • Custom property permissions enable users assigned this role to Read, Create, Update, Delete, and Execute custom properties.

      Feature management admin
      Figure 1. Example custom role: Feature management administrator

  1. Select Save.

  2. To Grant the role select Tenant settings  Access control.

How to create a target group admin role

You may want to assign this role to a team responsible for managing audience targeting and rollout strategies.

  1. Follow the same [process as provided above], except for the permissions.

  2. Assign the following permissions:

    • Custom property: Read.

    • Flag: Read.

    • Target group: Read, Create, Update, Delete, and Execute.

      Feature management target group admin
      Figure 2. Example custom role: Feature management target group admin

  3. Select Save.

  4. Assign the role using Tenant settings  Access control.

How to create a flag owner role

You may want to assign a flag owner role to users who are responsible for creating, managing, and deploying feature flags, but who don’t need full access to approval requests, target groups or custom properties.

  1. Follow the same [process as provided above], except for the permissions.

  2. Assign the following permissions:

    • Approval request: Read

    • Custom property: Read.

    • Flag: Read, Create, Update, Delete, and Execute.

    • Target group: Read.

      Feature management flag owner
      Figure 3. Example custom role: Feature management flag owner

  3. Select Save.

  4. Assign the role using Tenant settings  Access control.

How to create a flag contributor role (no save)

You may need a contributor role that can edit a flag’s configuration, but cannot save the edit. This is useful for developers or team members who need to suggest changes but should not have the permission to implement them directly.

Table 2. Make a change to a flag, but cannot save.
Role Feature management, Role permissions Can propose approval? Can approve/reject? Can edit flag configuration?

Flag change requester

Approval request: Read, Create
Flag: Read, Create

  1. Follow the same [process as provided above], except for the permissions.

  2. Assign the following permissions:

    • Approval request: Read, Create

    • Custom property:

    • Flag: Read. Create

    • Target group:

Approval request permissions
Figure 4. Example custom role: Flag contributor (no save)

How to create an approver role

This example is for a custom role that can review flag edits and approve or reject the edits. This role cannot edit flags directly. This is useful for team leads, product owners, or QA specialists who need to review and approve changes before they are applied.

Table 3. Flag approver permissions.
Role Feature management, Role permissions Can propose approval? Can approve/reject? Can edit flag configuration?

Flag approver

Approval request: Read, Create, Update, Delete, Execute
Flag: Read

  1. Follow the same [process as provided above], except for the permissions.

  2. Assign the following permissions:

    • Approval request: Read, Create, Update, Delete, Execute

    • Custom property: Read.

    • Flag: Read.

    • Target group: Read.

      Approval request permissions
      Figure 5. Example custom role: Flag configuration change approver

      For the Approval request option, only users with Update permission can approve, and only users with Delete permission can reject flag approval proposals.

How to create a read-only role

You may want to allow users to review flag configurations without enabling them to make updates. This role is useful for product managers, analysts, or audit/compliance teams.

  1. Follow the same [process as provided above], except for the permissions.

  2. Assign the following permissions:

    • Approval request: Read.

    • Custom property: Read.

    • Flag: Read.

    • Target group: Read.

      Feature management read-only
      Figure 6. Example custom role: Feature management read-only

  3. Select Save.

  4. Assign the role using Tenant settings  Access control.

    The feature management read-only role must include Read privileges for approval request, flags, target groups, and custom properties. Without complete read access across these categories, the user may experience limited view of flag configurations, evaluation behavior, and visibility in the UI.

Related documentation

Configure feature flags
Flag approval requests and reviews