Users & Roles

An overview of managing users and role-based access control in env0

Create users in env0

When a new user logs into env0 for the first time, either by starting a trial or accepting an invitation to join an existing Organization, a user profile is created. Profile details are taken from the Google, GitHub, Bitbucket, or Microsoft account that was used to log in. Users are identified by their email address.

📘

SAML

env0 supports managing your organization users using SAML for all our paid tiers. Visit our pricing page for more details.

When a user profile is created, a Default Organization is set up for them, and they become its administrator. This Default Organization is used for testing and evaluation. Users can be part of multiple Organizations and can also accept invitations to join other organizations.

Manage Organization Users

Organization Administrators have the capability to oversee user management within the organization. This includes assigning users to roles directly or via teams, offering flexibility in how permissions are distributed across the organization, project, and environment.

To access the user management interface, navigate to the Users screen located under the Settings tab. This area is exclusively available to Organization Administrators.

📘

Note

Selecting an Active Project changes the context of the Users screen to project-specific user management, rather than organization-wide settings.

Organization Administrators can modify roles, invite new users, or remove existing users from the organization. Direct changes to a user's organization role or their removal from the organization are actions restricted to Organization Administrators only.

Invite Users to an Organization

Any Organization Administrator can invite other users to join their organization.

Click Invite User, enter a valid email address for the invited user, and then click Send Invitation.

A user can be invited to an organization whether or not they have an active env0 profile. A user is created in env0 for the invitee (if they are not already a user). The invitation email is sent to the user at their email address and the user status is set to Invited.

If the user is new to env0, a user profile is created when they log in for the first time.

The admin can track the user status in the Users screen, and see when the user has accepted the invitation and joined the organization.

Organization Administrators can revoke an invitation to a user at any time. Click on the garbage can icon next to the user in the Users tab. Once revoked, the user disappears from the list and they can no longer accept the invitation.

Organization Roles

There are two Organization-level roles in env0:

User
A User has no configuration privileges in the Organization scope. They cannot create or edit templates, variables or policies, Git tokens, or any other configuration at the Organization level, and cannot view the organization settings (such as users or API Keys).

A User can be associated with any Project in the Organization, with any role. They work within the limits of their assigned projects.

Administrator
Organization Administrators are the superusers of the system. They have full configuration privileges for all items in the Organization scope, including variables, templates, policies, tokens, and any other configuration.

They also have full access to the organization settings, including inviting and removing users, and generating API keys.

In addition, an organization administrator is associated with all projects in the Organization and has a Project Administrator role in each one of them. No user can change the association or role of the Organization Administrator.

Project Users

In order to have access to a project, users need to be associated with it.
Each user associated with a project has a specific project Role assigned to them.

Managing access to a project can be done in 2 ways:

  1. Managing a team's access to a project:
    If a user is a member of a team that is assigned to the project, the team's role will cascade onto the user. See the Teams section for more information.

  2. Manage a user's access directly:
    A user can also be given a specific role in a project outside of a team. This can be used to give a user additional permissions beyond those assigned by their team, or when the user is not part of any team. Managing users this way requires the Administrator role for that project.
    Go to Project Settings and then select the Users tab. There you'll see a list of all the organization users. Select users from this list to assign to this project. For each, set a role within the specific project.

If the user has multiple roles that originate from their teams or from their specific role for the project, the highest role will be the one to take effect.

Project Roles

A regular user cannot change their role within a project, or disassociate themselves from a project. They also cannot change the role of any other user with an Organization Admin role.
An Organization Admin is associated with all projects, with an administrator role.

The following roles exist in env0’s Projects scope:

Viewer
A Viewer can only look at environments in the projects to which they are assigned, and check the status of those environments.

  • They have no permission to create, change, or destroy environments
  • They do not have any access to view or change project settings

Planner
A Planner can initiate plans to create, change, or destroy environments, but they cannot approve plans or enable plan auto approval.

  • They have permission to plan a creation, change, or destruction of environments
  • Their actions require active approval from a Deployer or Admin to be applied

Deployer
A Deployer can create, change or destroy environments in the project to which they are assigned.

  • They can approve plans created by themselves or others
  • They can enable auto-approval of plans in environments
  • They cannot view or change project settings

Admin
An Admin has full configuration privileges within a given Project.

  • They can create new environments
  • They can view and change all environment settings
  • They can approve plans created by themselves or others
  • They can enable the auto-approval of plans in environments
  • They can change project settings, including: associating users and templates to the project(s) and assigning user roles
  • They can lock and unlock environments

Environment Access

A user can be associated with a specific environment within a project.

One can also give one level of permission within a project, and a higher level of permission for an environment within that project.

The preset roles in the Environment scope mirror those of the Project scope - Viewer, Planner, Deployer, and Admin.
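The resolution rules described above (team roles cascade to members, the highest role takes effect, Organization Administrators are Admin on every project, and an environment can carry a higher role than its project) can be checked in an access review with a small resolver. This is an added example, not env0 code or its API: the `Assignments` data model, the sample users and the role ranking (taken from the order in which the page lists the roles) are assumptions.

```python
# Added example: hypothetical data model, not env0's API or export format.
from dataclasses import dataclass, field

# Assumed ordering, lowest to highest, from the order the page lists the roles.
RANK = {"Viewer": 0, "Planner": 1, "Deployer": 2, "Admin": 3}
CAN_APPROVE = {"Deployer", "Admin"}  # roles the page says can approve plans

@dataclass
class Assignments:
    org_admins: set = field(default_factory=set)
    team_members: dict = field(default_factory=dict)  # team -> set of emails
    team_roles: dict = field(default_factory=dict)    # (team, project) -> role
    direct_roles: dict = field(default_factory=dict)  # (email, project) -> role
    env_roles: dict = field(default_factory=dict)     # (email, project, env) -> role

def effective_role(a, email, project, env=None):
    """Return (role, sources) for a user, or (None, []) if they have no access."""
    if email in a.org_admins:
        return "Admin", ["organization administrator"]
    grants = []
    for (team, proj), role in a.team_roles.items():
        if proj == project and email in a.team_members.get(team, set()):
            grants.append((role, f"team:{team}"))
    if (email, project) in a.direct_roles:
        grants.append((a.direct_roles[(email, project)], "direct"))
    if env is not None and (email, project, env) in a.env_roles:
        grants.append((a.env_roles[(email, project, env)], f"environment:{env}"))
    if not grants:
        return None, []
    top = max(grants, key=lambda g: RANK[g[0]])[0]
    return top, sorted(src for role, src in grants if role == top)

def approvers(a, project, env, users):
    """Users whose effective role lets them approve plans in the environment."""
    return sorted(u for u in users
                  if effective_role(a, u, project, env)[0] in CAN_APPROVE)

# Constructed sample data.
SAMPLE = Assignments(
    org_admins={"root@example.com"},
    team_members={"platform": {"ana@example.com", "bo@example.com"}},
    team_roles={("platform", "payments"): "Planner"},
    direct_roles={("ana@example.com", "payments"): "Deployer"},
    env_roles={("bo@example.com", "payments", "staging"): "Admin"},
)
USERS = ["ana@example.com", "bo@example.com", "cy@example.com", "root@example.com"]

if __name__ == "__main__":
    for u in USERS:
        print(u, effective_role(SAMPLE, u, "payments", "staging"))
```

Returning the source of the winning grant alongside the role shows a reviewer which assignment to change when a user holds more access than intended.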

There are two permissions made specifically for environment-scope custom roles:

  • VIEW ENVIRONMENT - When creating a custom role to assign to an environment scope, you must add this permission. Environment, Project, and Organization Viewers have this permission by default.
  • ASSIGN ROLE ON ENVIRONMENT - A user with a custom role with this permission has the ability to assign users and teams for environments. Environment, Project, and Organization Admins have this permission by default.

📘

Custom Roles

See more in Custom Roles

The VIEW PROJECT permission has all the privileges that VIEW ENVIRONMENT has.