No results for ""
EXPAND ALL
  • Home
  • API docs

Creating custom roles and policies

Read time: 5 minutes
Last edited: Nov 27, 2024

Overview

This topic explains how to create custom roles and policies in LaunchDarkly.

Create custom roles

Before you can give an account member custom permissions in LaunchDarkly, you must create a custom role to assign to them.

To create a custom role:

  1. Click the gear icon in the left sidenav to view Organization settings.
  2. Click Roles.
  3. Click Create role. The "New role" page appears:
The New role page.
The New role page.
  1. Enter a human-readable Name for the role.
  2. Enter a Key for the role.
  3. (Optional) Enter a Description to explain what the role does.
  4. Create a policy using the policy builder.
  5. Click Create role.
Custom role limits

By default, LaunchDarkly allows you to create 1,000 custom roles per account. You can create more upon request, free of charge. To learn more, read How to right size when you are over LaunchDarkly system resource count limits.

You can also use the REST API: Create custom role

Create policies for custom roles

Policies are sets of actions a custom role is allowed or not allowed to take on specified resources. You can use the Policy builder to add policy statements to new or existing custom roles.

By default, custom roles cannot take any actions on any resources. You must create a policy that provides the level of access you prefer.

This section only describes creating policy statements with the policy builder

You can also write your own policies with the advanced editor. To learn more, read Using the advanced editor. For examples, read Example policies and templates.

To create a policy:

  1. Complete steps 1-7 in Create custom roles.
  2. In the "Edit Policy" panel, click + Add statement.
  3. Use the Scope menu to specify the resources this policy affects.
  • Select the resource type.
  • In the Select an operation menu, select whether the scope of the statement should be all resources of this type, all resources except for a select few, or only a select few.
  • If necessary, choose these select few from the Select [resources] menu.
  • Some resources require you to specify other resources in order to be correctly identified.
    • For example, if you initially select the "flag" resource type, the policy builder prompts you to specify projects and environments before you can continue.
    • If you select the "project" resource type, no other information is needed.
    • To learn more, read Using resources.
The "Scope" and "Select [resources]" menus when defining a policy scoped to a select set of applications.
The "Scope" and "Select [resources]" menus when defining a policy scoped to a select set of applications.
  1. Use the Actions menu to specify whether to allow or deny actions on these resources.
  • Select "ALLOW" or "DENY."
  • In the Select an operation menu, select whether to allow or deny all actions, all actions except for a select few, or only a select few.
  • If necessary, choose these select few from the Select actions menu.
The "Actions" and "Select actions" menus when defining a policy.
The "Actions" and "Select actions" menus when defining a policy.
  1. (Optional) Repeat steps 2-4 to add additional statements to your policy.
  2. Click Create role.
Older custom roles may have read-only access to all resources by default

By default, new custom roles cannot take any actions on any resources. However, custom roles created prior to October 2024 had the option to use the built-in Reader role as their starting point, rather than starting with no access.


To check whether this applies to any of your existing custom roles, edit the custom role and look for the warning statement "This role currently has base permissions set to Reader. Members can view all LaunchDarkly content." Uncheck the box to update the role so that it starts with no access and only allows actions based on the statements in its policy.

The warning statement on an older custom role, indicating it includes Reader access.
The warning statement on an older custom role, indicating it includes Reader access.

View custom role details

You can view details about an existing custom role and its policies, including which projects and feature flags the role has permission to modify. You can also view each action the custom role can perform and what that action does.

To view details for custom roles from the Roles page:

  1. Click the gear icon in the left sidenav to view Organization settings.
  2. Click Roles.
  3. Find the role with details you wish to view and click View role. A summary of the role and its policy statements appears.
  4. (Optional) To make updates to the role or its policy statements, click the pencil icon to open the "Edit role" page.

You can also view details for custom roles from the Permissions tab for a given member:

  1. Navigate to the Members list.
  2. Click the name of a member.
  3. On the Permissions tab for the member, click the name of a custom role. The "Edit role" page appears.
A member's "Permissions" tab with custom role names called out.
A member's "Permissions" tab with custom role names called out.

You can also use the REST API: Get custom role

Add, view, and remove an account member's roles

To learn how to add a role to an account member, read Adding member roles.

To learn how to view the roles for an individual account member, read Viewing member roles.

To learn how to remove a role from an account member, read Removing member roles.

You can also use the REST API: Get account member