Permissions within Teams
complete
d
danielle
Teams should have more granular permissions that determine who has access to specific features within that team. For example: only let some people suspend/delete services.
Log In
Stephen Barlow
Admin team members can now designate individual environments of a Render project as
protected
, which prevents non-Admin members from performing potentially destructive actions within that environment (such as deleting a service or modifying environment variables).For details, see the docs: https://docs.render.com/projects#protected-access
k
kate
complete
With the launch of Protected Environments in April, Danielle's original request is complete! That said, there's a lot more we want to do to make permissions and access controls even more powerful on Render. There are a ton of interesting features and use cases in the comments - please feel free to open new Canny requests for your specific access and control needs!
M
Malak Janus
I really need to be able to add clients as collaborators to a project instead of paying for a whole new team. :( I'm effectively paying for my own seat multiple times. :(
Stephen Barlow
Admin team members can now designate individual environments of a Render project as
protected
, which prevents non-Admin members from performing potentially destructive actions within that environment (such as deleting a service or modifying environment variables).For details, see the docs: https://docs.render.com/projects#protected-access
m
mitch
Bumping this!!! Would be useful especially for database deletions. Feels scary that databases can just be deleted.
M
Mike Wille
I see comments about project based permissions. That would be great, but...
For us, only a limited number of people on the dev team have access to production. Say 3 out of 10. If we were to use environments, we would want to say that only these particular people have access to Production and everyone has access to Staging/QA.
Currently we are are at:
Production Project <- Production Team (3 people)
QA Project <- QA Team (10 people)
As noted, double billed for 3 people. But the real concern is operational...
Project Based would give us:
Company <- Company Team(10 people)
Production Project <- 3 members of Company Team
QA Project <- 10 members of Company Team
Environment Based
would be even better:Company <- Company Team(10 people)
Application Project <- Assign Company Team
Production Environment <- Assign 3 members of Company Team
QA Environment <- Assign all members of Company Team
Coming from Heroku Shield, this last one is what we had.
And of course, having fine grained roles beyond Amin/Developer would allow us to give the ability for on call support staff to restart production services and view logs but not do anything else like make changes or view data. (Also, what we had with Heroku)
D
Dejan Svetec
Are there any plans to further extend this feature? I was hoping to also see project-based permissions, such as the ability to choose which users have access to specific projects.
Anurag Goel
in progress
Stephen Barlow
We've released two member roles for Render teams:
Admin
and Developer
.- Adminhas full access to the team’s resources and organizational settings (such as member management, billing management, and 2FA enforcement).
- Developerhas access to the team’s resources (services, environment groups, etc.), butnotto organizational settings.
For teams created before today (12 October 2023), all
existing
members have been assigned the Admin
role to preserve their capabilities from before this release. Starting today, the creator of a team is automatically assigned
Admin
, and any newly invited team members are automatically assigned Developer
.Admin
members can set the role for other members from the Team Settings page. For more, see the docs: https://render.com/docs/teams#manage-team-membersThis release lays a foundation for the potential future addition of more roles. As such, we will not mark this item as Complete.
S
Sahil Shah
+1
C
Christopher Grande
I'd add a "Backup Admin" type team member, that can be added, but won't be billed until they login and activate their account.
Load More
→