Advanced Permissions
Overview of PagerDuty Advanced Permissions user roles
Advanced Permissions allow administrators to specify the Team-wide role that a user has on any given Team, as well as the level of access a user has to incidents and configuration objects (services, escalation policies, and schedules).
User Role Tiers
PagerDuty has two tiers of user roles depending on your account's plan. To determine which tier your role belongs to, navigate to User Icon My Profile. If you see a tab that says Permissions & Teams, your account has Advanced Permissions and you should continue to use this article for reference. If you only see the User Settings tab, please visit our article on User Roles.
Benefits of Advanced Permissions
- Increased control and security: Teams will be able to decide who is allowed to respond to incidents and manage their Team's configuration. Individual users will also be able to create and manage personal API Access Keys.
- Prevent human error: By empowering Teams to control who has access to their incidents and configuration, accidents that might interfere with a Team’s process can be mitigated.
- Limit the visibility of sensitive information: Teams will be able to set themselves as private if their incidents or configuration contain sensitive information.
Pricing Plans
- Advanced Permissions are available to customers on our Business and Digital Operations plans. Please contact our Sales Team if you would like to upgrade to a plan with this feature.
- If you are already on a Business or Digital Operations plan but do not yet have Advanced Permissions enabled, contact PagerDuty Support to request enablement.
Role Types
With Advanced Permissions, there are three different types of roles:
Each role is unique and dictates what a user has access to.
Base Roles
All users in an account have a base role, and when a new user is added to an account, they must be assigned one. A base role indicates the default level of access a user has to incidents and configuration objects across the entire account.
Base roles can either be flexible or fixed:
- Fixed Base Roles: A fixed base role is one that cannot be granted more or fewer permissions via a Team role or an object role.
- Flexible Base Roles: A flexible base role is one that can be granted more or fewer permissions via a Team role or an object role.
Each base role is described below with an indication if they are fixed or flexible in parenthesis:
- Account Owner (fixed): Full access to create, update, and delete objects, including a user’s permissions. Account owners can also access the Billing page. This role can only be granted to one person on an account.
- Global Admin (fixed): Full access to create, update, and delete objects, including a user’s permissions. Global Admins can also purchase additional user licenses via the Users page.
- Manager (flexible): Full access to create, update, and delete objects and all of their configuration. Depending on an Account Owner or Global Admin's discretion, these roles may be given lower access levels for specific objects.
- Responder (flexible): Can take action on incidents, create incidents for any Team, and create overrides.
- Observer (flexible): Can view objects, but cannot make any modifications. If an Observer is assigned an incident, they will temporarily have Responder access to that incident only and can respond and reassign. Observers can trigger incidents from the PagerDuty Slack app.
- Full Stakeholder (fixed): Can view objects, but cannot make any modifications. Cannot be assigned or respond to incidents. For more information, please read our section on Full Stakeholders.
- Limited Stakeholder (fixed): Can only view and subscribe to the status dashboard, view and edit their user profile, and cannot view any other parts of PagerDuty. For more information, please read our section on Limited Stakeholders.
- Restricted Access (flexible): By default, they cannot view or edit any objects on the account until they are given a specific team or object role.
To find your own base role, navigate to User Icon My Profile Permissions & Teams tab.
Base Role Actions
Below are two general lists of actions each base role can take divided by flexible and fixed roles. For flexible base roles, the table indicates the level of access each role has by default on an account before being given more or fewer permissions via a Team or object role.
Feature Permissions
The lists below are not exhaustive, and you can check the Required User Permissions callouts on each feature's article to find out what permissions are required.
Flexible Base Roles
| Restricted access | Observer | Responder | Manager | |
|---|---|---|---|---|
| Subscribe to incidents | ✓ | ✓ | ✓ | ✓ |
| Create/delete personal REST API access keys/tokens matching permissions level | ✓ | ✓ | ✓ | ✓ |
| Respond to incidents assigned to them | ✓ | ✓ | ✓ | ✓ |
| Can be added on schedules and escalation policies | ✓ | ✓ | ✓ | ✓ |
| View all public Teams, services, schedules, escalation policies, analytics and postmortems across the entire account | ✓ | ✓ | ✓ | View alerts from services that they have access to in the Alerts table. (Permission to view services may be restricted by Team and/or Object roles.) | ✓ | ✓ | ✓ |
| Trigger and respond to incidents for any Team | ✓ | ✓ | ||
| Create/delete overrides on any schedule | ✓ | ✓ | ||
| Create custom incident actions | ✓ | |||
| Add/edit/delete any: ∙ On-call schedules ∙ Schedule overrides ∙ Escalation policies ∙ Services ∙ Maintenance windows ∙ Teams ∙ Response plays ∙ Business Services ∙ Business Services on incidents |
✓ | |||
| View/edit/delete all private Teams and their services, schedules, and escalation policies across the entire account | ||||
| Create/delete global API access keys | ||||
| ∙ Manage users ∙ Add new users ∙ Delete users ∙ Edit users’ profiles and passwords ∙ Configure users' base roles, Team roles, and object roles |
||||
|
∙ Redact Incidents ∙ Administer the account ∙ Change the account owner ∙ Edit billing information ∙ Add/edit/delete single sign on (SSO) properties ∙ Delete the account ∙ Change pricing plans |
Fixed Base Roles
| Limited Stakeholder | Full Stakeholder | Global Admin | Account Owner | |
|---|---|---|---|---|
| Only has access to the status dashboard and their own user profile. Cannot view any other account objects. | ✓ | |||
| Subscribe to incidents | ✓** | ✓** | ✓ | ✓ |
| Create/delete personal REST API access keys/tokens matching permissions level | ✓ | ✓ | ✓ | |
| Respond to incidents assigned to them | ✓ | ✓ | ||
| Can be added on schedules and escalation policies | ✓ | ✓ | ||
| View all public Teams, services, schedules, escalation policies, analytics and postmortems across the entire account | ✓ | ✓ | ✓ | View alerts from services that they have access to in the Alerts table. (Permission to view services may be restricted by Team and/or Object roles.) | ✓ | ✓ | ✓ |
| Trigger and respond to incidents for any Team | ✓ | ✓ | ||
| Create/delete overrides on any schedule | ✓ | ✓ | ||
| Create custom incident actions | ✓ | ✓ | ||
| Add/edit/delete any: ∙ On-call schedules ∙ Schedule overrides ∙ Escalation policies ∙ Services ∙ Maintenance windows ∙ Teams ∙ Response plays ∙ Business Services ∙ Business Services on incidents |
✓ | ✓ | ||
| View/edit/delete all private Teams and their services, schedules, and escalation policies across the entire account | ✓ | ✓ | ||
| Create/delete global API access keys | ✓ | ✓ | ||
| ∙ Manage users ∙ Add new users ∙ Delete users ∙ Edit users’ profiles and passwords ∙ Configure users' base roles, Team roles, and object roles |
✓ | ✓ | ||
|
∙ Redact Incidents ∙ Administer the account ∙ Change the account owner ∙ Edit billing information ∙ Add/edit/delete single sign on (SSO) properties ∙ Delete the account ∙ Change pricing plans |
✓ |
** Limited Stakeholder and Full Stakeholder subscriptions to Status Dashboard incidents are only available on Business and Digital Operations plans. Please contact our Sales Team if you would like to upgrade to a plan with this feature. Note: These roles can only subscribe to prioritized incidents appearing on the Status Dashboard.
Team Responder Base Role (Legacy)
The Team Responder base role was deprecated on 4/26/19. All users with this role have now been changed to an Observer base role and their Team roles will stay the same.
Full Stakeholder Users
Stakeholders can view objects in an account, but cannot make modifications. The intended use case for a Stakeholder is to be added as a Subscriber to an incident — they will receive updates about the incident, but cannot take any action.
Stakeholder users are available by default on our Digital Operations plan and can be purchased as add-on users on Professional and Business plans. Stakeholder licenses are not billed the same as full users. Please contact your account representative for more information.
Limited Stakeholder Users
The Limited Stakeholder role provides users access to view and subscribe to the status dashboard, view their user profile, and does not show any other parts of PagerDuty, whether they are using the web app or the mobile app. This access level is great for teams who don't need to see all of the alerts, schedules, and responder details in your account. Subscriptions to incidents are only available for Limited Stakeholders on our Business and Digital Operations plans. Please contact our Sales Team if you would like to upgrade to a plan with this feature.
Team Roles
When a user is added to a Team, they will also be given a Team role. A user’s Team role indicates the level of access that they have on that specific Team. There are three types of Team roles:
- Observer: Can only view the configuration objects and incidents associated with that Team. If an Observer is assigned an incident, they will temporarily have Responder access to that incident only and can respond and reassign.
- Responder: Everything an Observer Team role can do, PLUS they can respond to incidents associated with that Team, trigger incidents for that Team, and create/delete overrides on any schedules associated with that Team.
- Manager: Everything a Responder Team role can do, PLUS they can add/edit/delete schedules, escalation policies, services and service maintenance windows associated with that Team. They can also add existing users to their Team, as well as edit and delete their Team.
When a user is added to or associated with a Team for the first time, their default Team role will be dependent on their base role. Users can be added to a Team manually or automatically by being added to an escalation policy that is associated with a Team.
| Base Role | Default Team Role When Added to a Team |
|---|---|
| Observer** | Observer |
| Stakeholder | Observer |
| Restricted Access** | Observer |
| Responder** | Responder |
| Manager** | Manager |
| Global Admin | Manager |
| Account Owner | Manager |
** Users with flexible base roles (Restricted Access, Observer, Responder, Manager) can have their default Team roles changed to grant them more or fewer permissions on a specific Team.
To find your own Team role, navigate to User Icon My Profile Permissions & Teams tab. Users may also have a primary Team, which some organizations may need for billing purposes. Please read our section Manage Primary Team for more information.
Object Roles
Objects roles are levels of access given for specific configuration objects (a schedule, escalation policy, and/or service) to an individual user. There are three types of object roles: Observer, Responder, and Manager.
| Schedule | Escalation Policy | Service | |
|---|---|---|---|
| Observer | Can view | Can view | Can view and add notes to incidents triggered on this service |
| Responder | Can view schedules and create/delete overrides | Can view | Can view and respond to incidents triggered on this service |
| Manager | Can edit schedule and create/delete overrides | Can edit | Can edit, set maintenance windows, and respond to incidents triggered on this service |
To find your own object-level role(s), navigate to User Icon My Profile Permissions & Teams tab.
How Base, Team, and Object Roles Work Together
Base roles establish the level of access that a user has to everything across the entire account, whereas Team and object roles give users more or less access to specific configuration objects and incidents than what they would have access to at the account (i.e., base role) level.
Manage Roles
Please see our Manage Users article for more information on managing Advanced Permissions user roles.
Team Privacy
With Advanced Permissions, Teams have the option to be set to Private or Public. Please read our Teams article for more information on Team privacy.
Respond to Incidents From Other Teams
Please read our Teams article for more information on responding to incidents from other Teams.
Migration Role Mapping
When an account migrates from Basic to Advanced Permissions, most basic user roles are automatically mapped to advanced permissions base roles.
| Basic Permissions | Advanced Permissions |
|---|---|
| Account Owner | Account Owner |
| Admin | Global Admin |
| Stakeholder | Stakeholder |
| User | Manager |
| Limited User | Responder |
Note
Please note there is not an Observer role with Basic Permissions.
Roles in the REST API and SAML
When provisioning a user through the REST API or SAML, the user will by default be given the Manager (a.k.a. user) role, unless specified in the user's role property. The value set for it must be one of a set of fixed values that are recognized by our internal APIs, or our web services will respond with the status 400 Invalid Request.
The values of the role field of user records, and also the permissions system, are as follows:
| Title | Value | Flexible or Fixed |
|---|---|---|
| Global Admin | admin | Fixed |
| Full Stakeholder | read_only_user | Fixed |
| Limited Stakeholder | read_only_limited_user | Fixed |
| Manager / User | user | Flexible |
| Responder | limited_user | Flexible |
| Observer | observer | Flexible |
| Restricted Access | restricted_access | Flexible |
| Account Owner ** | owner | Fixed |
** Cannot be created through API / SAML
Updated 3 months ago