Managing Enterprise Team Users and Application Access

Last updated January 31, 2020

This feature is currently available in Heroku Enterprise.

This article describes the user roles and commands you can use to manage users that belong to an Enterprise Team.

Roles and permissions

Each user in an Enterprise Team has one of the following roles:

  • admin
  • member
  • viewer
  • collaborator

Every Enterprise Team must have at least one user with the admin role. Aside from this requirement, you can assign any number of users to each role.

Admin

Users with the admin role automatically have full app-level permissions for every app that belongs to the Enterprise Team.

In addition, users with the admin role can:

  • Grant or remove team roles from other users
  • View resources
  • Access billing
  • Rename the Enterprise Team
  • Transfer apps into or out of the Enterprise Team

Every Enterprise Team must have at least one user with the admin role. As a result, if a team has only one admin user, that user’s role cannot be changed unless another admin is first added to the team.

Team users with the admin role can add, remove, and modify users from the team’s Access page in the Heroku Dashboard.

adminaddingusers

They can also manage users with the Heroku CLI.

Member

Users with the member role automatically have read-only access to every app that belongs to the Enterprise Team. These users are added to the team by an admin user.

Users with the member role can:

  • List all apps in the Enterprise Team
  • Access any app that is “unlocked” and view basic information, including who has what permissions on the app
  • Receive app-level permissions for any app that belongs to the team
  • Create new apps that belong to the Enterprise Team
  • Transfer their personal apps into the Enterprise Team
  • Perform any operation on apps they create or transfer into the team
  • View resources for the Enterprise Team
  • View the list of team members and their associated roles

Viewer

Users with the viewer role have read-only access to every app that belongs to the Enterprise Team. These users are added to the team by an admin user.

Users with the viewer role can:

  • List all apps in the Enterprise Team
  • Access any app that is “unlocked” and view basic information, including who has what permissions on the app
  • Receive app-level permissions for any app that belongs to the team
  • View resources for the Enterprise Team
  • View the list of team members and their associated roles

For more information on app-specific permissions, please see Using App Permissions in Heroku Enterprise Teams

Collaborator

You can grant app-specific permissions to users who don’t belong to your Enterprise Team or collaborators. These permissions can be granted by either of the following:

  • A user who has the manage permission for the app
  • A user who has the admin role for the Enterprise Team

These collaborator users cannot:

  • List or access other apps that belong to the Enterprise Team
  • View the list of Enterprise Team users
  • Create or transfer apps to the Enterprise Team

An Enterprise Team admin can add collaborators via the Enterprise Teams’s access tab, by selecting the “Add user” option. The only difference with adding users with adding “viewer”, “admin” and “member” users is that when adding a “collaborator” you need to select the app they will be collaborating on. Adding a collaborator user from the Enterprise Teams’s access tab will only give them the “View” app permission. You can change this permission via the “Access” tab of the application.

collabs

Users with manage permission on the app can add collaborator users by selecting “Add member” from under the “Access” tab of the application:

collabs

Adding a user with the CLI

Add a new team user and assign them a particular role like so:

$ heroku members:add joe@acme.com --team acme-widgets --role member
Adding joe@acme.com to acme-widgets as member... done

Changing a user’s role with the CLI

Change the role assigned to an existing team user with the members:set command:

$ heroku members:set joe@acme.com --team acme-widgets --role admin
Adding joe@acme.com to acme-widgets as admin... done

The members:set command can only be used to assign the admin and member roles. Non-team users who have app-specific permissions cannot be given another role until they are explicitly added to the team with members:add.

For more information on changing user permissions for specific apps, please see Using App Permissions in Heroku Enterprise Teams.

Removing a team user with the CLI

Removing a user from your Enterprise Team prevents them from accessing the team and its associated apps.

You can remove admin and member users with the members:remove command:

$ heroku members:remove joe@acme.com --team acme-widgets
Removing joe@acme.com from acme-widgets... done

If the user also has app-specific permissions, you can remove them from the app’s Access Page in the Heroku Dashboard.

Viewing two-factor authentication status

Two-factor authentication (2FA) is a Heroku platform security feature. When a user enables 2FA for their account, they must provide a verification code in addition to their username and password whenever they log in.

Users can enable and disable 2FA on their individual accounts. When these users are part of an Enterprise Team, admins and other members of the Enterprise Team need visibility into their 2FA status. This helps ensure continuous compliance with the company’s security and governance policies.

The Access page of an Enterprise Team indicates which users do not have 2FA enabled for their Heroku account. The status is updated as soon as it changes:

2fastatus

This view makes it easy for team admins to enforce team security by removing team users or reducing their permissions until they enable 2FA.

Locking an app

Enterprise Team admins and users with the manage permission on an app can “lock” the app to freeze application access. This prevents any newly added team users from being able to view the app’s details. If an app is locked, new team users must be explicitly added to it and granted applicable permissions.

Locking an app can be useful when the app reaches a level of maturity (i.e., production status), as a safeguard against errant modification.

From the Heroku CLI

To lock an app using the CLI, use the apps:lock command:

$ heroku apps:lock --app myapp
Locking myapp...  done

You can view the locked status of your apps with the list command:

$ heroku list --team acme
=== Apps in team acme
test
myapp (locked)
website-staging
website-prod (locked)

From the Heroku Dashboard

Visit your app’s Access page and click the Lock App button in the upper-right corner. Locked apps are displayed with a lock icon in your team’s apps list.

Granting access to a locked app

Team admins and users with the manage permission for a locked app can grant users app-specific permissions for that app.

Unlocking an app

Unlock a locked app with the apps:unlock command:

$ heroku apps:unlock --app myapp
Unlocking myapp...  done

You can also unlock the app from the app’s Access page in the Heroku Dashboard.

Feedback

Log in to submit feedback.