Your accountRolesManaging role assignments

Assigning roles to teams

Overview

This topic explains how to assign roles to teams in LaunchDarkly.

How team roles interact with individual member roles

Every organization using LaunchDarkly is made up of members. Members are people who work for your organization or use your organization’s LaunchDarkly account.

You assign roles directly to members when you invite them to LaunchDarkly. You must assign a role to each member when they are invited, even if that role allows no access.

After a member has been invited, you can assign additional roles to them at any time. You can assign the additional roles either directly to an account member, or to a team the account member is on.

A team can have one or more roles assigned to it. In cases where a team’s roles have conflicting permission levels, or a team’s role has conflicting permission levels with the permissions assigned to a member of that team, the more permissive set of permissions will be applied. For example, if a team has one role that allows access to a resource, and a member of that team has another role that restricts access to a resource, the team member will be able to access that resource.

Permissions are cumulative

If an account member has one or more roles, then the account member’s access is defined by those roles. If the roles have conflicting permissions levels, the more permissive level of access is applied. For example, if a member has one role that allows access to a resource, and another role that restricts access to a resource, the member is allowed access.

If a team has one or more roles, then for each account member on the team, the account member’s access is defined by both the member’s role and the roles assigned to the team.

For example, if a member has a Reader base role and is assigned another role through their team, then the member will continue to have read access to all resources through the Reader role, in addition to the access granted through their team. As another example, if a member is assigned the LaunchDarkly Member role directly, and is assigned the LaunchDarkly Developer role through their team, the Developer access is used in addition to Member access.

Assign roles to teams

You can assign roles to a team from the Access tab for the team you manage.

To assign a role to a team:

  1. Click the gear icon in the left sidenav to view Organization settings.

  2. Click Teams.

  3. Click on the name of the team. The team’s Members tab appears.

  4. Click on the team’s Access tab.

  5. Click Assign access. The “Assign access” dialog appears.

  6. Select the role you want to add to the team.

  7. If the role you are assigning uses any role attributes in its definition, enter the specific Resource that this team should have for each attribute. For example, if the role attribute is for a project, enter a project key. The team will then have access to that project based on the policy statements specified in the role.

    The "Assign access" dialog, assigning "Example role" to this team for the "docs-demo" project.

    The "Assign access" dialog, assigning "Example role" to this team for the "docs-demo" project.

  8. Click Assign access.

Remove a role from a team

To remove a role from a team:

  1. Click the gear icon in the left sidenav to view Organization settings.
  2. Click Teams.
  3. Click on the name of the team. The team’s Members tab appears.
  4. Click on the team’s Access tab.
  5. Find the role you want to remove in the list of roles.
  6. Click the three-dot overflow menu next to that role.
  7. Click Remove access. A confirmation dialog appears.
  8. Click Remove access in the dialog to confirm.