Permissions
How permissions work at org, project, and environment levels
Permissions in Flipswitch follow a hierarchical model: organization → project → environment. Higher-level permissions grant access to lower levels.
Permission Format
Permissions follow the pattern: {resource}:{id}:{role}
org:admin # Organization admin
project:123:admin # Admin on project with ID 123
project:123:member # Member on project with ID 123
env:456:admin # Admin on environment with ID 456
env:456:member # Member on environment with ID 456Organization Level
| Permission | Can Do |
|---|---|
org:admin | Everything - manage users, groups, projects, billing |
org:member | View organization, view accessible projects |
Organization admins automatically have admin access to all projects and environments.
Project Level
| Permission | Can Do |
|---|---|
project:{id}:admin | Create/edit/delete flags, environments, segments |
project:{id}:member | View flags, view rules, view segments |
Project admins can manage all environments within the project.
Environment Level
| Permission | Can Do |
|---|---|
env:{id}:admin | Toggle flags, edit rules, create API keys |
env:{id}:member | View flag states, view rules |
Environment permissions are the most granular - useful for separating dev/staging/production access.
Inheritance
Higher-level admin permissions cascade down:
org:admin
└── implies project:*:admin
└── implies env:*:admin
project:123:admin
└── implies env:{all envs in project 123}:adminMember permissions don't cascade - they only grant read access at their level.
Effective Permissions
A user's effective permissions come from all their groups combined:
User: alice@example.com
Groups: ["Backend Team", "Production Ops"]
Backend Team permissions:
- org:member
- project:api:admin
Production Ops permissions:
- env:production:admin
Alice's effective permissions:
- org:member
- project:api:admin (includes all api environments)
- env:production:admin (for all projects)Common Configurations
Full Access for Small Teams
Group: "Team"
- org:adminEveryone can do everything. Simple, works for small teams.
Separated by Environment
Group: "Developers"
- project:*:member
- env:development:admin
- env:staging:admin
Group: "Ops"
- env:production:adminDevelopers can modify dev and staging. Only ops can touch production.
Read-Only Access
Group: "Stakeholders"
- org:member
- project:*:memberCan view everything, can't modify anything.
Project-Specific Teams
Group: "Web Team"
- project:web-app:admin
Group: "Mobile Team"
- project:mobile-app:admin
Group: "Shared Services"
- project:auth-service:admin
- project:notification-service:adminTeams only have access to their own projects.
Checking Permissions
In the dashboard, you can see a user's effective permissions:
- Go to Organization Settings > Members
- Click on a user
- View their groups and effective permissions
Troubleshooting
User can't access a project:
- Check they have at least
project:{id}:memberpermission - Check they're in a group with that permission
User can view but not modify:
- They have
memberbut notadminpermission - Add them to a group with
adminat the appropriate level
User can modify staging but not production:
- They have
env:staging:adminbut notenv:production:admin - This is usually intentional - production should have limited access