Add Custom Role Docs #2552

Merged
merged 1 commit into from
May 21, 2024
58 changes: 58 additions & 0 deletions docs/docs/account/user-permissions.mdx
Expand Up @@ -87,3 +87,61 @@ If security of these resources is paramount to your organization, we recommend c
Enterprise organizations using GrowthBook can create Teams with distinct capabilities. When setting up a Team, you have the option to define both a global role and project-level roles, much like how you do for individual users. Once a Team is established, multiple users can be added to it. Any user added to a Team will automatically inherit all permissions assigned to that Team. This feature becomes particularly useful when combined with [GrowthBook's SCIM integration](https://docs.growthbook.io/integrations/scim), enabling automated user provisioning and de-provisioning.

To create a Team, you can go to `Settings` → `Team` via the Sidebar and then select the `Teams` tab at the top of the page. Here, you can create and configure various Teams, before adding members to a Team. When evaluating whether or not a user has permission to perform a certain action, we will merge the user's permissions with the permissions inherited from all the Teams the user is on. So if the user's global role is `Collaborator` but they're on a Team that grants them `Engineer` permissions, that user's permission will then be a merger of the `Collaborator` and `Engineer` roles.

### Custom roles

Enterprise organizations using GrowthBook also have the added flexibility of defining custom roles, which enable organizations to fine-tune a role's permissions. These custom roles can be used just like a standard role and can be applied to users and teams at both the global and project levels. A custom role can also be set as your organization's default role, so if you have auto-join enabled, new members will automatically receive the organization's default role, even if it is a custom role.

When creating a custom role, you can either create a role from scratch or duplicate an existing role and then update the role's description along with the policies, which control the role's permissions.

Once created, the name of a custom role cannot be changed. If you need to change the name, you will need to duplicate the role and set the new name before saving. Once saved, you'll need to update users to use this new role.

#### Policies & Permissions

When creating and editing custom roles, organizations have the ability to select specific policies for each role, where the policy contains the underlying permissions.

Below, we've outlined the current policies and their associated permissions. If your use case is not met with the current policies, please let us know by creating a [Github Issue](https://github.com/growthbook/growthbook/issues).

| Policy Group | Policy | Description | Permissions |
| --------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| **Global** | ReadData | View all resources - features, metrics, experiments, data sources, etc. | readData |
| | Comments | Add comments to any resource | readData, addComments |
| **Features** | FeaturesFullAccess | Create, edit, and delete feature flags | readData, manageFeatureDrafts, manageFeatures, manageArchetype, canReview, |
| | ArchetypesFullAccess | Create, edit, and delete saved User Archetypes for feature flag debugging | readData, manageArchetype |
| | FeaturesBypassApprovals | Bypass required approval checks for feature flag changes | readData, manageFeatureDrafts, manageFeatures, canReview, bypassApprovalChecks |
| **Experiments** | ExperimentsFullAccess | Create, edit, and delete experiments. Does not include Visual Editor access. | readData, createAnalyses, runQueries |
| | VisualEditorFullAccess | Use the Visual Editor to implement experiment changes. | readData, manageVisualChanges |
| | superDeleteReports | Delete ad-hoc reports made by other users. Typically assigned to admins only. | readData, superDeleteReport |
| **Metrics & Data** | DataSourcesFullAccess | Create, edit, and delete data sources | readData, createDatasources, editDatasourceSettings, runQueries |
| | DataSourceConfiguration | Edit existing data source configuration settings (identifier types, experiment assignment queries) | readData, editDatasourceSettings, runQueries |
| | RunQueries | Execute queries against data sources. Required to refresh experiment results. | readData, runQueries |
| | MetricsFullAccess | Create, edit, and delete regular metrics (does not include Fact Metrics) | readData, createMetrics, runQueries |
| | FactTablesFullAccess | Create, edit, and delete fact tables, metrics, and filters. | readData, manageFactTables, manageFactMetrics, manageFactFilters, runQueries |
| | FactMetricsFullAccess | Create, edit, and delete fact metrics and filters. | readData, manageFactMetrics, manageFactFilters, runQueries |
| | DimensionsFullAccess | Create, edit, and delete dimensions | readData, createDimensions, runQueries |
| | SegmentsFullAccess | Create, edit, and delete segments | readData, createSegments, runQueries |
| **Management** | IdeasFullAccess | Create, edit, and delete ideas | readData, createIdeas |
| | PresentationsFullAccess | Create, edit, and delete presentations | readData, createPresentations |
| **SDK Configuration** | SDKPayloadPublish | Make changes that affect data sent to SDKs. For example: edit a saved group, toggle a feature flag, stop an experiment, etc. | readData, publishFeatures, runExperiments |
| | SDKConnectionsFullAccess | Create, edit, and delete SDK Connections | readData, manageSDKConnections, manageSDKWebhooks |
| | AttributesFullAccess | Create, edit, and delete targeting attributes | readData, manageTargetingAttributes |
| | EnvironmentsFullAccess | Create, edit, and delete environments | readData, manageEnvironments |
| | NamespacesFullAccess | Create, edit, and delete namespaces | readData, manageNamespaces |
| | SavedGroupsFullAccess | Create, edit, and delete saved groups | readData, manageSavedGroups |
| **Settings** | GeneralSettingsFullAccess | Edit organization general settings | readData, organizationSettings |
| | NorthStarMetricFullAccess | Configure North Star metrics | readData, manageNorthStarMetric |
| | TeamManagementFullAccess | Invite users, delete users, change user roles, add/remove users from teams. | readData, manageTeam |
| | CustomRolesFullAccess | Create, edit, and delete projects | readData, manageProjects |
| | ProjectsFullAccess | Create, edit, and delete tags | readData, manageTags |
| | TagsFullAccess | Create, edit, and delete API secret keys. Not required to create Personal Access Tokens. | readData, manageApiKeys |
| | APIKeysFullAccess | Set up and configure integrations - GitHub, Vercel, etc. | readData, manageIntegrations |
| | IntegrationsFullAccess | Create, edit, and delete event-based webhooks. Used for Slack/Discord notifications. | readData, manageEventWebhooks, viewAuditLog |
| | EventWebhooksFullAccess | View and edit license key. View invoices and update billing info. | readData, manageBilling |
| | BillingFullAccess | View and export audit logs | readData, viewAuditLog |
| | AuditLogsFullAccess | Create, edit, and delete custom roles | readData, manageTeam, manageCustomRoles |

#### Deactivating Roles

As we do not support the ability for an organization to delete a standard role, we have introduced the ability for enterprise organizations to deactivate both standard and custom roles. When a role is deactivated, we remove the role from the roles dropdown when adding a new user or updating an existing user's role. If you deactivate a role that is assigned to a user, the user will experience no changes to their permission level. The deactivation of the role simply removes it from the role options.

The only guardrail in place around deactivating roles is that you cannot deactivate your organization's default role.
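
Review bot: In the Policies & Permissions table, the Settings rows from CustomRolesFullAccess down to AuditLogsFullAccess have their Description and Permissions cells shifted by one row relative to the Policy column: CustomRolesFullAccess is documented as "Create, edit, and delete projects" with manageProjects, TagsFullAccess as creating API secret keys with manageApiKeys, and AuditLogsFullAccess as "Create, edit, and delete custom roles" with manageTeam, manageCustomRoles. Admins will read this table to decide which policies a custom role should carry, so a misaligned row can lead to granting manageTeam or manageApiKeys when something narrower was intended; please realign so each policy name sits beside its own description and permissions (presumably the custom-roles description and permissions belong on the CustomRolesFullAccess row, with the rest moving down one). Smaller points in the same table: the FeaturesFullAccess permissions cell ends with a trailing comma after canReview, and the superDeleteReports policy name is camelCase while every other policy is PascalCase. In the Deactivating Roles section, since users keep the permissions of a deactivated role, it would help to say how an admin can find and reassign the users who still hold it.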