Users & Roles

An overview of managing users and role-based access control in env0

Create users in env0

When a new user logs into env0 for the first time, either by starting a trial or accepting an invitation to join an existing Organization, a user profile is created. Profile details are taken from the Google, Github, BitBucket or Microsoft account that was used to log in. Users are identified by their email address.



env0 supports managing your organization users using SAML for all our paid tiers, see our pricing for more details.

A user belongs to one or more Organizations.

When a user profile is created, a Default Organization is created for that user. The user is an administrator for this organization. This organization can be used for evaluation and testing by the user.

Users can accept invitations to join other organizations and become members of them as well.

Manage Users of an Organization

Organization Administrators have the capability to oversee user management within the organization. This management includes assigning users to roles directly or through teams, offering flexibility in how permissions are distributed across the organization, project, and environment scopes.

To access the user management interface, navigate to the Users screen located under the Settings tab. This area is exclusively available to Organization Administrators.



Selecting an Active Project changes the context of the Users screen to project-specific user management, rather than organization-wide settings.

Organization Administrators are empowered to modify roles, invite new users, or remove existing users from the organization. Direct changes to a user's organization role or their removal from the organization are actions restricted to Organization Administrators only.

Invite Users to an Organization

Any Organization Administrators can invite other users to join their organization.

Click Invite User, enter a valid email address for the invited user, and then click Send Invitation.

A user can be invited to an organization whether or not they have an active env0 profile. A user is created in env0 for the invitee (if they are not already a user). The invitation email is sent to the user at their email address and the user status is set to Invited.

If the user is new to env0, a user profile is created when they log in for the first time.

The admin can track the user status in the Users screen, and see when the user has accepted the invitation and joined the organization.

At any time, Organization Administrators can revoke an invitation to a user. Click on the garbage can icon next to the user in the Users tab. Once revoked, the user disappears from the list and they can no longer accept the invitation.

Organization Roles

env0 has two roles in the Organization scope:

A User has no configuration privileges in the Organization scope. They cannot create or edit templates, variables or policies, git tokens, or any other configuration at the Organization level, and cannot view the organization settings (such as users or API Keys).

A User can be associated with any Project in the organization, with any role. They work in the projects with which they are associated.

An Organization Administrator is the superuser of the system. They have full configuration privileges to all items in the Organization scope, including variables, templates, policies, tokens, and any other configuration.

They also have full access to the organization settings, including inviting and removing users, and generating API keys.

In addition, an organization administrator is associated with all projects in the Organization, and has a Project Administrator role in each one of them. No user can change the association or role of the Organization Administrator.

Manage Users of a Project

In order to have access to a project, users need to be associated with it.
Each user associated with a project has a specific project Role assigned to them.

Managing access to a project can be done in 2 ways:

  1. Managing a team's access to a project:
    If a user is a member of a team that is assigned to the project, the team's role will cascade onto the user. See Teams Section for more information.

  2. Manage a user's access directly:
    A user can also be given a specific role in a project outside of a team. This can be used to give a user additional permissions that he does not have from his team's role, or when the user is not part of any team. Managing users this way requires the Administrator role for that project.
    Go to "Project Settings" and then select the Users tab. There you'll see a list of all the organization users. Select users from this list to assign to this project, and, for each, set a role within the specific project.

If the user has multiple roles that originate from his teams or from his own specific role for the project, the highest role will be the one to take effect.

Project Roles

A regular user cannot change their role within a project, or disassociate themselves from a project. They also cannot change the role of any other user with an Organization Admin role.
An Organization Admin is associated with all projects, with an administrator role.

env0 has these roles in Projects scope:

A Viewer can only look at environments in the projects to which they are assigned. They are also able to check their status.

  • They have no permission to create, change, or destroy environments.
  • They do not have any access to view or change project settings.

A Planner can create, change or destroy environments, but they cannot approve plans nor can they enable auto approval of plans.

  • They have permission to plan a creation, change, or destruction of environments.
  • Their actions require active approval from a Deployer or Admin to be executed.

A Deployer can create, change or destroy environments in the project to which they are assigned.

  • They can approve plans created by themselves or others.
  • They can enable the auto-approval of plans in environments.
  • They cannot view or change project settings.

Has full configuration privileges within a given Project.

  • They can create new environments.
  • They can view and change all environment settings.
  • They can approve plans created by themselves or others.
  • They can enable the auto-approval of plans in environments.
  • They can change project settings, including: associating users and templates to the project(s) and assigning user roles.
  • They can lock and unlock environments

Manage Users

A user can be associated with a specific environment within a project.

One can also give one level of permission within a project, and a higher level of permission for an environment within that project specifically.

Only custom roles are supported for environment scope, so you wouldn't have the Admin, Deployer, Planner and Viewer options like you have in the above scopes.

There are 2 permissions made specifically for environment-scoped custom roles

  • VIEW ENVIRONMENT - When creating a custom role to assign for an environment scope, you must add this permission to it. Project and Org Viewers have this permission by default.
  • ASSIGN ROLE ON ENVIRONMENT - A user with a custom role with this permission, has the ability to assign users and teams for environments. Project and Org Admins have this permission by default.


Custom Roles

The VIEW PROJECT permission has all privileges that VIEW ENVIRONMENT has.