Advanced Permissions

Overview of PagerDuty Advanced Permissions user roles

User Role Tiers

PagerDuty has two tiers of user roles depending on your account's plan. To determine which tier your role belongs to, click the User Icon in the upper right of your account and select My Profile. If you see a tab that says Permissions & Teams, please continue to use this article for reference. If you only see the User Settings tab, please visit our article on User Roles.

Advanced Permissions allow you to specify the team-wide role that a user has on any given team, and also the level of access a user has to incidents and configuration objects (services, escalation policies, and schedules).

Benefits of Advanced Permissions

  • Increased control and security - Teams will be able to decide who is allowed to respond to incidents and manage the configuration for their team. Individual users will also be able to create and manage their own personal API Access Keys.
  • Prevent human error - By empowering teams to control who has access to their incidents and configuration, accidents that might interfere with a team’s process can be mitigated.
  • Limit the visibility of sensitive information - Teams will be able to set themselves as “Private” if their incidents or configuration contain sensitive information.

Availability of Advanced Permissions

Advanced Permissions are available to customers on our Business and Digital Operations plans. Please contact our Sales Team if you would like to upgrade to a plan with this feature.

If you are already on a Business or Digital Operations plan but do not yet have advanced permissions enabled, contact PagerDuty Support to request enablement.

Otherwise, if advanced permissions are not available to you, you can still use Basic User Roles to control what level of access your users have in your PagerDuty account.

Overview

With advanced permissions, there are three different types of roles: base roles, team roles and object roles. Each role is unique and dictates what a user has access to.

Base Roles

All users in an account have a base role, and when a new user is added to an account, they must be assigned one. A base role indicates the default level of access a user has to incidents and configuration objects across the entire account.

Base roles can either be flexible or fixed. A fixed base role is a base role that cannot be granted more or less permissions via a team role or an object role. A flexible role is a base role that can be granted more or less permissions via a team role or an object role.

Each base role is described below, with an indication in parentheses of whether it is fixed or flexible:

  • Account Owner - (fixed) Full access to create, update, and delete objects, including a user’s permissions. Account owners can also access the Billing page. This role can only be granted to one person on an account.
  • Global Admin - (fixed) Full access to create, update, and delete objects, including a user’s permissions.
  • Manager - (flexible) Full access to create, update, and delete objects and all of their configuration. Depending on an Account Owner or Global Admin's discretion, these roles may be given lower access levels for specific objects.
  • Responder - (flexible) Can take action on incidents, create incidents for any team, and create overrides.
  • Observer - (flexible) Can view objects, but cannot make any modifications. If an Observer is assigned an incident, they will temporarily have Responder access to that incident only, and can respond and reassign. Observers are able to trigger incidents from the PagerDuty Slack app.
  • Full Stakeholder - (fixed) Can view objects, but cannot make any modifications. Cannot be assigned or respond to incidents.
  • Limited Stakeholder - (fixed) Can only view and subscribe to the status dashboard, view and edit their own user profile, and cannot view any other parts of PagerDuty. For more information, please read our section on Limited Stakeholders.
  • Restricted Access - (flexible) By default, they cannot view or edit any objects on the account until they are given a specific team or object role.

Here is a full list of actions that each base role can take. For flexible roles, this table indicates the level of access each flexible base role has by default on an account before being given more or less permissions via a team or object role.

Flexible: Restricted access, Observer, Responder, Manager
Fixed: Limited Stakeholder, Full Stakeholder, Global Admin, Account Owner
Only has access to the status dashboard and their own user profile. Cannot view any other account objects. ✓
Subscribe to incidents ✓ ✓ ✓ ✓ ✓** ✓** ✓ ✓
Create/delete personal REST API access keys/tokens matching permissions level ✓ ✓ ✓ ✓ ✓ ✓ ✓
Respond to incidents assigned to them ✓ ✓ ✓ ✓ ✓ ✓
Be added on schedules and escalation policies ✓ ✓ ✓ ✓ ✓ ✓
View all public teams, services, schedules, escalation policies, analytics and postmortems across the entire account ✓ ✓ ✓ ✓ ✓ ✓
View alerts from services that they have access to in the Alerts table. (Permission to view services may be restricted by Team and/or Object roles.) ✓ ✓ ✓ ✓ ✓ ✓
Trigger and respond to incidents for any team ✓ ✓ ✓ ✓
Create/delete overrides on any schedule ✓ ✓ ✓ ✓
Create custom incident actions ✓ ✓ ✓ ✓ ✓
Add/edit/delete any:
∙ On-call schedules
∙ Schedule overrides
∙ Escalation policies
∙ Services
∙ Maintenance windows
∙ Teams
∙ Response plays
∙ Business Services
✓ ✓ ✓
View/edit/delete all private teams and their services, schedules, and escalation policies across the entire account ✓ ✓
Create/delete global API access keys ✓ ✓
∙ Manage users
∙ Add new users
∙ Delete users
∙ Edit users’ profiles and passwords
∙ Configure users' base roles, team roles, and object roles
✓ ✓
∙ Redact Incidents
∙ Administer the account
∙ Change the account owner
∙ Edit billing information
∙ Add/edit/delete single sign on (SSO) properties
∙ Delete the account
∙ Change pricing plans
✓

** Limited Stakeholder and Full Stakeholder subscriptions to incidents are only available on our new Business plan and Digital Operations plan. Please contact our Sales Team if you would like to upgrade to a plan with this feature.

To find your base role, click the User Icon, select My Profile, and then select the Permissions & Teams tab.

Team Responder Base Role (Legacy)

The Team Responder base role was deprecated as of 4/26/19. All users with this role have now been changed to a base account role of observer and their team roles will stay the same.

Team Roles

When a user is added to a team, they will also be given a team role. A user’s team role indicates the level of access that they have on that specific team. There are three different types of team roles:

  • Observer - Can only view the configuration objects and incidents associated with that team. If an Observer is assigned an incident, they will temporarily have Responder access to that incident only, and can respond and reassign.
  • Responder - Everything an observer team role can do, PLUS they can respond to incidents associated with that team, trigger incidents for that team, and create/delete overrides on any schedules associated with that team.
  • Manager - Everything a responder team role can do, PLUS they can add/edit/delete schedules, escalation policies, services and service maintenance windows associated with that team. They can also add existing users to their team, as well as edit and delete their team.

When a user is added to or associated with a team for the first time, their default team role will be dependent on their base role. Users can be added to a team manually or automatically by being added to an escalation policy that is associated with a team.

| Base Role | Default Team Role When Added to a Team |
| --- | --- |
| Observer** | Observer |
| Stakeholder | Observer |
| Restricted Access** | Observer |
| Responder** | Responder |
| Manager** | Manager |
| Global Admin | Manager |
| Account Owner | Manager |

** Users with flexible base roles (Restricted Access, Observer, Responder, Manager) can have their default team roles changed to grant them more or less permissions on a specific team.

To find your team role, click the User Icon, select My Profile and then select the Permissions & Teams tab. Users may also have a primary team, which some organizations may need for billing purposes. Please read our section Manage Primary Team for more information.

Object Roles

Object roles are specific levels of access given to an individual user for specific configuration objects (a schedule, escalation policy, and/or service). There are three types of object roles: Observer, Responder, and Manager.

| | Schedule | Escalation Policy | Service |
| --- | --- | --- | --- |
| Observer | Can view | Can view | Can view and add notes to incidents triggered on this service |
| Responder | Can view schedules and create/delete overrides | Can view | Can view and respond to incidents triggered on this service |
| Manager | Can edit schedule and create/delete overrides | Can edit | Can edit, set maintenance windows, and respond to incidents triggered on this service |

To find your object-level role(s), click the User Icon, select My Profile and then select the Permissions & Teams tab.

How Base, Team, and Object Roles Work Together

Base roles establish the level of access that a user has to everything across the entire account, whereas team and object roles give users more or less access to specific configuration objects and incidents than what they would have access to at the account, or base role, level.

Managing Roles

Base, team, and object roles can be managed by different users on the account based on their level of permissions.

| | Manager (team role) | Manager (base role) | Global Admin (base role) | Account Owner (base role) |
| --- | --- | --- | --- | --- |
| Can modify team roles of users on their team | ✓ | ✓ | ✓ | ✓ |
| Can modify team roles for any user on any team | | ✓ | ✓ | ✓ |
| Can modify base roles for any user | | | ✓ | ✓ |
| Can modify object roles for any user | | | ✓ | ✓ |

Updating Base Roles

Users with an Account Owner or Global Admin base role can update other users’ base roles.

To update a user’s base role, go to the Permissions & Teams tab on their user profile and click Edit next to their Base Role.

Updating Team Roles

Users with an Account Owner, Global Admin, or Manager base role can update other users’ team roles. Users with a Manager team role can also update the team roles of users, but only for users on their team.

Users with an Account Owner, Global Admin, or Manager base role can update a user’s team role from the user’s profile page. Go to the Permissions & Teams tab on the user’s profile and select their team role from the drop-down menu under Teams & Team Roles.

Users with a Manager team role are only able to update a user’s team role from their team’s page. Navigate to the People menu and select Teams, then click on your Team, select the Users tab and then select the appropriate role under the Team Role column for that user.

If a user is not yet part of a team, please visit our section on manually adding users to a team.

Updating Object Roles

Users with an Account Owner or Global Admin base role can update other users’ object roles. Note that object roles can only be given to users with a flexible base role (i.e. Restricted Access, Observer, Responder, Manager).

To update a user’s base role, go to the Permissions & Teams tab on their user profile and click Edit next to their Base Role.

Under Additional Permissions, assign an object role to a specific schedule, escalation policy, and/or service.

Team Privacy

With advanced permissions, teams have the option to be set to Private or Public. By default, all teams are public.

  • Public teams can be viewed and accessed by users outside of those teams.
  • Private teams cannot be viewed and accessed by users outside of those teams, except for users with Global Admin or Account Owner base roles (these users have access to all private teams).

When a team is set to private, users who are not part of that team:

Will NOT Be Able To

  • View that team’s schedules, escalation policies, services, and incidents
  • Find that team’s service or escalation policy when creating a new incident
  • Find that team’s escalation policy when reassigning or adding responders to an incident
  • Find that team when adding subscribers to an incident
  • Find that team on the team lens drop-down, on the People > Teams page, or on the profile page of a user associated with that team

WILL Be Able To

  • Find the users associated with that private team on the People > Users page
  • Find the users on that private team when creating, reassigning, adding responders, or adding subscribers to an incident
  • Find the users on that private team when creating a schedule override

Note: Team privacy does not currently apply to the following pages or configuration objects:

  • Response plays
  • Postmortems
  • Analytics

Updating Team Privacy

Users with an Account Owner, Global Admin, or Manager base role can set a team to public or private. Users with a Manager team role specific to a team can also set that team to public or private.

To update a team’s privacy, navigate to the People menu, select Teams and then click on your desired Team. Navigate to the Users tab on that team’s page and set the External Visibility to either public or private.

Responding to Incidents From Other Teams

The team that an incident is associated with is based on the service where the incident was triggered. For example, if an incident is triggered on a service associated with the Network Operations team, then the incident is associated with the Network Operations team. If the incident is reassigned to an escalation policy or user that belongs to a different team, then the incident will still be associated with the Network Operations team.

At this point, any users who are assigned to the incident will be able to respond to it, even if they are not associated with the Network Operations team. However, they won’t see the incident on their incidents dashboard if filtering by My Teams. Any users who are not* assigned to the incident AND who don’t have access to respond to incidents associated with the Network Operations team** will not be able to respond to the incident.

* These users must be directly assigned to the incident to take action on it. They should show up under Assigned to when viewing the incident in the UI, or Assignees in the REST API.

** A user with an Observer or Restricted Access base role and no team role or object role specified for the Network Operations team or its objects.

With that being said, if there is a user who needs to be able to respond to incidents for all or multiple teams, make sure that the user has one of the following:

  • A Responder base role - this will allow them to respond to incidents associated with any team
  • A Responder or Manager role on any team for which they need to respond to incidents
  • A Responder or Manager object role on any service for which they need to respond to incidents
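
The rules in this section can be turned into an access-review helper that lists who can respond to an incident and through which grant. This is an added example, not PagerDuty code: the record layout (`base_role`, `team_roles`, `object_roles`) is hypothetical, the sample data is constructed, and grants are treated as additive, so a team or object role that lowers a flexible user's access is not modeled.

```python
# Added example: models the response rules described in this section.
# Record layout and sample data are constructed; base_role uses the values
# from the "Roles in the REST API and SAML" table on this page. Grants are
# additive here: a role that lowers access is not modeled (assumption).

STAKEHOLDERS = {"read_only_user", "read_only_limited_user"}    # cannot respond
RESPOND_ANY_TEAM = {"limited_user", "user", "admin", "owner"}  # Responder and up
RESPOND_SCOPED = {"responder", "manager"}                      # team/object roles


def response_grants(user, incident):
    """Return the reasons (possibly none) why user may respond to incident."""
    if user["base_role"] in STAKEHOLDERS:
        return []
    grants = []
    if user["id"] in incident["assignees"]:
        grants.append("assigned")
    if user["base_role"] in RESPOND_ANY_TEAM:
        grants.append("base_role")
    # The incident's team is the team of the service it was triggered on;
    # reassigning the incident to another team's users does not change it.
    if user.get("team_roles", {}).get(incident["team"]) in RESPOND_SCOPED:
        grants.append("team_role")
    if user.get("object_roles", {}).get(incident["service"]) in RESPOND_SCOPED:
        grants.append("object_role")
    return grants


def review(users, incident):
    """Map user id -> grants for every user who can respond to incident."""
    found = {u["id"]: response_grants(u, incident) for u in users}
    return {uid: grants for uid, grants in found.items() if grants}


INCIDENT = {  # constructed: triggered on a Network Operations service,
    "service": "core-router",       # then reassigned to dana (Database team)
    "team": "Network Operations",
    "assignees": {"dana"},
}
USERS = [  # constructed sample
    {"id": "alice", "base_role": "observer",
     "team_roles": {"Network Operations": "responder"}},
    {"id": "bob", "base_role": "observer"},
    {"id": "carol", "base_role": "restricted_access",
     "object_roles": {"core-router": "manager"}},
    {"id": "dana", "base_role": "observer",
     "team_roles": {"Database": "responder"}},
    {"id": "erin", "base_role": "limited_user"},
    {"id": "frank", "base_role": "read_only_user"},
]
```

Calling `review(USERS, INCIDENT)` leaves out bob (Observer with no team or object role) and frank (Full Stakeholder), which matches the second footnote above and the stakeholder definition.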

REST API Access

All users can create personal REST API keys or tokens on the User Icon > My Profile > User Settings page of their user profile. Keys or tokens created this way will provide access to the REST API that matches the user’s permissions.

For example, a user with the base role of Manager can create a personal API key that will allow them to edit a schedule. However, they will not be able to add new users to the account because their level of access dictates that they cannot do this.

Global API access keys (which can be either full access or read only) can be created and managed by users with a Global Admin or Account Owner base role.

Migrating From Basic to Advanced Permission Roles

When an account migrates from Basic to Advanced Permissions, most basic user roles are automatically mapped to advanced permissions base roles.

| Basic Permissions | Advanced Permissions |
| --- | --- |
| Account Owner | Account Owner |
| Admin | Global Admin |
| Stakeholder | Stakeholder |
| User | Manager |
| Limited User | Responder |

Please note there is not an Observer role on Basic Permissions.

Roles in the REST API and SAML

When provisioning a user through the REST API or SAML, the user will be given the Manager (a.k.a. User) role by default unless a role is specified in the user's role property. The value set for this property must be one of a fixed set of values recognized by our internal APIs, or our web services will respond with status 400 Invalid Request.

The values of the role field of user records, and also the permissions system, are as follows:

| Title | Value | Flexible or Fixed |
| --- | --- | --- |
| Global Admin | admin | Fixed |
| Full Stakeholder | read_only_user | Fixed |
| Limited Stakeholder | read_only_limited_user | Fixed |
| Manager / User | user | Flexible |
| Responder | limited_user | Flexible |
| Observer | observer | Flexible |
| Restricted Access | restricted_access | Flexible |
| Account Owner** | owner | Fixed |

** Cannot be created through API / SAML
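
Because an omitted role property results in a Manager and the API values do not match the role titles (Responder is `limited_user`, Manager is `user`), a pre-flight check on provisioning data helps keep new users at the intended access level. The following is an added example, not PagerDuty code: the role values come from the table above, while the record layout, function names and sample batch are constructed, and exact, case-sensitive matching of values is an assumption.

```python
# Added example: pre-flight check for user records before provisioning.
# Role values and fixed/flexible flags are copied from the table above;
# the record layout and the sample batch are constructed.

ROLES = {
    "admin": ("Global Admin", "fixed"),
    "read_only_user": ("Full Stakeholder", "fixed"),
    "read_only_limited_user": ("Limited Stakeholder", "fixed"),
    "user": ("Manager", "flexible"),
    "limited_user": ("Responder", "flexible"),
    "observer": ("Observer", "flexible"),
    "restricted_access": ("Restricted Access", "flexible"),
    "owner": ("Account Owner", "fixed"),
}
DEFAULT_ROLE = "user"  # Manager: applied when no role property is given
TITLE_TO_VALUE = {title.lower(): value for value, (title, _) in ROLES.items()}


def check_record(record):
    """Return (effective role or None, findings) for one user record."""
    role = record.get("role")
    if role is None:
        return DEFAULT_ROLE, ["role omitted: user is created as Manager"]
    if role == "owner":
        return None, ["Account Owner cannot be created through API / SAML"]
    if role not in ROLES:  # exact match only (assumption: case-sensitive)
        hint = TITLE_TO_VALUE.get(str(role).strip().lower())
        msg = f"{role!r} is not a role value: expect status 400"
        if hint and hint != "owner":
            msg += f" (the value for that title is {hint!r})"
        return None, [msg]
    if role == "admin":
        return role, ["Global Admin is fixed: team/object roles cannot narrow it"]
    return role, []


def check_batch(records):
    """Map email -> (effective role, findings) for records needing review."""
    report = {}
    for rec in records:
        role, findings = check_record(rec)
        if findings:
            report[rec["email"]] = (role, findings)
    return report


BATCH = [  # constructed sample
    {"email": "a@example.com", "role": "observer"},
    {"email": "b@example.com"},                      # no role property
    {"email": "c@example.com", "role": "Responder"},  # title, not value
    {"email": "d@example.com", "role": "admin"},
    {"email": "e@example.com", "role": "owner"},
]
```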

Best Practices

For more information on Advanced Permissions best practices, please visit our Community post.

Updated 10 days ago
