For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Sign inTry it free
DocsGuidesSDKsIntegrationsAPI docsTutorialsFlagship blog
DocsGuidesSDKsIntegrationsAPI docsTutorialsFlagship blog
  • Get started
    • Overview
    • Onboarding
    • Get started
    • Launch Insights
    • LaunchDarkly architecture
    • LaunchDarkly vocabulary
  • AgentControl
    • AgentControl
    • Manage AgentControl
  • Feature flags
    • Create flags
    • Target with flags
    • Flag templates
    • Manage flags
    • Code references
    • Contexts
    • Segments
  • Releases
    • Releasing features with LaunchDarkly
    • Release policies
    • Percentage rollouts
    • Progressive rollouts
    • Guarded rollouts
    • Feature monitoring
    • Release pipelines
    • Engineering insights
    • Release management tools
    • Applications and app versions
    • Change history
    • Restoring previous flag versions
  • Observability
    • Observability
    • Session replay
    • Error monitoring
    • Logs
    • Traces
    • Observability metrics
    • Product analytics events
    • LLM observability
    • Alerts
    • Dashboards
    • Service map
    • Vega for auto-remediation
    • Observability MCP server
    • Search specification
    • Observability settings
    • Observability integrations
  • Experimentation
    • Experimentation
    • Experiment metric types
    • Experiment configuration
    • Managing experiments
    • Analyzing experiments
    • Multi-armed bandits
    • Holdouts
  • Metrics and events
    • Metrics in LaunchDarkly
    • Creating metrics
    • Metric groups
    • Events
    • Autogenerated metrics
  • Warehouse native
    • Warehouse native metrics
    • Setting up external warehouses
    • Creating experiments using warehouse native metrics
  • Infrastructure
    • Connect apps and services to LaunchDarkly
    • LaunchDarkly in China and Pakistan
    • LaunchDarkly in the European Union (EU)
    • LaunchDarkly in federal environments
    • Public IP list
  • Your account
    • Projects
    • Views
    • Environments
    • Tags
    • Teams
    • Members
    • Roles
      • Member role concepts
      • Managing role assignments
      • Managing roles
        • Organization roles
        • Project roles
        • Creating roles and policies
        • Editing roles
        • Deleting roles
        • Example roles and policies
    • Account security
    • Feature previews
    • Billing and usage
    • Changelog
Sign inTry it free
LogoLogo
On this page
  • Overview
  • Role examples
  • Example: View-specific permissions
  • Example: Deny bypassing approvals in critical environments
  • Example: Grant access to flag toggles, but not flag rollout or targeting rules
  • Example: Grant all actions to just one flag
  • Example: Grant all actions to just one flag while showing only one project
  • Example: Restrict actions within production environments
  • Example: Allow access to flags, metrics, and segments in one project
  • Example: Deny access to the production environment
  • Base role templates
  • Reader role
  • Writer role
  • Admin Role
  • No access role
Your accountRolesManaging roles

Example roles and policies

Was this page helpful?
Previous

Account security

Next
Built with

Overview

This topic shows some examples of different roles and policies you can implement with policy statements for roles, integrations access, and Relay Proxy access.

LaunchDarkly provides several preset roles which include access to common sets of features. Customers on select plans can update these presets or create their own roles. If you are looking for example roles or policies, we recommend that you start by examining the preset organization and project roles provided by LaunchDarkly. You can also add policy statements to these roles, if the permissions they provide are not quite what works best for your organization. To learn more, read Member role concepts, Organization roles, and Project roles.

Role examples

Use these sets of policy statements as a starting point for creating or updating roles in your account.

Example: View-specific permissions

Expand Example: View-specific permissions

One way to organize access to flags is by adding flags to a view, which is a resource to logically group flags within a project. For example, you can create “frontend” and “backend” views to organize flags within your project, and separate access to flags in those views.

This policy allows access to all actions on flags in the “frontend” view in the “default” project. You can copy and modify this example to suit your needs:

Allow access to flags in the "frontend" view
1[
2  {
3    "effect": "allow",
4    "actions": ["*"],
5    "resources": ["proj/default:env/*:flag/*;view:frontend"]
6  }
7]

You can also modify this policy to specify the project and view using role attributes. This means you can reuse this role for different members working on different projects and views:

Allow access to flags in views specified by the "viewKey" role attribute
1[
2  {
3    "effect": "allow",
4    "actions": ["*"],
5    "resources": ["proj/${roleAttribute/projectKey}:env/*:flag/*;view:${roleAttribute/viewKey}"]
6  }
7]

In some cases, policies in which you specify the view using role attributes can only be created in the advanced editor. To learn more, read Use views in complex policy statements.

If you use views to restrict access to sets of flags or other resources, it may be helpful to require that those resources are associated with a view. One way to enforce this, for example, is to create a role that only allows the createFlag action within a particular view. For example, if you normally restrict flag creation to certain roles, you could update the policy statements for those roles to include a specific view.

Here’s how:

Only allow flag creation in the "frontend" view
1[
2  {
3    "effect": "allow",
4    "actions": ["createFlag"],
5    "resources": ["proj/default:env/*:flag/*;view:frontend"]
6  }
7]

When a member creates a feature flag, AgentControl config, or segment, they can associate it with multiple views in a single request. A createFlag statement scoped to one view does not prevent a member from listing additional views in the same API call. This means that a member may be able to add a flag to a view that they do not have access to, as long as they are also adding it to a view they do have permission to add flags to. Access to the flag after it exists is still governed by your other policy statements.

To learn more about views, read Views.

Example: Deny bypassing approvals in critical environments

Expand Example: Deny bypassing approvals in critical environments

This example policy uses the {property:value} pattern to deny actions on environments based on whether or not they are critical environments. You can mark any environment as critical when you create or update it. Production environments default to being marked as critical.

To manage environments based on the critical property, you must specify the property-based selector as part of the modifiers for the environment resource. Limiting resources to "proj/*:env/*;{critical:true}" accomplishes this.

Copy this policy and make any modifications to it to suit your needs:

Deny bypassing approvals in critical environments
1[
2  {
3    "effect": "allow",
4    "actions": ["*"],
5    "resources": ["proj/*:env/*:flag/*"]
6  },
7  {
8    "effect": "deny",
9    "actions": ["bypassRequiredApproval"],
10    "resources": ["proj/*:env/*;{critical:true}:flag/*"]
11  }
12]

Example: Grant access to flag toggles, but not flag rollout or targeting rules

Expand Example: Grant access to flag toggles, but not flag rollout or targeting rules

This example policy allows members of the Ops team to toggle on or off any flags in the production environment. They may not change percentage rollouts or targeting rules, or manage any environments or projects.

Copy this policy and make any modifications to it to suit your needs:

Ops team
1[
2  {
3    "effect": "allow",
4    "actions": ["updateOn"],
5    "resources": ["proj/*:env/production:flag/*"]
6  }
7]

Example: Grant all actions to just one flag

Expand Example: Grant all actions to just one flag

The policy below allows all actions to be done to a single specified flag, flag-1.

For a complete list of flag actions, read Feature flag actions.

Copy this policy and make any modifications to it to suit your needs:

One flag
1[
2  {
3    "effect": "allow",
4    "actions": ["*"],
5    "resources": ["proj/*:env/*:flag/flag-1"]
6  }
7]

Example: Grant all actions to just one flag while showing only one project

Expand Example: Grant all actions to just one flag while showing only one project

The policy below allows access only to a project a flag is in, and allows you to perform actions on that flag. In this example, both the project and the flag are specified using role attributes. When you assign this role to a member or team, you are prompted to fill in the projectKey and flagKey referenced in this role. This means you can reuse this role for different members working on different projects and flags.

Copy this policy and make any modifications to it to suit your needs:

One flag
1[
2  {
3    "effect": "allow",
4    "actions": ["viewProject"],
5    "resources": ["proj/${roleAttribute/projectKey}"]
6  },
7  {
8    "effect": "allow",
9    "actions": ["*"],
10    "resources": ["proj/${roleAttribute/projectKey}:env/*:flag/${roleAttribute/flagKey}"]
11  }
12]

Example: Restrict actions within production environments

Expand Example: Restrict actions within production environments

This policy allows using only these actions in the production environment:

  • updateFlagVariations
  • updateTags

This means you can take all other actions in any other non-production environment. In this example, the environment is set to the production environment, but the project is specified using a role attribute. When you assign this role to a member or team, you are prompted to fill in the projectKey referenced in this role. This means you can reuse this role for different members working on different projects.

Copy this policy and make any modifications to it to suit your needs:

Non-prod environments
1[
2  {
3    "effect": "allow",
4    "actions": ["viewProject"],
5    "resources": ["proj/${roleAttribute/projectKey}"]
6  },
7  {
8    "effect": "allow",
9    "actions": ["*"],
10    "resources": ["proj/${roleAttribute/projectKey}:env/*:flag/*"]
11  },
12  {
13    "effect": "deny",
14    "notActions": [
15      "updateFlagVariations",
16      "updateTags"
17      ],
18    "resources": ["proj/${roleAttribute/projectKey}:env/production:flag/*"]
19  }
20]

Example: Allow access to flags, metrics, and segments in one project

Expand Example: Allow access to flags, metrics, and segments in one project

In this example, the policy allows specific flag actions in one project, all segment actions in all projects, and all metric actions in all projects. The particular project is specified using a role attribute. When you assign this role to a member or team, you are prompted to fill in the projectKey referenced in this role.

Copy this policy and make any modifications to it to suit your needs:

Flags, metrics, and segments
1[
2  {
3    "effect": "allow",
4    "notActions": [
5      "createFlag",
6      "updateTargets",
7      "updateRules",
8      "createExperiment",
9      "deleteExperiment",
10      "updateScheduledChanges"
11    ],
12    "resources": ["proj/${roleAttribute/projectKey}:env/*:flag/*"]
13  },
14  {
15    "effect": "allow",
16    "actions": ["*"],
17    "resources": ["proj/*:env/*:segment/*"]
18  },
19  {
20    "effect": "allow",
21    "actions": ["*"],
22    "resources": ["proj/*:metric/*"]
23  }
24]

Example: Deny access to the production environment

Expand Example: Deny access to the production environment

In the next example, the environment key production represents the account’s production environment in all projects. This policy denies the member from modifying any feature flags in production:

Statement
1[
2  {
3    "effect": "deny",
4    "actions": ["*"],
5    "resources": ["proj/*:env/production:flag/*"]
6  }
7]

You can also name an “inverse” set of resources by using notResources in a statement. notResources explicitly allows all actions to feature flags across all environments except an environment you specify.

In the example below, the combination of notResources and the allow effect gives access to all environments except the production environment.

Here’s how:

notResources statement
1[
2  {
3    "effect": "allow",
4    "actions": ["*"],
5    "notResources": ["proj/*:env/production:flag/*"]
6  }
7]

Base role templates

Unlike the LaunchDarkly-provided preset roles, you cannot edit or view policy details of the base roles in the LaunchDarkly user interface. The sections below show the policy details for these roles. You can copy and modify these Reader, Writer, Admin, and No access role templates for your own roles if needed.

Reader role

Expand Reader role

Copy this Reader base role and make any modifications to it to suit your needs:

Reader role
1[
2  {
3    "effect": "allow",
4    "actions": ["viewProject"],
5    "resources": ["proj/*"]
6  },
7  {
8    "effect": "allow",
9    "actions": ["createAccessToken"],
10    "resources": ["member/*:token/*"]
11  }
12]

Writer role

Expand Writer role

Because permissions are set to deny by default, you must explicitly allow actions for the Writer role. The code snippet below is a replication of LaunchDarkly’s Writer base role. You can copy it and make adjustments as needed.

Copy this Writer base role and make any modifications to it to suit your needs:

Writer role
1[
2  {
3    "effect": "allow",
4    "actions": ["*"],
5    "resources": ["application/*"]
6  },
7  {
8    "effect": "allow",
9    "actions": ["*"],
10    "resources": ["code-reference-repository/*"]
11  },
12  {
13    "effect": "allow",
14    "actions": ["*"],
15    "resources": ["integration/*"]
16  },
17  {
18    "effect": "allow",
19    "actions": ["*"],
20    "resources": ["member/*:token/*"]
21  },
22  {
23    "effect": "allow",
24    "actions": ["*"],
25    "resources": ["proj/*"]
26  },
27  {
28    "effect": "allow",
29    "actions": ["*"],
30    "resources": [
31      "proj/*:env/*:aiconfig/*"
32    ]
33  },
34  {
35    "effect": "allow",
36    "actions": ["*"],
37    "resources": ["proj/*:env/*"]
38  },
39  {
40    "effect": "allow",
41    "actions": ["*"],
42    "resources": ["proj/*:env/*:destination/*"]
43  },
44    {
45    "effect": "allow",
46    "actions": ["*"],
47    "resources": ["proj/*:env/*:experiment/*"]
48  },
49  {
50    "effect": "allow",
51    "actions": ["*"],
52    "resources": ["proj/*:env/*:flag/*"]
53  },
54  {
55    "effect": "deny",
56    "actions": ["bypassRequiredApproval"],
57    "resources": ["proj/*:env/*:flag/*"]
58  },
59  {
60    "effect": "allow",
61    "actions": ["*"],
62    "resources": ["proj/*:env/*:holdout/*"]
63  },
64  {
65    "effect": "allow",
66    "actions": ["*"],
67    "resources": ["proj/*:env/*:segment/*"]
68  },
69  {
70    "effect": "allow",
71    "actions": ["*"],
72    "resources": ["proj/*:layer/*"]
73  },
74  {
75    "effect": "allow",
76    "actions": ["*"],
77    "resources": ["proj/*:metric/*"]
78  },
79  {
80    "effect": "allow",
81    "actions": ["*"],
82    "resources": ["proj/*:metric-group/*"]
83  },
84  {
85    "effect": "allow",
86    "actions": ["*"],
87    "resources": ["proj/*:view/*"]
88  },
89  {
90    "effect": "allow",
91    "actions": ["*"],
92    "resources": ["relay-proxy-config/*"]
93  },
94  {
95    "effect": "allow",
96    "actions": ["*"],
97    "resources": ["proj/*:release-policy/*"]
98  },
99  {
100    "effect": "allow",
101    "actions": ["*"],
102    "resources": ["service-token/*"]
103  },
104  {
105    "effect": "allow",
106    "actions": ["*"],
107    "resources": ["template/*"]
108  },
109  {
110    "effect": "allow",
111    "actions": ["*"],
112    "resources": ["webhook/*"]
113  }
114]

Admin Role

Expand Admin role

Because permissions are set to deny by default, you must explicitly allow actions for the Admin role. The code snippet below is a replication of LaunchDarkly’s Admin base role. You can copy it and make adjustments as needed.

Copy this Admin base role and make any modifications to it to suit your needs:

Admin role
1[
2  {
3    "effect": "allow",
4    "actions": ["*"],
5    "resources": ["acct"]
6  },
7  {
8    "effect": "allow",
9    "actions": ["*"],
10    "resources": ["application/*"]
11  },
12  {
13    "effect": "allow",
14    "actions": ["*"],
15    "resources": ["code-reference-repository/*"]
16  },
17  {
18    "effect": "allow",
19    "actions": ["*"],
20    "resources": ["domain-verification/*"]
21  },
22  {
23    "effect": "allow",
24    "actions": ["*"],
25    "resources": ["integration/*"]
26  },
27  {
28    "effect": "allow",
29    "actions": ["*"],
30    "resources": ["member/*"]
31  },
32  {
33    "effect": "allow",
34    "actions": ["*"],
35    "resources": ["member/*:token/*"]
36  },
37  {
38    "effect": "allow",
39    "actions": ["*"],
40    "resources": ["pending-request/*"]
41  },
42  {
43    "effect": "allow",
44    "actions": ["*"],
45    "resources": ["proj/*"]
46  },
47  {
48    "effect": "allow",
49    "actions": ["*"],
50    "resources": ["proj/*:env/*:aiconfig/*"]
51  },
52  {
53    "effect": "allow",
54    "actions": ["*"],
55    "resources": ["proj/*:context-kind/*"]
56  },
57  {
58    "effect": "allow",
59    "actions": ["*"],
60    "resources": ["proj/*:env/*"]
61  },
62  {
63    "effect": "allow",
64    "actions": ["*"],
65    "resources": ["proj/*:env/*:destination/*"]
66  },
67    {
68    "effect": "allow",
69    "actions": ["*"],
70    "resources": ["proj/*:env/*:experiment/*"]
71  },
72  {
73    "effect": "allow",
74    "actions": ["*"],
75    "resources": ["proj/*:env/*:flag/*"]
76  },
77  {
78    "effect": "allow",
79    "actions": ["*"],
80    "resources": ["proj/*:env/*:holdout/*"]
81  },
82  {
83    "effect": "allow",
84    "actions": ["*"],
85    "resources": ["proj/*:env/*:segment/*"]
86  },
87  {
88    "effect": "allow",
89    "actions": ["*"],
90    "resources": ["proj/*:layer/*"]
91  },
92  {
93    "effect": "allow",
94    "actions": ["*"],
95    "resources": ["proj/*:metric/*"]
96  },
97  {
98    "effect": "allow",
99    "actions": ["*"],
100    "resources": ["proj/*:metric-group/*"]
101  },
102  {
103    "effect": "allow",
104    "actions": ["*"],
105    "resources": ["proj/*:view/*"]
106  },
107  {
108    "effect": "allow",
109    "actions": ["*"],
110    "resources": ["proj/*:release-pipeline/*"]
111  },
112  {
113    "effect": "allow",
114    "actions": ["*"],
115    "resources": ["proj/*:release-policy/*"]
116  },
117  {
118    "effect": "allow",
119    "actions": ["*"],
120    "resources": ["member/*:token/*"]
121  },
122  {
123    "effect": "allow",
124    "actions": ["*"],
125    "resources": ["relay-proxy-config/*"]
126  },
127  {
128    "effect": "allow",
129    "actions": ["*"],
130    "resources": ["role/*"]
131  },
132  {
133    "effect": "allow",
134    "actions": ["*"],
135    "resources": ["service-token/*"]
136  },
137  {
138    "effect": "allow",
139    "actions": ["*"],
140    "resources": ["team/*"]
141  },
142  {
143    "effect": "allow",
144    "actions": ["*"],
145    "resources": ["template/*"]
146  },
147  {
148    "effect": "allow",
149    "actions": ["*"],
150    "resources": ["webhook/*"]
151  }
152]

No access role

Expand No access role

Permissions are set to deny by default. In other words, by default roles cannot take any actions on any resources. You must create a policy that provides the level of access you prefer. An empty policy is equivalent to the Member preset role or the No access base role.