Managing Organization Users and Application Access

Last updated 19 December 2018

This feature is currently available in Heroku Enterprise.

CLI flag names have been upgraded from --org to --team. --org commands are still compatible during this deprecation period.

This guide contains a description of the available user roles and commands to manage membership in an organization.

Roles and app permissions

Organization users can be assigned one of two roles: Admin or member. An organization can have any number of each role, but must have at least one admin user. In addition to their member role in the organization, members can be assigned app permissions on specific apps owned by the organization.

Admin

The admin role allows users to:

  • Add/remove admins & members in the organization
  • Grant permissions on apps to org members and non-org users
  • View resources for the organization
  • Access billing for the organization
  • Rename the organization
  • List all apps in the organization
  • Access all apps in the organization, even if locked
  • Perform any operation (deploy, scale dynos, manage add-ons, delete etc.) on any app in the organization
  • Transfer in or out apps in the org

Org admins will default to having view, deploy, operate, and manage permissions on apps owned by their organization.

Each org must have at least one admin user. The last administrator in the organization cannot be removed to enforce this. Admin users can only be added by other org admins.

Member

Assigning a user the member role gives them read-only access to all apps within an organization. Member users can only be added by org admins. Members can:

  • List all apps in the organization
  • Access any app that is unlocked and view basic information including who has what permissions on the app
  • Be assigned permissions to deploy, operate or manage specific apps
  • Create apps in the org
  • Transfer personal apps into the org
  • Perform any operation on apps they create or transfer in
  • View resources for the organization
  • View admins & members in the organization

Org admins will default to having the view permission on apps owned by their organization.

For more information on using app permissions, please see Using App Permissions in Heroku Organizations

Non-org users

For users who are not formally members of the organization, per-app permissions may be granted so that they can access specific applications. An org admin or member with manage permissions on an app can give these individuals any combination of permissions on that app.

Such users who are not org members but have been granted permissions on specific apps will be unable to:

  • List or access other org apps
  • View other org users
  • Create or transfer apps to the org

Adding users to the organization

Users can be managed from the Access page of an app in the org Dashboard.

You can also manage users using the Heroku CLI. Add a new org member with:

$ heroku members:add joe@acme.com --org acme-widgets
Adding joe@acme.com as member to organization acme-widgets... done

Add additional admin users using the same command with the --role flag:

$ heroku members:add joe@acme.com --org acme-widgets --role admin
Adding joe@acme.com as admin to organization acme-widgets... done

Changing user roles and permissions

If you wish to change the role assigned to an existing org user, you can use the members:set command.

$ heroku members:set joe@acme.com --org acme-widgets --role admin
Setting role of joe@acme.com to admin in organization acme-widgets... done

The same rules apply here as when adding a user to an org: Only an admin user can set another user’s role to admin.

Note that members:set can only be used for the admin and member roles. Non-org users who have access to specific apps cannot be given another role until they are explicitly added to the org with members:add.

For more information on changing user’s permissions on specific apps please see Using App Permissions in Heroku Organizations

Removing users

Removing a user will prevent them from being able to access the org and all apps within it. In the Dashboard, you can remove users in the Access page of an app.

From the CLI you can remove admin and member users with:

$ heroku members:remove joe@acme.com --org acme-widgets
Removing joe@acme.com from organization acme-widgets... done

You can also remove a user’s permissions on a specific app in the app’s Access Page in the dashboard.

Viewing 2FA status

Two-factor authentication is a Heroku platform security feature. When an user enables 2FA on their account, they are required to log on with a verification code in addition to their username and password, for additional security.

Users can enable and disable 2FA on their individual accounts. When these users are part of an organization, admins and other members of the org need visibility into their 2FA status. This helps ensure continuous compliance with the company’s security and governance policies.

The Access page of an organization highlights users who have do not have two-factor authentication enabled for their Heroku accounts. The status is updated as soon as it changes.

On seeing users with two-factor authentication disabled, admins of the org may choose to ensure compliance and maintain their security composure by removing those users from the org, changing their role or leaving them as collaborators only on specific less-sensitive apps.

Locking an app

Org admins and users with ‘manage’ permission on an app can freeze application access by “locking” the app. This prevents any new members from being able to click on the app and access it. Once an app is locked, new members have to be explicitly added to it and granted any permission, including the ability to view basic details of the app.

Locking an app is traditionally performed when the app has reached some level of maturity, i.e. production status, as a safeguard to prevent errant modification.

To lock an app using the CLI, use the 'lock’ command:

$ heroku apps:lock --app myapp
Locking myapp...  done
Organization members must be invited this app.

You can view the locked status of your joined apps with list.

$ heroku list
=== Apps joined in organization acme
test
myapp (locked)
website-staging
website-prod (locked)

You can also lock an app in the dashboard by going to the Access page of an app and using the “Lock App” button. Only org admins and users with 'manage’ permission on the app can do this. Locked apps are displayed with a locked indicator in the apps list.

Granting access to locked apps

When an app is locked no new members can access the app even to view basic information. Members who click on the app or try to perform any action on it in the CLI are informed that the app is locked.

However, users can be added to locked apps and granted any set of permissions. Admins or users with 'manage’ permission on the app can add an org member, or outside user, to a locked app by adding them to the app and optionally granting them additional permissions.

Unlocking apps

To open a locked app back up for general member access, use the unlock command from the CLI:

$ heroku apps:unlock --app myapp
Unlocking myapp...  done
All organization members can join this app.

You can also unlock the app by going to the Access page of the app in the Dashboard.

Feedback

Log in to submit feedback.