No results for ""
EXPAND ALL
  • Home
  • API docs

GIVE DOCS FEEDBACK

Example policies and templates

Read time: 11 minutes
Last edited: May 20, 2024

Overview

This topic shows some examples of different types of policies you can implement with policy filters for custom roles, integrations access, and Relay Proxy access.

It also provides templates you can copy and modify for your own custom roles, including Reader, Writer, and Admin roles.

Creating private projects with custom roles

Use the viewProject action to allow or deny members viewing access to one or more projects. To learn more, read Creating private projects with custom roles.

Custom role examples

Use these custom role policy examples as a starting point for creating your own custom roles.

Example: Grant access to specific environments and flags

Expand Example: Grant access to specific environments and flags, by tag

This example policy uses the * wildcard to allow members of the QA team to administer environments that have tags beginning with qa_, such as qa_test, qa_production, and so on. This policy also allows members to manage flags in environments that have tags beginning with qa_.

To manage flags in environments tagged qa_*, you must specify the flag-level resource you want to control. Limiting resources to "proj/*:env/*;qa_*" lets you manage the environment itself.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*;qa_*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*;qa_*:flag/*"]
}
]
Expand Example: Grant access to specific environments and flags, by tag and property-based selector

Here are two example policies that uses the {property:value} pattern to allow actions on environments based on whether or not they are critical environments. You can mark any environment as critical when you create or update it. Production environments default to being marked as critical.

To manage environments based on the critical property, you must specify the property-based selector as part of the modifiers for the environment resource. Limiting resources to "proj/*:env/*;{critical:true}" accomplishes this.

In the first example, the policy allows members of the DevOps team to administer environments that are marked as critical and tagged as fedramp-enabled. This policy also allows members to manage flags in environments that are marked as critical and tagged as fedramp-enabled.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*;fedramp-enabled,{critical:true}"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*;fedramp-enabled,{critical:true}:flag/*"]
}
]

In the second example, the policy allows members of the Support Team to perform all actions on all environments not marked as critical with flags tagged with support.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*;{critical:false}:flag/*;support"]
}]
Expand Example: Deny access to bypass approvals in critical environments

This example policy uses the {property:value} pattern to deny actions on environments based on whether or not they are critical environments. You can mark any environment as critical when you create or update it. Production environments default to being marked as critical.

To manage environments based on the critical property, you must specify the property-based selector as part of the modifiers for the environment resource. Limiting resources to "proj/*:env/*;{critical:true}" accomplishes this.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:flag/*"]
},
{
"effect": "deny",
"actions": ["bypassRequiredApproval"],
"resources": ["proj/*:env/*;{critical:true}:flag/*"]
}
]

Example: Tag-specific permissions

Expand Example: Tag-specific permissions

One way to organize access to resources is by tagging individual resources, and then creating custom roles with access based on those tags. For example, you can create a dev tag for your environments and use it in a policy to allow access only to development environments. You can add tags to projects, environments, segments, flags, and metrics.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:flag/*;dev"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*;dev"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*;dev"]
}
]

Anyone with this custom role can edit resources that have a dev tag.

For more tag policy examples, read Tags in custom role policies.

Example: Grant access to flag toggles, but not flag rollout or targeting rules

Expand Example: Grant access to flag toggles, but not flag rollout or targeting rules

This example policy allows members of the Ops team to toggle on or off any flags in the production environment. They may not change percentage rollouts or targeting rules, or manage any environments or projects.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Do not use display names for projects and environments in policies

Policies require you to use project and environment keys, not names. If you use their names, the policies will not affect anything.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["updateOn"],
"resources": ["proj/*:env/production:flag/*"]
}
]

Example: Grant all actions to just one flag

Expand Example: Grant all actions to just one flag

The policy below allows all actions to be done to a single specified flag, flag-1. When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

For a complete list of flag actions, read Feature flag actions.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:flag/flag-1"]
}
]

Example: Grant all actions to just one flag while showing only one project

Expand Example: Grant all actions to just one flag while showing only one project

The policy below restricts access to a project a flag is in, while still allowing you to perform actions on that flag. In this example, the flag is called flag-1.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "deny",
"actions": ["viewProject"],
"notResources": ["proj/project-1"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:flag/flag-1"]
}
]

In the example above, we use notResources to allow role recipients to view and modify project-1 exclusively. We do this by specifying which projects the member cannot view, with one exception.

This lets you restrict access to only one project without having to explicitly deny access to every project except that one.

Example: Restrict actions within production environments

Expand Example: Restrict actions within production environments

This policy allows using only these actions in the production-1 environment:

  • updateFlagVariations
  • updateTags

This means they can take all other actions in any other non-production environment. When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "deny",
"actions": ["viewProject"],
"notResources": ["proj/project-1"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/project-1:env/*:flag/*"]
},
{
"effect": "deny",
"notActions": [
"updateFlagVariations",
"updateTags"
],
"resources": ["proj/project-1:env/production-1:flag/*"]
}
]

The second statement in the code snippet above allows all actions in all environments and to all flags in the project named project-1. You must specifically allow access, or the roles default to the Reader role.

Example: Allow access to flags, metrics, and segments in one project

Expand Example: Allow access to flags, metrics, and segments in one project

In this example, we deny all actions to all projects, but allow specific flag actions in one project, all segment actions in all projects, and all metric actions in all projects. When you restrict all actions this comprehensively, you must add each action for flags, segments, and metrics explicitly.

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.

Copy this role and make any modifications to it to suit your needs:

[
{
"effect": "deny",
"notActions": ["viewProject"],
"resources": ["proj/*"]
},
{
"effect": "allow",
"notActions": [
"createFlag",
"updateTargets",
"updateRules",
"createExperiment",
"deleteExperiment",
"updateScheduledChanges"
],
"resources": ["proj/project-1:env/*:flag/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:segment/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:metric/*"]
}
]

Example: Deny access to a project but allow access to a flag

Expand Example: Deny access to a project but allow access to a flag

The following example policy denies access to the account-management project, while allowing all actions on the checkout-flow flag in all projects and environments.

Here's the example policy:

[
{
"effect": "deny",
"actions": ["viewProject"],
"resources": ["proj/account-management"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:flag/checkout-flow"]
}
]

Example: Deny access to the production environment

Expand Example: Deny access to the production environment

In the next example, the environment key production represents the account's Production environment. This statement denies the member from modifying any feature flags in production:

[
{
"effect": "deny",
"actions": ["*"],
"resources": ["proj/*:env/production:flag/*"]
}
]

You can also name an "inverse" set of resources by using notResources in a statement. notResources explicitly allows all actions to feature flags across all environments except an environment you specify.

In the example below, the combination of notResources and the allow effect gives access to all environments except the production environment.

Here's how:

[
{
"effect": "allow",
"actions": ["*"],
"notResources": ["proj/*:env/production:flag/*"]
}
]

Custom role templates

You can copy and modify these Reader, Writer, and Admin role templates for your own custom roles.

Built-in Reader role

Expand Built-in Reader role

When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked. If you uncheck this box, the role will not have read access to any resources.

Copy this Reader role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["viewProject"],
"resources": ["proj/*"]
},
{
"effect": "allow",
"actions": ["createAccessToken"],
"resources": ["member/*:token/*"]
},
]

Built-in Writer role

Expand Built-in Writer role

Because permissions are set to deny by default, you must explicitly allow actions for the Writer role. The code snippet below is a replication of LaunchDarkly's built-in Writer role. You can copy it and make adjustments as needed.

If you compare the code snippet below to the Reader role, you'll find that every resource level is addressed except for member/*, member/*:token/*, role/*, and acct. By default, those resources are already set to deny, so you don't have to specifically deny them again.

Copy this Writer role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["*"],
"resources": ["application/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["code-reference-repository/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:experiment/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["integration/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["member/*:token/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:destination/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:flag/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:segment/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:metric/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:metric-group/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:metric-group/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["relay-proxy-config/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["service-token/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["template/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["webhook/*"]
}
]

Built-in Admin Role

Expand Built-in Admin role

Because permissions are set to deny by default, you must explicitly allow actions for the Admin role. The code snippet below is a replication of LaunchDarkly's built-in Admin role. You can copy it and make adjustments as needed.

Copy this Admin role and make any modifications to it to suit your needs:

[
{
"effect": "allow",
"actions": ["*"],
"resources": ["acct"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["application/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["code-reference-repository/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["domain-verification/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:experiment/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["integration/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["member/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["member/*:token/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["pending-requests"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:context-kind/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:destination/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:flag/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:env/*:segment/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:metric/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:metric-group/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["proj/*:release-pipeline/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["member/*:token/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["relay-proxy-config/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["role/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["service-token/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["team/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["template/*"]
},
{
"effect": "allow",
"actions": ["*"],
"resources": ["webhook/*"]
}
]

No access role

Expand No access role

Permissions are set to deny by default except for the viewProject and createAccessToken actions. You must explicitly deny the viewProject action for the No access role. Denying the the viewProject action also prevents a member from creating access tokens, because a member must be able to view a project before they can edit a token.

The code snippet below is a replication of LaunchDarkly's built-in No access role. You can copy it and make adjustments as needed.

Copy this No access role and make any modifications to it to suit your needs:

[
{
"effect": "deny",
"actions": ["viewProject"],
"resources": ["proj/*"]
}
]