Building teams in LaunchDarkly

Read time: 7 minutes
Last edited: Jan 11, 2024

Overview

Teams help large organizations to more easily manage their members and access in LaunchDarkly. This guide explains the best practices for getting started using teams in LaunchDarkly, and shows you how to create private teams.

Prerequisites

In order to complete this guide, you must have the following prerequisites:

  • An Admin or Owner role in your LaunchDarkly account, or a custom role with team management permissions.
Teams is an Enterprise feature

Teams is available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

Concepts

This guide relies on the following concepts:

Members

Account members are people who work at your organization or have access rights to your organization's LaunchDarkly environment for another reason, such as contractors or part-time employees.

To learn more about members, read LaunchDarkly account members.

Teams

Teams are groups of your organization's members. A LaunchDarkly account administrator can give specific permissions to teams with custom roles that let them perform actions on different resources, such as projects or flags.

To learn more about teams, read Teams.

LaunchDarkly's built-in roles

Every LaunchDarkly account has four built-in roles: Reader, Writer, Admin, and Owner. Customers on an Enterprise plan also have a restricted No access role. Every account member must have at least one of these built-in roles or a custom role. If you need to, you can also assign account members multiple custom roles to give them the exact set of permissions they need.

To learn more about built-in roles, read LaunchDarkly’s built-in roles.

Custom roles

Custom roles give you precise access control to everything in LaunchDarkly, including feature flags, projects, environments, metrics, and teams, so you can enforce access policies that meet your exact process needs.

To learn more about custom roles, read Custom roles.

Getting started with teams

Depending on your organization’s level of experience with LaunchDarkly, you can get started with teams in one of two ways. Here are the two levels:

  1. You're new to LaunchDarkly: You are one of the first members of your organization to use LaunchDarkly. Your colleagues have not yet been invited to LaunchDarkly or have not been actively using LaunchDarkly yet.
  2. You already use LaunchDarkly: Your organization is already actively using LaunchDarkly and you want to start using teams.

You're new to LaunchDarkly

If you are one of the first members of your organization to use LaunchDarkly and you need to invite others to LaunchDarkly, then take this approach.

To invite new account members, follow the steps outlined in Adding members to LaunchDarkly. When you invite new members, you must assign a built-in role or at least one custom role to each member.

Follow these guidelines when you assign a role:

  • Developers who do not need write privileges to everything in your LaunchDarkly account can be assigned the built-in Reader role. This grants read access to everything in your LaunchDarkly account, but write and modification access to nothing. Alternatively, if your organization has security requirements in place to limit initial access assigned to individual members, you can set the built-in role to No access. This role will not allow a member to view or modify anything in your LaunchDarkly account. Then, create a new team. Create a custom role that grants write access only to specific projects, environments, or flags that the team needs to do their jobs. Assign the custom role and the account members to the team. Team members inherit the custom roles assigned to the team. To learn how to create a team and assign members and custom roles to it, read Creating a team and Managing teams.

  • Administrators who require admin access to your LaunchDarkly account can be assigned an Admin built-in role when you invite them to LaunchDarkly. They will not lose this access if they are also added to a team in LaunchDarkly, because access granted to an individual member is aggregated with access granted to a team. To learn more, read Understanding how team roles interact with individual member roles.

You already use LaunchDarkly

If your organization is already actively using LaunchDarkly and you want to migrate into using teams, then take one of these approaches:

  1. Retain existing access: Use these recommendations for account members who should retain the same level of access as they currently have based on their individual member roles.
  2. Update access to be more restrictive: Use these recommendations in cases where you want to give a set of account members more focused, restrictive access than they currently have based on their individual member roles.

Retaining existing access

To change the access for a set of account members to be controlled by membership in a team, rather than individual roles, follow this procedure:

  1. Create a new team for a set of account members, and add their leads as team maintainers. To learn how, read Creating a team and Adding a team maintainer.

  2. Add the existing account members to the team. Then, assign a custom role with the same level of access as the original member role to the team. Follow the steps outlined in Managing teams to assign members and custom roles to the team. If you’re an admin, you can add members to teams in bulk to streamline the process. If you need to create a new custom role before assigning it to the team, follow the steps outlined in Creating custom roles and policies.

  3. Update each of the team member’s member roles to a role with less access, such as the No access or Reader built-in roles, or a custom role with limited access. Follow the steps outlined in Changing an individual member's roles to update a member’s role. If you’re an admin, you can change multiple members’ roles in bulk to streamline the process.

We recommend the above approach because access granted to an individual member is aggregated with access granted to a team. This means individual member access should be kept at a minimum in order to layer on team access. To learn more, read Understanding how team roles interact with individual member roles.

Updating access to be more restrictive

If you want to further restrict a team's current permissions, audit their existing permissions in LaunchDarkly and determine where you can restrict the scope. For example, if all developers were previously assigned the built-in Writer role, you may want to create teams and assign more granular custom roles that only grant write permissions to certain projects, environments, or flags. This approach can be helpful from both a security and organizational perspective.

After you’ve completed the audit, we recommend taking the following steps:

  1. Create a new team for each group identified. Optionally, add the team leads as team maintainers. To learn how, read Creating a team and Adding a team maintainer.
  2. Add the members to the appropriate team. Then, assign a custom role with a more focused level of access to the team. Follow the steps outlined in Managing teams to assign members and custom roles to the team. If you need to create a new custom role before assigning it to the team, follow the steps outlined in Creating custom roles and policies.

Alternatively, you can update each of the team member's roles to a role with less access, such as the No access or Reader built-in roles, or a custom role with limited access. To learn more, read Configuring roles with no access.

To update a member’s role:

  1. Navigate to Account settings and click into the Members tab.
  2. Find the member in the list of account members.
  3. Click the member's name. The member's Permissions tab appears.
  4. Click Edit member roles.
  5. In the dialog, select the role you wish to assign.
  6. Click Save role.

Creating private teams

Sometimes a team and project should be kept private due to security or other organizational policies. In order to achieve this, all member and team custom roles for members who are not a part of the private team need to include a policy that restricts view access to the private team and project.

The following code sample restricts view and edit access to a project called project-1 and a team called team-1:

[
  {
    "effect": "deny",
    "actions": ["viewProject"],
    "resources": ["proj/project-1"]
  },
  {
    "effect": "deny",
    "actions": ["viewTeam"],
    "resources": ["team/team-1"]
  }
]

Alternatively, to prevent members from viewing content in LaunchDarkly unless you give them access, you can uncheck the box below when you create a custom role. When this box is unchecked, you do not need to explicitly deny view access to projects because the custom role starts with no view or write access to anything in LaunchDarkly. Instead you must explicitly allow view or write access to relevant projects and other LaunchDarkly resources.

The "By default, members can view all LaunchDarkly content" checkbox from the "Create custom role" panel.
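
A private team only stays private if every role held by non-members carries these deny statements, so it is worth checking role policies for gaps. The following audit is an added example, not LaunchDarkly's own code: the role records are constructed, the field names `key`, `default_view` and `policy` are assumptions standing in for however you export your roles, and wildcard matching is simplified. Pass it only the roles assigned to members outside the private team.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample roles. "key", "default_view" (the checkbox state) and
# "policy" are field names assumed for this example, not an export format.
ROLES_JSON = """[
 {"key": "payments-dev", "default_view": true, "policy": [
   {"effect": "allow", "actions": ["*"], "resources": ["proj/payments"]},
   {"effect": "deny", "actions": ["viewProject"], "resources": ["proj/project-1"]},
   {"effect": "deny", "actions": ["viewTeam"], "resources": ["team/team-1"]}]},
 {"key": "mobile-dev", "default_view": true, "policy": [
   {"effect": "deny", "actions": ["viewProject"], "resources": ["proj/project-1"]}]},
 {"key": "contractor", "default_view": false, "policy": [
   {"effect": "allow", "actions": ["viewProject"], "resources": ["proj/mobile"]}]},
 {"key": "support", "default_view": false, "policy": [
   {"effect": "allow", "actions": ["viewProject"], "resources": ["proj/*"]}]}
]"""

# What must stay hidden from everyone outside the private team.
PRIVATE = [("viewProject", "proj/project-1"), ("viewTeam", "team/team-1")]

def covers(stmt, action, resource):
    """True if the statement names this action and resource, honouring '*'.
    Simplified matching: tags, notActions and notResources are not handled."""
    return (any(a in ("*", action) for a in stmt.get("actions", []))
            and any(fnmatchcase(resource, r) for r in stmt.get("resources", [])))

def audit(roles, private=PRIVATE):
    """Map role key -> private (action, resource) pairs the role leaves visible."""
    findings = {}
    for role in roles:
        policy = role.get("policy", [])
        gaps = []
        for action, resource in private:
            denied = any(s.get("effect") == "deny" and covers(s, action, resource)
                         for s in policy)
            allowed = any(s.get("effect") == "allow" and covers(s, action, resource)
                          for s in policy)
            # View-by-default roles need the explicit deny; roles that start
            # with no access only need it if a statement allows the view.
            if not denied and (role.get("default_view", True) or allowed):
                gaps.append(f"{action} on {resource}")
        if gaps:
            findings[role["key"]] = gaps
    return findings

if __name__ == "__main__":
    for key, gaps in audit(json.loads(ROLES_JSON)).items():
        print(f"{key}: missing deny for {', '.join(gaps)}")
```
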

Conclusion

In this guide, you learned some key concepts that provide a foundation for using teams, best practices for getting started using teams whether you're new to LaunchDarkly or have been using LaunchDarkly for some time, and how to create private teams.
