Permissions and User Roles for Standard and Enterprise Plans

Follow

Permissions allows administrators to manage how users interact with Services, Escalation Policies, and Schedules. This article covers the basic permissions of each user role, and how to set object-specific permissions. For advanced permissions using team roles, refer to Team-Based Permissions.

Custom Permissions are available to customers on our current Standard and Enterprise plans. Please contact our sales team if you would like to upgrade to a plan featuring custom Permissions.

If custom Permissions haven’t been enabled on your PagerDuty account, please reference this article for more information about basic user roles.

Permissions Overview

Under the Permissions schema, a user can either have a Fixed Role, or a Flexible Role with Base Permissions and Additional Permissions. Let's take a closer look at each:

Fixed Roles

User’s in a Fixed Role have the same level of access to all objects in the account, and they cannot be granted additional permissions or overridden.

Here's an overview of the three Fixed Roles and their access levels:

 

Stakeholder

Global Admin

Account Owner

View services, schedules, and escalation policies

Create/delete REST API keys matching permissions level

Configure other users' base roles and additional permissions

 

Add new users

 

Delete users

 

Edit other users’ profile/password

 

Add/edit/delete:

  • on-call schedules
  • escalation policies
  • services
  • teams
 

Trigger, acknowledge, reassign, and resolve incidents

 

Create/delete overrides on schedules

 

Create/manage maintenance windows

 

Enable and edit SSO properties

   

Change the account owner

   

Edit billing info

   

Delete the account

   

  • Account Owner — Full access to create, update, and delete objects, including a user’s permissions. This access cannot be restricted. Can also access the Billing page.
  • Global Admin — Full access to create, update, and delete objects, including a user’s permissions. This access cannot be restricted.
  • Stakeholder — Can view objects, but cannot make any modifications. Cannot be given Additional Permissions.

Flexible Roles

Flexible Roles give the Account Owner and Global Admins a way to create custom roles, and grant users the level of access they need to specific objects.

Flexible Roles start with selecting one of four Base Permissions, which act as a starting point for a role to build off of:

 

 

Observer

Responder/Team Responder*

Manager

Receive additional permissions

Create/delete REST API keys matching permissions level

View services, schedules, and escalation policies

View teams

Trigger, acknowledge, reassign, and resolve incidents

 

Create/delete overrides on schedules

 

Create/delete/edit on-call schedules

   

Create/delete/edit escalation policies

   

Create/delete/edit services

   

Create/delete/edit teams

   

Create/delete/edit maintenance windows

   

*Team Responders are only able to take action on objects associated with their team(s).

  • Manager — Full access to create, update, and delete objects and all of their configuration.
  • Responder — Can take action on incidents, create overrides, and set maintenance windows.
  • Team Responder — For objects belonging to their teams, able to take action on incidents, create overrides, and set maintenance windows.
  • Observer — Can view objects, but cannot make any modifications.

In addition to the base permissions listed above, the Account Owner or a Global Admin can grant additional permissions to give a user Manager, Responder, or Observer access (as outlined above) on one or more service (and its related incidents), escalation policy, and schedule.

Precedence of Permissions

If the user does not have a fixed role, i.e. global admin (in which case they would have permissions to everything) or a stakeholder (in which case they cannot have any object-specific permissions), the object-specific permissions take precedence over their default role.

For a full overview of how permissions are evaluated, including when team roles are involved, see Team-Based Permissions: Precedence of Permissions.

Permissions in the Web UI

You can access Permissions on the user profile page by clicking the Permissions tab. All users can review their permissions here, and this also where the Account Owner and Global Admins can set users’ permissions.

Setting a User’s Permissions

As an example, let’s say you’d like to give a user, Karen Vick, global Observer access, and Manager access on the Services that touch her job.

  1. Go to Karen’s profile page and click Edit.
  2. Under Select a Base Role, select Observer.
  3. Under Additional Permissions, select the services where you’d like the user to have Manager access.
  4. Click Save.

You’re done! Karen is now an Observer globally with Manager access on the Voice and Load Balancer services.

Additionally, users can have different access levels to various objects. The following screenshot shows Manager access on the Voice and Load Balancer services, and Responder access on the Operations schedule:

What Old Roles do the New Roles Correspond With?

If you’re used to user roles prior to Permissions, the table below shows what roles will be called going forward. When Permissions launches, user roles will automatically be mapped from the old one to the new one with its corresponding Base Permissions. The Account Owner or Global Admins can add Additional Permissions as required. 

Prior role name

Role name under Permissions

 

Account Owner

Account Owner

Fixed

Admin

Global Admin

Stakeholder

Stakeholder

User

Manager

Flexible

Limited User

Responder

Team Responder

Team Responder 

Rest API Access

Users can create personal REST API keys on their User Settings page. Keys created this way will provide access to the REST API that matches their permissions.

Have more questions? Submit a request

Comments