Permissions

How permissions work at org, project, and environment levels

Permissions in Flipswitch follow a hierarchical model: organization → project → environment. Higher-level permissions grant access to lower levels.

Permission Format

Permissions follow the pattern {resource}:{id}:{role}. Organization-level permissions have no ID and are written org:{role}.

org:admin              # Organization admin
project:123:admin      # Admin on project with ID 123
project:123:member     # Member on project with ID 123
env:456:admin          # Admin on environment with ID 456
env:456:member         # Member on environment with ID 456

Organization Level

Permission    Can Do
org:admin     Everything - manage users, groups, projects, billing
org:member    View organization, view accessible projects

Organization admins automatically have admin access to all projects and environments.

Project Level

Permission             Can Do
project:{id}:admin     Create/edit/delete flags, environments, segments
project:{id}:member    View flags, view rules, view segments

Project admins can manage all environments within the project.

Environment Level

Permission         Can Do
env:{id}:admin     Toggle flags, edit rules, create API keys
env:{id}:member    View flag states, view rules

Environment permissions are the most granular - useful for separating dev/staging/production access.

Inheritance

Higher-level admin permissions cascade down:

org:admin
  └── implies project:*:admin
        └── implies env:*:admin

project:123:admin
  └── implies env:{all envs in project 123}:admin

Member permissions don't cascade - they only grant read access at their level.

Effective Permissions

A user's effective permissions come from all their groups combined:

User: alice@example.com
Groups: ["Backend Team", "Production Ops"]

Backend Team permissions:
  - org:member
  - project:api:admin

Production Ops permissions:
  - env:production:admin

Alice's effective permissions:
  - org:member
  - project:api:admin (includes all api environments)
  - env:production:admin (for all projects)
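
The inheritance and effective-permission rules above can be checked with a small resolver. This is an added example, not Flipswitch's own code, run on Alice's groups from this page. It assumes that an admin grant also satisfies a member check at the same level, that * matches any ID, and that the caller supplies the project an environment belongs to; Grant, parse, effective and allowed are hypothetical names.

```python
from typing import Iterable, NamedTuple, Optional

class Grant(NamedTuple):
    resource: str        # "org", "project" or "env"
    id: Optional[str]    # None for org grants, "*" for the wildcard
    role: str            # "admin" or "member"

def parse(permission: str) -> Grant:
    """Parse 'org:admin', 'project:123:admin' or 'env:456:member'; reject anything else."""
    parts = permission.split(":")
    if len(parts) == 2 and parts[0] == "org":
        grant = Grant("org", None, parts[1])
    elif len(parts) == 3 and parts[0] in ("project", "env") and parts[1]:
        grant = Grant(*parts)
    else:
        raise ValueError(f"malformed permission: {permission!r}")
    if grant.role not in ("admin", "member"):
        raise ValueError(f"unknown role in {permission!r}")
    return grant

def effective(groups: dict, user_groups: Iterable[str]) -> set:
    """Union of the grants of every group the user belongs to."""
    return {parse(p) for name in user_groups for p in groups[name]}

def allowed(grants, resource, res_id, role, project=None) -> bool:
    """True if `grants` satisfy `role` on the resource. `project` is the
    project that owns an environment (assumption: the caller knows it)."""
    for g in grants:
        same_id = g.id in ("*", res_id)
        if g.role == "admin":  # admin cascades: org -> project -> env
            if g.resource == "org":
                return True
            if g.resource == "project" and (
                    (resource == "project" and same_id)
                    or (resource == "env" and g.id in ("*", project))):
                return True
            if g.resource == "env" and resource == "env" and same_id:
                return True
        elif role == "member" and g.resource == resource and same_id:
            return True  # member: read access at its own level only
    return False

# Alice's groups, copied from the example above.
GROUPS = {
    "Backend Team": ["org:member", "project:api:admin"],
    "Production Ops": ["env:production:admin"],
}
ALICE = effective(GROUPS, ["Backend Team", "Production Ops"])
```

With these grants, allowed(ALICE, "env", "staging", "admin", project="api") is true through project:api:admin, while the same check with project="web-app" is false.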

Common Configurations

Full Access for Small Teams

Group: "Team"
  - org:admin

Everyone can do everything. Simple, works for small teams.

Separated by Environment

Group: "Developers"
  - project:*:member
  - env:development:admin
  - env:staging:admin

Group: "Ops"
  - env:production:admin

Developers can modify dev and staging. Only ops can touch production.

Read-Only Access

Group: "Stakeholders"
  - org:member
  - project:*:member

Can view everything, can't modify anything.

Project-Specific Teams

Group: "Web Team"
  - project:web-app:admin

Group: "Mobile Team"
  - project:mobile-app:admin

Group: "Shared Services"
  - project:auth-service:admin
  - project:notification-service:admin

Teams only have access to their own projects.

Checking Permissions

In the dashboard, you can see a user's effective permissions:

  1. Go to Organization Settings > Members
  2. Click on a user
  3. View their groups and effective permissions

Troubleshooting

User can't access a project:

  • Check they have at least project:{id}:member permission
  • Check they're in a group with that permission

User can view but not modify:

  • They have member but not admin permission
  • Add them to a group with admin at the appropriate level

User can modify staging but not production:

  • They have env:staging:admin but not env:production:admin
  • This is usually intentional - production should have limited access
