Managing Organization Users and Application Access

Last Updated: 19 February 2015

This feature is currently available in Heroku Enterprise

Organization admins are responsible for adding and removing users, managing their access, and locking applications to prevent additional membership. This guide contains a description of the available user roles and commands to manage application access.

For fine-grained access controls, see Using App privileges in Heroku Organizations

Roles

Organization users can be assigned one of three roles: admin, member, or collaborator. An organization can have any number of users in each role, but must always have at least one admin.

Admin

The admin role allows users to:

  • List all apps in the organization
  • Join all apps in the organization, even if locked
  • Lock apps (that they’ve joined)
  • Add/remove admins & members in the organization
  • Add collaborators to apps
  • View resources for the organization
  • Access billing for the organization
  • Rename the organization
  • Transfer in or out, create, and delete apps in the org (deleting the app currently requires joining it first)
  • Deploy to all apps in the organization
  • Scale dynos for all apps in the organization
  • Add free and paid add-ons to apps

Each org must have at least one admin user. To enforce this, the last remaining admin in an organization cannot be removed.

Admin users can only be added by other org admins.

Member

Assigning a user the member role gives them access to all apps within an organization (they still have to join an app before working on it, and cannot join locked apps). Members can:

  • List all apps in the organization
  • Join unlocked apps
  • View admins & members in the organization
  • Add collaborators to apps
  • View resources for the organization
  • Transfer personal apps into the org
  • Create apps in the org (but not delete them)
  • Deploy to all apps in the organization
  • Scale dynos for all apps in the organization
  • Add free and paid add-ons to apps

Member users can only be added by org admins.

Collaborator

A collaborator is not formally a user in the organization. It is a per-app role given to individuals who need access to one specific application.

For only those apps in the organization they have been given direct access to, a collaborator can:

  • List those apps
  • Deploy
  • Scale dynos
  • Add and remove free add-ons

An app collaborator will be unable to:

  • List or join other org apps
  • View other org users
  • Create or transfer apps to the org
  • Add or remove paid add-ons

App collaborators can be added to an app by org admins or members.

Adding users

Users can be managed from the Access page of an app in the org Dashboard.

You can also manage users using the Heroku CLI. Add a new org member with:

$ heroku members:add joe@acme.com --org acme-widgets
Adding joe@acme.com as member to organization acme-widgets... done

Add admin users with the same command and the --role flag:

$ heroku members:add joe@acme.com --org acme-widgets --role admin
Adding joe@acme.com as admin to organization acme-widgets... done

Because of their app-level access, collaborators are a special case and require a different command.

$ heroku sharing:add jill@daimyo-creative.com --app acme-website
Adding jill@daimyo-creative.com to acme-website as collaborator... done

Changing user roles

If you wish to change the role assigned to an existing org user, you can use the members:set command.

$ heroku members:set joe@acme.com --org acme-widgets --role admin
Setting role of joe@acme.com to admin in organization acme-widgets... done

The same rules apply here as when adding a user to an org: Only an admin user can set another user’s role to admin.

Note that members:set can only be used for the admin and member roles. Collaborators are not considered org users and cannot be given another role until they are explicitly added to the org with members:add.

Removing users

Removing a user prevents them from accessing the org and all apps within it. In the Dashboard, you can remove users from the Access page of an app.

From the CLI you can remove admin and member users with:

$ heroku members:remove joe@acme.com --org acme-widgets
Removing joe@acme.com from organization acme-widgets... done

To remove a collaborator from an app, use sharing:remove instead:

$ heroku sharing:remove joe@acme.com --app acme-website
Removing joe@acme.com from acme-website collaborators... done

Viewing 2FA status

Two-factor authentication is a Heroku platform security feature. When a user enables 2FA on their account, they are required to log in with a verification code in addition to their username and password.

Users enable and disable 2FA on their individual accounts. When these users are part of an organization, admins and other members of the org need visibility into their 2FA status in order to verify continuous compliance with the company’s security and governance policies.

The Access page of an organization highlights users who have either never enabled or have since disabled two-factor authentication for their Heroku accounts. The status is updated as soon as it changes.

When admins see users with two-factor authentication disabled, they can enforce compliance and maintain the org’s security posture by removing those users from the org, changing their role, or leaving them as collaborators only on specific, less-sensitive apps.

Locking an app

Org members have access to all applications within an organization, but cannot work on an application until they explicitly “join” it. Admin users can freeze application access by “locking” the app, which prevents any further members from joining it.

Locking an app is typically done once the app has reached some level of maturity, i.e. production status, as a safeguard against errant modification.

To lock an app using the CLI, use the ‘lock’ command:

$ heroku lock --app myapp
Locking myapp...  done
Organization members must be invited to this app.

You can view the locked status of the apps you have joined with the list command:

$ heroku list
=== Apps joined in organization acme-widgets
test
myapp (locked)
website-staging
website-prod (locked)
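The list output above is enough to audit which of your joined apps are still open to every member. The following script is an added example, not part of the original Heroku documentation or tooling: it parses the output of heroku list in the format shown above, picks out unlocked apps whose names end in a production suffix, and locks each of them with heroku lock --app. The “-prod” naming convention is an assumption for illustration, as is the HEROKU variable, which exists only so the command can be swapped for a stub (or for echo, as a dry run). Only the commands documented on this page are used. Because heroku list shows only apps you have joined, run this as an admin who has joined every app you care about.

```shell
#!/bin/sh
# Added example (not Heroku's own code): lock every unlocked production app.
# Assumes the "heroku list" output format shown above and a hypothetical
# "-prod" suffix for production apps. HEROKU can be overridden for a dry run,
# e.g. HEROKU=echo sh lock-prod-apps.sh
HEROKU="${HEROKU:-heroku}"

# unlocked_apps: read "heroku list" output on stdin and print one unlocked app
# name per line. Skips the "=== ..." section header, blank lines and any app
# annotated "(locked)". The app name is the first whitespace-separated field.
unlocked_apps() {
    while IFS= read -r line; do
        case "$line" in
            ''|'==='*)      continue ;;   # header or blank line
            *'(locked)'*)   continue ;;   # already locked, nothing to do
        esac
        printf '%s\n' "${line%% *}"
    done
}

# unlocked_prod_apps: as above, but keep only apps whose name ends in the
# suffix given as $1 (defaults to "-prod"; the convention is an assumption).
unlocked_prod_apps() {
    suffix="${1:--prod}"
    unlocked_apps | while IFS= read -r app; do
        case "$app" in
            *"$suffix") printf '%s\n' "$app" ;;
        esac
    done
}

# lock_unlocked_prod_apps: run "heroku list" and lock each unlocked production
# app. Prints the name of every app it locks so the run can be audited.
lock_unlocked_prod_apps() {
    "$HEROKU" list | unlocked_prod_apps "$1" | while IFS= read -r app; do
        echo "Locking $app"
        "$HEROKU" lock --app "$app"
    done
}

# Invoke as: sh lock-prod-apps.sh -prod   (any argument is the suffix to match)
if [ $# -gt 0 ]; then
    lock_unlocked_prod_apps "$1"
fi
```

Run it with HEROKU=echo first to see which apps it would lock; the script never unlocks anything, so the worst outcome of a bad suffix is an app that members have to be invited to rather than one that is opened up.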

You can also lock an app in the Dashboard by going to the Access page of the app and using the “Lock App” button.

Locked apps are displayed with a locked indicator in the Dashboard’s apps list.

Granting access to locked apps

When an app is locked no new members are allowed to join the app. Members who try to join the app are informed that the app is locked.

However, users can still be added to a locked app in the collaborator role. Admins can give an org user, or a user from outside the org, access to a locked app by adding them as a collaborator:

$ heroku sharing:add joe@acme.com --app myapp
Adding joe@acme.com to myapp in acme-widgets... done

In the Dashboard, collaborators can be added to a locked app from the Access page of the app.

Unlocking apps

To open a locked app back up for general member access, use the unlock command from the CLI:

$ heroku unlock --app myapp
Unlocking myapp...  done
All organization members can join this app.

You can also unlock the app by going to the Access page of the app in the Dashboard.