Advanced Permissions

Overview of PagerDuty Advanced Permissions user roles

Administrators can use Advanced Permissions to specify a user’s Team role, as well as their level of access to incidents and configuration objects such as services, escalation policies and schedules.

📘

User Role Tiers

PagerDuty has two tiers of user roles depending on your account's plan. To determine which tier your role belongs to, navigate to User Icon My Profile. If you see a tab that says Permissions & Teams, your account has Advanced Permissions and you should continue to use this article for reference. If you only see the User Settings tab, please visit our article on User Roles.

Account with Advanced Permissions

Account with Advanced Permissions

Benefits of Advanced Permissions

  • Increased control and security: Teams will be able to decide who is allowed to respond to incidents and manage their Team's configuration. Individual users will also be able to create and manage personal API Access Keys.
  • Prevent human error: By empowering Teams to control who has access to their incidents and configuration, accidents that might interfere with a Team’s process can be mitigated.
  • Limit the visibility of sensitive information: Teams can be set to private if their incidents or configuration contain sensitive information.

📘

Pricing Plans

  • Advanced Permissions are available to customers on our Business and Digital Operations plans. Please contact our Sales Team if you would like to upgrade to a plan with this feature.
  • If you are already on a Business or Digital Operations plan but do not yet have Advanced Permissions enabled, contact PagerDuty Support to request enablement.

Role Types

With Advanced Permissions, there are three different types of roles:

Each role is unique and dictates what a user has access to.

Base Roles

All users in an account have a base role, and when a new user is added to an account, they must be assigned one. A base role indicates the default level of access a user has to incidents and configuration objects across the entire account.

Base roles can either be flexible or fixed:

  • Fixed Base Roles: A fixed base role is one that cannot be granted more or fewer permissions via a Team role or an object role.
  • Flexible Base Roles: A flexible base role is one that can be granted more or fewer permissions via a Team role or an object role.
Role NameRole TypeDescription
Account OwnerFixedFull access to create, update, and delete objects, including other users' permissions. Account Owners can also access the Billing page. There can only be one Account Owner user per account.
Global AdminFixedFull access to create, update, and delete objects, including users permissions. Global Admins can also purchase additional user licenses via the Users page.
ManagerFlexibleFull access to create, update, and delete objects and administer their configuration settings. At the Account Owner or Global Admins' discretion, these roles may be given lower access levels for specific objects.
ResponderFlexibleCan take action on incidents, create incidents for any Team, and create schedule overrides.
ObserverFlexibleCan view objects, but cannot make modifications. If an Observer is assigned an incident, they will temporarily have Responder access to that incident only, and can respond to the incident or reassign it. Observers can trigger incidents from the PagerDuty Slack app.
Full StakeholderFixedCan view objects, but cannot make modifications. Cannot be assigned or respond to incidents. For more information, please read our section on Full Stakeholders.
Limited StakeholderFixedCan only view and subscribe to internal status pages, view and edit their user profile. Limited Stakeholders cannot view any other parts of PagerDuty. For more information, please read our section on Limited Stakeholders.
Restricted AccessFlexibleMust be given a specific Team or object role before they can view objects in the account.

To find your own base role, navigate to User Icon My Profile Permissions & Teams tab.

Base Role Actions

Below are two general lists of actions each base role can take divided by flexible and fixed roles. For flexible base roles, the table indicates the level of access each role has by default on an account before being given more or fewer permissions via a Team or object role.

🚧

Feature Permissions

The lists below are not exhaustive, and you can check the Required User Permissions callouts on each feature's article to find out what permissions are required.

Flexible Base Roles

Restricted access Observer Responder Manager
Subscribe to incidents
Create/delete personal REST API access keys/tokens matching permissions level
Respond to incidents assigned to them
Can be added on schedules and escalation policies
View all public Teams, services, schedules, escalation policies, analytics and postmortems across the entire account
View alerts from services that they have access to in the Alerts table. (Permission to view services may be restricted by Team and/or Object roles.)
Trigger and respond to incidents for any Team
Create/delete overrides on any schedule
Create custom incident actions
Add/edit/delete any:
∙ On-call schedules
∙ Schedule overrides
∙ Escalation policies
∙ Services
∙ Maintenance windows
∙ Teams
∙ Response plays
∙ Business Services
∙ Business Services on incidents
Edit and update webhooks and extensions
View/edit/delete all private Teams and their services, schedules, and escalation policies across the entire account
Create/delete global API access keys
∙ Manage users
∙ Add new users
∙ Delete users
∙ Edit users’ profiles and passwords
∙ Configure users' base roles, Team roles, and object roles
∙ Redact Incidents
∙ Administer the account
∙ Change the account owner
∙ Edit billing information
∙ Add/edit/delete single sign on (SSO) properties
∙ Delete the account
∙ Change pricing plans

Fixed Base Roles

Limited Stakeholder Full Stakeholder Global Admin Account Owner
Only has access to internal status pages and their own user profile
∙ Cannot view any other account objects
Subscribe to incidents ✓** ✓**
Create/delete personal REST API access keys/tokens matching permissions level
Respond to incidents assigned to them
Can be added on schedules and escalation policies
View all public Teams, services, schedules, escalation policies, analytics and postmortems across the entire account
View alerts from services that they have access to in the Alerts table. (Permission to view services may be restricted by Team and/or Object roles.)
Trigger and respond to incidents for any Team
Create/delete overrides on any schedule
Create custom incident actions
Add/edit/delete any:
∙ On-call schedules
∙ Schedule overrides
∙ Escalation policies
∙ Services
∙ Maintenance windows
∙ Teams
∙ Response plays
∙ Business Services
∙ Business Services on incidents
Edit and update webhooks and extensions
View/edit/delete all private Teams and their services, schedules, and escalation policies across the entire account
Create/delete global API access keys
∙ Manage users
∙ Add new users
∙ Delete users
∙ Edit users’ profiles and passwords
∙ Configure users' base roles, Team roles, and object roles
∙ Redact Incidents
∙ Administer the account
∙ Change the account owner
∙ Edit billing information
∙ Add/edit/delete single sign on (SSO) properties
∙ Delete the account
∙ Change pricing plans

* Limited Stakeholder and Full Stakeholder subscriptions to internal status pages are only available on Business and Digital Operations plans. Please contact our Sales Team if you would like to upgrade to a plan with this feature. Note: These roles can only subscribe to prioritized incidents appearing on internal status pages.

📘

Team Responder Base Role (Legacy)

The Team Responder base role was deprecated on April 26, 2019. All users with this role have now been changed to an Observer base role and their Team roles will stay the same.

Full Stakeholder Users

Stakeholders can view objects in an account, but cannot make modifications. The intended use case for a Stakeholder is to be added as a Subscriber to an incident. Stakeholders will receive updates about incidents they have subscribed to, but cannot take any action.

Stakeholder users are available by default on our Digital Operations plan and can be purchased as add-on users on Professional and Business plans. Stakeholder licenses are not billed the same as full users. Please contact your account representative for more information.

Limited Stakeholder Users

Limited Stakeholders can view and subscribe to internal status pages, and view their user profile. Limited Stakeholders cannot view any other parts of PagerDuty, whether they are using the web app or the mobile app. This access level is great for users who don't need to see all of the alerts, schedules, and responder details in your account. Subscriptions to incidents are only available for Limited Stakeholders on our Business and Digital Operations plans. Please contact our Sales Team if you would like to upgrade to a plan with this feature.

Team Roles

When a user is added to a Team, they will also be given a Team role. A user’s Team role indicates the level of access that they have to objects associated with that specific Team. There are three types of Team roles:

ObserverResponderManager
View configuration objects and incidents associated with their Team
When assigned an incident, can respond to and reassign it
Respond to incidents associated with their Team
Trigger incident for their Team
Create/delete override on schedule associated with their Team
Add/edit/delete schedules, escalation policies, services and maintenance windows associated with their Team
Add existing users to their Team
Edit and delete their Team
Edit and update webhooks and extensions

When a user is added to or associated with a Team for the first time, their default Team role will depend on their base role. Users can be added to a Team either manually, or automatically when their escalation policy is associated with a Team.

Base RoleDefault Team Role When Added to a Team
Observer*Observer
StakeholderObserver
Restricted Access*Observer
Responder*Responder
Manager*Manager
Global AdminManager
Account OwnerManager

* Administrators can adjust users’ default Team roles to grant them more or fewer permissions on a specific Team.

To find your own Team role, navigate to User Icon My Profile Permissions & Teams tab. Users may also have a primary Team, which some organizations may need for billing purposes. Please read our section Manage Primary Team for more information.

Object Roles

Objects roles are levels of access given for specific configuration objects (a schedule, escalation policy, and/or service) to an individual user. There are three types of object roles: Observer, Responder, and Manager.

ScheduleEscalation PolicyService
ObserverCan viewCan viewCan view and add notes to incidents triggered on this service
ResponderCan view schedules and create/delete overridesCan viewCan view and respond to incidents triggered on this service
ManagerCan edit schedule and create/delete overridesCan editCan edit, set maintenance windows, and respond to incidents triggered on this service

To find your own object-level role(s), navigate to User Icon My Profile Permissions & Teams tab.

How Base, Team, and Object Roles Work Together

Base roles establish the level of access that a user has to everything across the entire account. In addition, Team and object roles give users more or less access to specific objects (i.e., schedules, escalation policies, services) and incidents than their base role alone would allow.

Diagram detailing how base, Team, and object roles work together

Manage Roles

Please see our Manage Users article for more information on managing Advanced Permissions user roles.

Team Privacy

With Advanced Permissions, Teams can be set to Private or Public. Please read our Teams article for more information on Team privacy.

Respond to Incidents From Other Teams

Please read our Teams article for more information on responding to incidents from other Teams.

Migration Role Mapping

When an account migrates from Basic to Advanced Permissions, most basic user roles are automatically mapped to Advanced Permissions base roles.

Basic PermissionsAdvanced Permissions
Account OwnerAccount Owner
AdminGlobal Admin
StakeholderStakeholder
UserManager
Limited UserResponder

📘

Note

Please note there is not an Observer role with Basic Permissions.

Roles in the REST API and SAML

When provisioning a user through the REST API or SAML, the user will by default be given the Manager (i.e., user) role, unless specified in the user's role property. The value must be one of a set of fixed values that our internal APIs recognize. Invalid requests will receive a response with the status 400 Invalid Request.

Values for user records’ role field correspond with role types above:

Role NameValueRole Type
Global AdminadminFixed
Full Stakeholderread_only_userFixed
Limited Stakeholderread_only_limited_userFixed
Manager / UseruserFlexible
Responderlimited_userFlexible
ObserverobserverFlexible
Restricted Accessrestricted_accessFlexible
Account Owner *ownerFixed

* Cannot be created through the REST API or SAML provisioning