Best practices with using Advanced Permissions

Advanced Permissions allow you to specify different levels of permissions for users across your PagerDuty account and within your team. These levels of permissions include object-level permissions, team-level permissions, and account-level permissions. You can read more about advanced permissions here.

If you’re interested in adopting advanced permissions within your organization, consider the following best practices tips:

1. Follow the principle of least privilege: Grant users as much access as they need to be effective in their role. In practice, this means you’ll want to limit the number of users with a Global Admin or Manager base role, especially at larger organizations. Everybody else should have either an observer, responder , or restricted access base role with additional permissions given at either the team or object level.

2. Add all users and escalation policies to a team to set team roles: Team roles give users specific access to a team, especially when they have limited access at the account level (i.e. an observer, responder, or restricted access base role). Once a user is added to a team, any user on that team with a manager team role will be able to grant more (or less) permissions for each team member. For example, a user with an observer base role won’t have edit access to anything on your account unless they are added to a team and given a manager role on that team. With that level of permissions, they will be able to add/edit/delete configuration objects associated with that team.

3. Use object roles sparingly: Object roles should only be given to users when extremely granular levels of access need to be given to a user. For example, if a user needs edit access to one specific schedule and they have an observer base role, then you can given them a responder role on that specific schedule and they will be able to edit that schedule and nothing else. However, if a user needs edit access to an entire team’s objects, it would be an administrative burden to give them a manager object role on every single schedule, escalation policy, and service associated with that team. Instead, that user should be given a manager role on that team, which will by default give them edit access to all schedules, escalation policies, and services associated with that team.