Last updated July 13, 2020

If your add-on is attached to a Heroku app that has multiple collaborators, all of those collaborators can open the add-on’s dashboard via add-on SSO. Optionally, your add-on can define its own set of roles that it assigns to these collaborators. This enables the app’s owner to restrict access to certain dashboard features.

This article describes how to create and maintain roles for your add-on dashboard without violating the add-on ownership model.

Always set a default role for new SSO users

Whenever a collaborator opens your add-on’s dashboard via add-on SSO, the request to your system includes an email parameter. This is the email address associated with the collaborator’s Heroku account.

Assuming the SSO request authenticates successfully:

• If this is the first user ever to authenticate for this add-on instance, assign the user an “admin” role that has full dashboard permissions.
  • “Full dashboard permissions” should include the ability to change the role of other collaborators that authenticate in the future.
• If this is a new user that isn’t the very first user to authenticate, assign the user whatever “default” role makes sense for your add-on’s dashboard (this might be the same “admin” role as above).
• If this user has authenticated before, assign them whatever role is currently associated with their email address in your system.

After assigning a role to a user, make sure to persist it with the user’s email address in your system.

When your dashboard determines a user’s role, it can then present its UI in accordance with that role’s permissions.

Automatically determining roles for team-owned apps

If an app is owned by a Heroku Team, you can optionally use the endpoints described in Syncing User Access as an Ecosystem Partner to determine whether a particular user is an “admin” or a “member” of that team. If your add-on’s dashboard uses a similar two-role structure, you can simply determine an appropriate dashboard role from a user’s team role.