Managing Enterprise Team Users and Application Access
Last updated February 21, 2022
This feature is currently available in Heroku Enterprise.
Roles and Permissions
Each user in an Enterprise Team has one of the following roles:
- admin
- member
- viewer
- collaborator
Enterprise Teams must have at least one user with the admin role. You can assign multiple users to each role.
Admin
Users with the admin role automatically have full app-level permissions for every app that belongs to the Enterprise Team.
In addition, users with the admin role can:
- Grant or remove team roles from other users
- View resources
- Access billing
- Rename the Enterprise Team
- Transfer apps into or out of the Enterprise Team
Enterprise Teams must have at least one user with the admin role. If a team has only one admin user, their role can’t change until another admin is added to the team.
Enterprise Team users with the admin role can add, remove, and modify users from the team’s Access page in the Heroku Dashboard.
Users with the admin role can also manage users with the Heroku CLI.
Member
Users with the member role automatically have read-only access to every app that belongs to the Enterprise Team. These users are added to the team by an admin user.
Additionally, users with the member role can:
- List all apps in the Enterprise Team
- Access any app that is “unlocked” and view basic information, including who has what permissions on the app
- Receive app-level permissions for any app that belongs to the team
- Create new apps that belong to the Enterprise Team
- Transfer their personal apps into the Enterprise Team
- Perform any operation on apps they create or transfer into the team
- View resources for the Enterprise Team
- View the list of team members and their associated roles
Viewer
Users with the viewer role have read-only access to every app that belongs to the Enterprise Team. These users are added to the team by an admin user.
Additionally, users with the viewer role can:
- List all apps in the Enterprise Team
- Access any app that is “unlocked” and view basic information, including who has what permissions on the app
- Receive app-level permissions for any app that belongs to the team
- View resources for the Enterprise Team
- View the list of team members and their associated roles
For more information on app-specific permissions, see Using App Permissions in Heroku Enterprise Teams.
Collaborator
You can grant app-specific permissions to users who don’t belong to your Enterprise Team, known as collaborators. These permissions can be granted by either of the following:
- A user who has the manage permission for the app
- A user who has the admin role for the Enterprise Team
These collaborator users cannot:
- List or access other apps that belong to the Enterprise Team
- View the list of Enterprise Team users
- Create or transfer apps to the Enterprise Team
An Enterprise Team admin can add collaborators via the Enterprise Team’s access tab by selecting the “Add user” option. When you add a user as a “collaborator”, you must select the app they will collaborate on. Adding a collaborator user from the Enterprise Team’s access tab only gives them the “View” app permission. You can change this permission via the “Access” tab of the application.
Manage
Users with manage permission on the app can add collaborator users by selecting “Add member” from the “Access” tab of the application.
Adding a User with the CLI
The following example shows how to add a new team user and assign them a role:
$ heroku members:add joe@acme.com --team acme-widgets --role member
Adding joe@acme.com to acme-widgets as member... done
Changing a User’s Role with the CLI
Change the role assigned to an existing team user with the members:set command:
$ heroku members:set joe@acme.com --team acme-widgets --role admin
Adding joe@acme.com to acme-widgets as admin... done
The members:set command can only be used to assign the admin and member roles. Non-team users who have app-specific permissions can’t be given another role until they are explicitly added to the team with members:add.
For more information on changing user permissions for specific apps, see Using App Permissions in Heroku Enterprise Teams.
Removing a Team User with the CLI
Removing a user from your Enterprise Team prevents them from accessing the team and its associated apps.
You can remove admin and member users with the members:remove command:
$ heroku members:remove joe@acme.com --team acme-widgets
Removing joe@acme.com from acme-widgets... done
If the user also has app-specific permissions, you can remove them from the app’s Access Page in the Heroku Dashboard.
Viewing Multi-factor Authentication Status
Multi-factor authentication (MFA) is a Heroku platform security feature. When a user enables MFA for their account, they must provide a verification code in addition to their username and password whenever they log in.
Users can enable MFA on their individual accounts. When these users are part of an Enterprise Team, admins and other members of the Enterprise Team need visibility into their MFA status. This helps ensure continuous compliance with the company’s security and governance policies.
The Access page of an Enterprise Team indicates which users do not have MFA enabled for their Heroku account. The status is updated as soon as it changes.
This view makes it easy for team admins to enforce team security by removing team users or reducing their permissions until they enable MFA.
Locking an App
Enterprise Team admins and users with the manage permission on an app can “lock” the app to freeze application access. This prevents any newly added team users from being able to view the app’s details. If an app is locked, new team users must be explicitly added to it and granted applicable permissions.
Locking an app can be useful when the app reaches a level of maturity (i.e., production status), as a safeguard against errant modification.
From the Heroku CLI
To lock an app using the CLI, use the apps:lock command:
$ heroku apps:lock --app myapp
Locking myapp... done
You can view the locked status of your apps with the list command:
$ heroku list --team acme
=== Apps in team acme
test
myapp (locked)
website-staging
website-prod (locked)
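The listing format above can be checked automatically. The following script is an added example, not part of the Heroku documentation: it reads `heroku list --team` output and reports production apps that are not locked. The `-prod` name suffix as the marker of a production app, the function names, and the extra `api-prod` line in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag production-named apps that are not locked.
# Input: text in the format printed by `heroku list --team <team>`.
# Assumption: production apps are identified by a name suffix (default "-prod").

# audit_locks [SUFFIX] -- reads the listing on stdin and prints one line per app:
#   LOCKED <app>     app is marked "(locked)"
#   VIOLATION <app>  production-named app without the "(locked)" marker
#   UNLOCKED <app>   any other unlocked app
audit_locks() {
    suffix="${1:--prod}"
    awk -v suffix="$suffix" '
        /^===/ || /^[ \t]*$/ { next }   # skip the section header and blank lines
        {
            app = $1
            locked = ($0 ~ /\(locked\)[ \t]*$/)
            # does the app name end with the production suffix?
            is_prod = (length(app) >= length(suffix) &&
                       substr(app, length(app) - length(suffix) + 1) == suffix)
            if (locked)       print "LOCKED " app
            else if (is_prod) print "VIOLATION " app
            else              print "UNLOCKED " app
        }'
}

# violations [SUFFIX] -- only the names of apps that should be locked but are not
violations() {
    audit_locks "$1" | awk '$1 == "VIOLATION" { print $2 }'
}

# Constructed sample: the listing shown above plus one unlocked production app.
SAMPLE='=== Apps in team acme
test
myapp (locked)
website-staging
website-prod (locked)
api-prod'

# Live use (not run here): heroku list --team acme | violations -prod
printf '%s\n' "$SAMPLE" | violations -prod
```

Each name the script prints is a candidate for `heroku apps:lock --app <name>`.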
From the Heroku Dashboard
Visit your app’s Access page and click the Lock App button in the upper-right corner. Locked apps are displayed with a lock icon in your team’s apps list.
Granting access to a locked app
Team admins and users with the manage permission for a locked app can grant users app-specific permissions for that app.
Unlocking an app
Unlock a locked app with the apps:unlock command:
$ heroku apps:unlock --app myapp
Unlocking myapp... done
You can also unlock the app from the app’s Access page in the Heroku Dashboard.