Advanced Permissions allow you to specify different levels of permissions for users across your PagerDuty account and within your team. These levels of permissions include object-level permissions, team-level permissions, and account-level permissions. You can read more about advanced permissions here.
If you’re interested in adopting advanced permissions within your organization, consider the following best practices tips:
1. Follow the principle of least privilege: Grant users as much access as they need to be effective in their role. In practice, this means you’ll want to limit the number of users with a Global Admin or Manager base role, especially at larger organizations. Everybody else should have either an observer, responder , or restricted access base role with additional permissions given at either the team or object level.
2. Add all users and escalation policies to a team to set team roles: Team roles give users specific access to a team, especially when they have limited access at the account level (i.e. an observer, responder, or restricted access base role). Once a user is added to a team, any user on that team with a manager team role will be able to grant more (or less) permissions for each team member. For example, a user with an observer base role won’t have edit access to anything on your account unless they are added to a team and given a manager role on that team. With that level of permissions, they will be able to add/edit/delete configuration objects associated with that team.
3. Use object roles sparingly: Object roles should only be given to users when extremely granular levels of access need to be given to a user. For example, if a user needs edit access to one specific schedule and they have an observer base role, then you can given them a responder role on that specific schedule and they will be able to edit that schedule and nothing else. However, if a user needs edit access to an entire team’s objects, it would be an administrative burden to give them a manager object role on every single schedule, escalation policy, and service associated with that team. Instead, that user should be given a manager role on that team, which will by default give them edit access to all schedules, escalation policies, and services associated with that team.