
Managing Enterprise Team Users and Application Access

Last updated January 10, 2023

Table of Contents

  • Roles and Permissions
  • Add, Remove, or Modify Enterprise Team Users in the Heroku Dashboard
  • Add a User with the CLI
  • Change a User’s Role with the CLI
  • Remove a Team User with the CLI
  • Viewing Multi-Factor Authentication Status
  • Viewing Single Sign-On Status
  • Locking an App

This feature is available in Heroku Enterprise.

Roles and Permissions

Each user in an Enterprise Team has one of the following roles:

  • admin
  • member
  • viewer
  • collaborator

Enterprise Teams must have at least one user with the admin role. If a team has only one admin user, their role can’t change until another admin is added to the team.

Admins can manage users and application access. Admins can assign specific permissions to multiple users and allow them to perform a set of actions based on their role. See Enterprise Teams Permissions and Allowed Actions for the permissions available to each role.

In addition to admins, team users with the manage permission on an app can add other users to that particular app and manage them.

Add, Remove, or Modify Enterprise Team Users in the Heroku Dashboard

Enterprise Team users with the admin role can add, remove, and modify users from the team’s Access page in the Heroku Dashboard.

Adding Collaborators

Enterprise Team users with the admin role can add or remove collaborators from the team’s Access page in the Heroku Dashboard.

When adding a user as a collaborator, you must select the app to collaborate on. Adding a collaborator user from the Enterprise Team’s Access tab only gives them the “View” app permission. You can change this permission via the Access tab of the application. Note that you can only enforce security features, such as SSO, on team members that are part of the Enterprise Account. These features can’t be applied to collaborator logins.

Users with manage permission on the app can also add collaborator users by selecting Add member from the Access tab of the application.

Add a User with the CLI

The following example shows how to add a team user and assign them a role:

$ heroku members:add joe@acme.com --team acme-widgets --role member
Adding joe@acme.com to acme-widgets as member... done

Change a User’s Role with the CLI

Change the role assigned to an existing team user with the members:set command:

$ heroku members:set joe@acme.com --team acme-widgets --role admin
Adding joe@acme.com to acme-widgets as admin... done

The members:set command can only be used to assign the admin and member roles. Non-team users who have app-specific permissions can’t be given another role until they are explicitly added to the team with members:add.

For more information on changing user permissions for specific apps, see Using App Permissions in Heroku Enterprise Teams.

Remove a Team User with the CLI

Removing a user from your Enterprise Team prevents them from accessing the team and its associated apps.

You can remove admin and member users with the members:remove command:

$ heroku members:remove joe@acme.com --team acme-widgets
Removing joe@acme.com from acme-widgets... done

If the user also has app-specific permissions, you can remove them from the app’s Access Page in the Heroku Dashboard.

Viewing Multi-Factor Authentication Status

Multi-factor authentication (MFA) is a mandatory Heroku platform security feature. A user must provide a verification code in addition to their username and password whenever they log in.

Users can manage MFA on their individual accounts. When these users are part of an Enterprise Team, admins and other members of the Enterprise Team need visibility into their MFA status. This visibility helps ensure continuous compliance with the company’s security and governance policies.

The Access page of an Enterprise Team indicates which users have MFA or SSO for their Heroku account. The status is updated as soon as it changes.

Heroku has limited visibility into MFA status when SSO is configured with a third-party IdP. Ensure MFA is enforced by the IdP.

Viewing Single Sign-On Status

Single sign-on (SSO) is a Heroku platform security feature for delegating authentication to the team’s centralized, company-controlled single sign-on. When an admin has enabled SSO for their team, users get redirected to their company’s IdP whenever they log in.

Users with SSO enabled must enforce MFA at the IdP level. It’s the administrator’s responsibility to ensure that MFA is enabled at the IdP level for their users, so that logins via SSO comply with the MFA requirement.

The Access page of an Enterprise Team indicates which users have SSO enabled for their Heroku account and whether MFA is enabled at the IdP level. The MFA status shown there is limited by what third-party providers expose.

Locking an App

Enterprise Team admins and users with the manage permission on an app can “lock” the app to freeze application access. This feature prevents any newly added team users from being able to view the app’s details. If an app is locked, new team users must be explicitly added to it and granted applicable permissions.

Locking an app can be useful when the app reaches a level of maturity (i.e., production status), as a safeguard against errant modification.

From the Heroku CLI

To lock an app using the CLI, use the apps:lock command:

$ heroku apps:lock --app myapp
Locking myapp...  done

You can view the locked status of your apps with the list command:

$ heroku list --team acme
=== Apps in team acme
test
myapp (locked)
website-staging
website-prod (locked)
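
The listing above can be checked automatically so that production apps left unlocked are flagged. This is an added example, not part of the Heroku documentation; it assumes the output format shown above (a `===` header, one app per line, ` (locked)` appended to locked apps), and the `prod$` naming pattern and the `billing-prod` sample app are hypothetical.

```shell
#!/bin/sh
# Added example: audit app lock status from `heroku list --team <team>` output.
# Assumption: format is as shown on this page; other CLI versions may differ.

# Print the names of apps that are NOT locked. Reads the listing on stdin.
unlocked_apps() {
  awk '
    /^===/                     { next }   # section header
    /^[[:space:]]*$/           { next }   # blank lines
    / \(locked\)[[:space:]]*$/ { next }   # locked apps are fine
    { print $1 }                          # anything else is unlocked
  '
}

# Print unlocked apps whose name matches an extended regex (e.g. a
# production naming convention). Prints nothing when all matches are locked.
unlocked_matching() {
  unlocked_apps | grep -E -- "$1" || true
}

# Constructed sample: the listing from this page plus one hypothetical
# unlocked production app, so the audit has something to report.
sample_list() {
  cat <<'EOF'
=== Apps in team acme
test
myapp (locked)
website-staging
website-prod (locked)
billing-prod
EOF
}

# Demo on the constructed sample. In real use:
#   heroku list --team acme | unlocked_matching 'prod$'
sample_list | unlocked_matching 'prod$'
```

Run on a schedule, a non-empty result is a signal that a production app is visible to every newly added team user and should be locked with `heroku apps:lock`.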

From the Heroku Dashboard

Visit your app’s Access page and click the Lock App button in the upper-right corner. Locked apps are displayed with a lock icon in your team’s apps list.

Granting Access to a Locked App

Team admins and users with the manage permission for a locked app can grant users app-specific permissions for that app.

Unlocking an App

Unlock a locked app with the apps:unlock command:

$ heroku apps:unlock --app myapp
Unlocking myapp...  done

You can also unlock the app from the app’s Access page in the Heroku Dashboard.
