Skip to main content

Role-based access control

info

Role-based access control requires an Enterprise subscription.

Role-based access control (RBAC) provides fine-grained access management of Flagsmith resources. Using RBAC, you can ensure users only have the access they need within your Flagsmith organisation.

For example, RBAC allows you to achieve the following scenarios:

  • Only allow certain users to modify your production environments.
  • Grant a default set of permissions to all users that join your Flagsmith organisation.
  • Lock down an Admin API key to a specific set of permissions.
  • Provide Flagsmith permissions based on your enterprise identity provider's groups when using SAML single sign-on.

To add users to your Flagsmith organisation or to manage user permissions, click on your organisation name in the top left and open the Users and Permissions tab.

Core concepts

The diagram below shows an overview of how permissions are assigned within your Flagsmith organisation:

Roles

A role is a set of permissions that, when assigned, allows performing specific actions on your organisation, projects or project environments.

Built-in roles are predefined by Flagsmith and cannot be modified. All users in your organisation have one of the following built-in roles:

  • Organisation Administrator grants full access to everything in your Flagsmith organisation.
  • User grants no access and requires you to assign permissions using custom roles and/or groups.

Custom roles can be assigned to users, groups or Admin API keys. Any number of custom roles can be created and assigned.

Creating, modifying or assigning roles requires organisation administrator permissions.

Groups

A group is a collection of users. If a custom role is assigned to a group, the role's permissions will be granted to all group members. Users can belong to any number of groups.

Creating or modifying existing groups requires organisation administrator permissions.

Permissions to add or remove users from groups can be granted in two ways:

  • The manage group membership permission allows modifying any group's membership
  • A group admin can manage membership only for that group

Add users to your organisation

You can add users to your organisation by sending them an invitation email from Flagsmith, or by sharing an invitation link directly with them. Both options require organisation administrator permissions, and are available from Users and Permissions > Members.

Users can also join your organisation directly by logging in to Flagsmith using single sign-on.

Email invites

info

If you are self-hosting Flagsmith, you must configure an email provider before using email invites.

To send invitation emails to specific users, click on Invite members. Then, fill in the email address and built-in role of each user you want to invite.

When a user accepts their email invitation, they will be prompted to sign up for a Flagsmith account, or they can choose to log in if they already have an account with the same email address.

Users who have not yet accepted their invitations are listed in the "Pending invites" section at the bottom of this page. From here you can also resend or revoke any pending invitations.

warning

Anyone with an invitation link can join your Flagsmith organisation at any time. Share these links with caution and regenerate them if they are compromised.

Direct links to join your organisation can be found in the Team Members section of this page. One direct link is available for each built-in role that users will have when joining your organisation.

Provision permissions

If a user joins your organisation with the built-in User role, they will not have any permissions to view or change anything in your Flagsmith organisation. You can provide default fine-grained permissions to users with any of these options:

  • Add users by default to a group. When creating or editing a group, select the Add new users by default option. When a user logs in for the first time to your organisation, they will automatically be added to all groups that have this option enabled.
  • Use existing groups from your enterprise identity provider. Any time a user logs in using single sign-on, they will be made a member of any groups with matching external IDs.

Deprecated features

Groups can grant permissions directly to their members in the same way that roles do. This functionality was deprecated in Flagsmith 2.137.0. To grant permissions to all members of a group, create a role with the desired permissions and assign it to the group instead.

Assigning roles to groups has several benefits over assigning permissions directly to a group:

  • Roles can be assigned to Admin API keys, but Admin API keys cannot belong to groups.
  • If you need multiple groups or users with similar permissions, the common permissions can be defined in a role and assigned to multiple groups or users instead of being duplicated.
  • Having roles as the single place where permissions are defined makes auditing permissions easier.

Permissions reference

Permissions can be assigned at four levels: user group, organisation, project, and environment.

User group

PermissionAbility
Group AdminAllows adding or removing users from this group.

Organisation

PermissionAbility
Create ProjectAllows creating projects in the organisation. Users are automatically granted Administrator permissions on any projects they create.
Manage User GroupsAllows adding or removing users from any group.

Project

PermissionAbility
AdministratorGrants full read and write access to all environments, features and segments.
View ProjectAllows viewing this project. The project is hidden from users without this permission.
Create EnvironmentAllows creating new environments in this project. Users are automatically granted Administrator permissions on any environments they create.
Create FeatureAllows creating new features in all environments.
Delete FeatureAllows deleting features from all environments.
Manage SegmentsGrants write access to segments in this project.
View audit logAllows viewing all audit log entries for this project.

Environment

PermissionAbility
AdministratorGrants full read and write access to all feature states, overrides, identities and change requests in this environment.
View EnvironmentAllows viewing this environment. The environment is hidden from users without this permission.
Update Feature StateAllows updating updating any feature state or values in this environment.
Manage IdentitiesGrants read and write access to identities in this environment.
Manage Segment OverridesGrants write access to segment overrides in this environment.
Create Change RequestAllows creating change requests for features in this environment.
Approve Change RequestAllows approving or denying change requests in this environment.
View IdentitiesGrants read-only access to identities in this environment.

Tags

When tags are applied to a role, the permissions, Delete Feature and Update Feature States, are restricted to the features that share the same tag. This allows for greater granularity in permission management, enabling organizations to have better control over sets of features. By implementing a tagging system, users can only modify features relevant to their work, thereby reducing the risk of unauthorized changes in other areas of the system.