Add-on Controls for Enterprise Teams

Last updated August 03, 2020

This feature is currently available in Heroku Enterprise.

Add-on controls let team admins control which add-ons can be used with apps in the team. Enabling the add-on controls feature restricts non-admin team members from installing add-ons that are not on the approved add-ons allowlist.

Setting up the add-ons allowlist

To set up the add-ons allowlist:

  1. Navigate to the team Settings page. Add-on Controls contains the approved list of allowlisted add-ons.
  2. In the search box, type the name of the add-on you would like to approve.
  3. Click the add-on to add it to the allowlist.

Add-ons Controls Dashboard

After the add-on allowlisting restrictions are enabled, the approved add-ons on this list are the only ones members can install to apps in the team.

To enforce the add-on controls, click Enable Add-ons Allowlisting Restrictions.

Enabling the controls does not cause any currently provisioned add-ons to stop working, but it prevents add-ons that are not on the allowlist from being installed from now on.

Handling allowlist exceptions and overrides

Allowlist exceptions are add-ons that are currently in use by at least one app in your team, but are not on the add-ons allowlist.

The primary reason for an add-on to appear on this list is that it was installed before the add-on controls were enabled.

A second reason that an add-on may appear as a allowlist exception is that it has been installed by an admin. Admins have the ability to override add-on controls by installing an add-on using the CLI. The ability to override add-on controls allows admins to try out an add-on before placing it on the allowlist, or to grant a “one-off” installation request by personally installing an add-on to the relevant app. In either case, this usage is tracked and the add-on will appear on the allowlist exceptions list.

To learn more about the usage of the add-on, click on the number of installs (displayed to the right side of the add-on name). This reveals information about which apps have the add-on installed and the date of installation.

Installing allowlisted add-ons

Team members can determine which add-ons are available for install by attempting to provision the add-on in Dashboard. Add-ons that are allowlisted can be installed, and ones that are not allowlisted will say so.

One of these five add-ons can not be installed.

Add-on installation restrictions

Add-ons that are not allowlisted for use are marked as restricted and cannot be installed. As an team member, if you see a restricted add-on that you would like to use, talk to your admin about getting it allowlisted.

On a user’s personal apps that are not part of the team, all add-ons will still be installable.

Feedback on add-on controls

As always, we welcome any feedback you have on this feature. Please reach out to us at ecosystem-feedback@heroku.com or contact us via support.

Feedback

Log in to submit feedback.