Example policies and templates
Read time: 11 minutes
Last edited: Mar 06, 2024
Overview
This topic shows some examples of different types of policies you can implement with policy filters for custom roles, integrations access, and Relay Proxy access.
It also provides templates you can copy and modify for your own custom roles, including Reader, Writer, and Admin roles.
Use the viewProject action to allow or deny members viewing access to one or more projects. To learn more, read Creating private projects with custom roles.
Custom role examples
Use these custom role policy examples as a starting point for creating your own custom roles.
Example: Granting access to specific environments and flags
Expand Example: Granting access to specific environments and flags, by tag
This example policy uses the * wildcard to allow members of the QA team to administer environments that have tags beginning with qa_, such as qa_test, qa_production, and so on. This policy also allows members to manage flags in environments that have tags beginning with qa_.
To manage flags in environments tagged qa_*, you must specify the flag-level resource you want to control. Limiting resources to "proj/*:env/*;qa_*" lets you manage the environment itself.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*;qa_*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*;qa_*:flag/*"]}]
Expand Example: Granting access to specific environments and flags, by tag and property-based selector
Here are two example policies that uses the {property:value} pattern to allow actions on environments based on whether or not they are critical environments. You can mark any environment as critical when you create or update it. Production environments default to being marked as critical.
To manage environments based on the critical property, you must specify the property-based selector as part of the modifiers for the environment resource. Limiting resources to "proj/*:env/*;{critical:true}" accomplishes this.
In the first example, the policy allows members of the DevOps team to administer environments that are marked as critical and tagged as fedramp-enabled. This policy also allows members to manage flags in environments that are marked as critical and tagged as fedramp-enabled.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*;fedramp-enabled,{critical:true}"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*;fedramp-enabled,{critical:true}:flag/*"]}]
In the second example, the policy allows members of the Support Team to perform all actions on all environments not marked as critical with flags tagged with support.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*;{critical:false}:flag/*;support"]}]
Expand Example: Denying access to bypass approvals in critical environments
This example policy uses the {property:value} pattern to deny actions on environments based on whether or not they are critical environments. You can mark any environment as critical when you create or update it. Production environments default to being marked as critical.
To manage environments based on the critical property, you must specify the property-based selector as part of the modifiers for the environment resource. Limiting resources to "proj/*:env/*;{critical:true}" accomplishes this.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:flag/*"]},{"effect": "deny","actions": ["bypassRequiredApproval"],"resources": ["proj/*:env/*;{critical:true}:flag/*"]}]
Example: Tag-specific permissions
Expand Example: Tag-specific permissions
One way to organize access to resources is by tagging individual resources, and then creating custom roles with access based on those tags. For example, you can create a dev tag for your environments and use it in a policy to allow access only to development environments. You can add tags to projects, environments, segments, flags, and metrics.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:flag/*;dev"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*;dev"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*;dev"]}]
Anyone with this custom role can edit resources that have a dev tag.
For more tag policy examples, read Using tags in custom role policies.
Example: Granting access to flag toggles, but not flag rollout or targeting rules
Expand Example: Granting access to flag toggles, but not flag rollout or targeting rules
This example policy allows members of the Ops team to toggle on or off any flags in the production environment. They may not change percentage rollouts or targeting rules, or manage any environments or projects.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Policies require you to use project and environment keys, not names. If you use their names, the policies will not affect anything.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["updateOn"],"resources": ["proj/*:env/production:flag/*"]}]
Example: Granting all actions to just one flag
Expand Example: Granting all actions to just one flag
The policy below allows all actions to be done to a single specified flag, flag-1. When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
For a complete list of flag actions, read Feature flag actions.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:flag/flag-1"]}]
Example: Granting all actions to just one flag while showing only one project
Expand Example: Granting all actions to just one flag while showing only one project
The policy below restricts access to a project a flag is in, while still allowing you to perform actions on that flag. In this example, the flag is called flag-1.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "deny","actions": ["viewProject"],"notResources": ["proj/project-1"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:flag/flag-1"]}]
In the example above, we use notResources to allow role recipients to view and modify project-1 exclusively. We do this by specifying which projects the member cannot view, with one exception.
This lets you restrict access to only one project without having to explicitly deny access to every project except that one.
Example: Restricting actions within production environments
Expand Example: Restricting actions within production environments
This policy allows using only these actions in the production-1 environment:
updateFlagVariationsupdateTags
This means they can take all other actions in any other non-production environment. When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "deny","actions": ["viewProject"],"notResources": ["proj/project-1"]},{"effect": "allow","actions": ["*"],"resources": ["proj/project-1:env/*:flag/*"]},{"effect": "deny","notActions": ["updateFlagVariations","updateTags"],"resources": ["proj/project-1:env/production-1:flag/*"]}]
The second statement in the code snippet above allows all actions in all environments and to all flags in the project named project-1. You must specifically allow access, or the roles default to the Reader role.
Example: Allowing access to flags, metrics, and segments in one project
Expand Example: Allowing access to flags, metrics, and segments in one project
In this example, we deny all actions to all projects, but allow specific flag actions in one project, all segment actions in all projects, and all metric actions in all projects. When you restrict all actions this comprehensively, you must add each action for flags, segments, and metrics explicitly.
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked.
Copy this role and make any modifications to it to suit your needs:
[{"effect": "deny","notActions": ["viewProject"],"resources": ["proj/*"]},{"effect": "allow","notActions": ["createFlag","updateTargets","updateRules","createExperiment","deleteExperiment","updateScheduledChanges"],"resources": ["proj/project-1:env/*:flag/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:segment/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:metric/*"]}]
Example: Denying access to a project but allowing access to a flag
Expand Example: Denying access to a project but allowing access to a flag
The following example policy denies access to the account-management project, while allowing all actions on the checkout-flow flag in all projects and environments.
Here's the example policy:
[{"effect": "deny","actions": ["viewProject"],"resources": ["proj/account-management"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:flag/checkout-flow"]}]
Example: Denying access to the production environment
Expand Example: Denying access to the production environment
In the next example, the environment key production represents the account's Production environment. This statement denies the member from modifying any feature flags in production:
[{"effect": "deny","actions": ["*"],"resources": ["proj/*:env/production:flag/*"]}]
You can also name an "inverse" set of resources by using notResources in a statement. notResources explicitly allows all actions to feature flags across all environments except an environment you specify.
In the example below, the combination of notResources and the allow effect gives access to all environments except the production environment.
Here's how:
[{"effect": "allow","actions": ["*"],"notResources": ["proj/*:env/production:flag/*"]}]
Custom role templates
You can copy and modify these Reader, Writer, and Admin role templates for your own custom roles.
Built-in Reader role
Expand Built-in Reader role
When you recreate this custom role, keep the By default, members can view all LaunchDarkly content box checked. If you uncheck this box, the role will not have read access to any resources.
Copy this Reader role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["viewProject"],"resources": ["proj/*"]},{"effect": "allow","actions": ["createAccessToken"],"resources": ["member/*:token/*"]},]
Built-in Writer role
Expand Built-in Writer role
Because permissions are set to deny by default, you must explicitly allow actions for the Writer role. The code snippet below is a replication of LaunchDarkly's built-in Writer role. You can copy it and make adjustments as needed.
If you compare the code snippet below to the Reader role, you'll find that every resource level is addressed except for member/*, member/*:token/*, role/*, and acct. By default, those resources are already set to deny, so you don't have to specifically deny them again.
Copy this Writer role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["application/*"]},{"effect": "allow","actions": ["*"],"resources": ["code-reference-repository/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:experiment/*"]},{"effect": "allow","actions": ["*"],"resources": ["integration/*"]},{"effect": "allow","actions": ["*"],"resources": ["member/*:token/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:destination/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:flag/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:segment/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:metric/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:metric-group/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:metric-group/*"]},{"effect": "allow","actions": ["*"],"resources": ["relay-proxy-config/*"]},{"effect": "allow","actions": ["*"],"resources": ["service-token/*"]},{"effect": "allow","actions": ["*"],"resources": ["template/*"]},{"effect": "allow","actions": ["*"],"resources": ["webhook/*"]}]
Built-in Admin Role
Expand Built-in Admin role
Because permissions are set to deny by default, you must explicitly allow actions for the Admin role. The code snippet below is a replication of LaunchDarkly's built-in Admin role. You can copy it and make adjustments as needed.
Copy this Admin role and make any modifications to it to suit your needs:
[{"effect": "allow","actions": ["*"],"resources": ["acct"]},{"effect": "allow","actions": ["*"],"resources": ["application/*"]},{"effect": "allow","actions": ["*"],"resources": ["code-reference-repository/*"]},{"effect": "allow","actions": ["*"],"resources": ["domain-verification/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:experiment/*"]},{"effect": "allow","actions": ["*"],"resources": ["integration/*"]},{"effect": "allow","actions": ["*"],"resources": ["member/*"]},{"effect": "allow","actions": ["*"],"resources": ["member/*:token/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:context-kind/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:destination/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:flag/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:env/*:segment/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:metric/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:metric-group/*"]},{"effect": "allow","actions": ["*"],"resources": ["proj/*:release-pipeline/*"]},{"effect": "allow","actions": ["*"],"resources": ["member/*:token/*"]},{"effect": "allow","actions": ["*"],"resources": ["relay-proxy-config/*"]},{"effect": "allow","actions": ["*"],"resources": ["role/*"]},{"effect": "allow","actions": ["*"],"resources": ["service-token/*"]},{"effect": "allow","actions": ["*"],"resources": ["team/*"]},{"effect": "allow","actions": ["*"],"resources": ["template/*"]},{"effect": "allow","actions": ["*"],"resources": ["webhook/*"]}]
No access role
Expand No access role
Permissions are set to deny by default except for the viewProject and createAccessToken actions. You must explicitly deny the viewProject action for the No access role. Denying the the viewProject action also prevents a member from creating access tokens, because a member must be able to view a project before they can edit a token.
The code snippet below is a replication of LaunchDarkly's built-in No access role. You can copy it and make adjustments as needed.
Copy this No access role and make any modifications to it to suit your needs:
[{"effect": "deny","actions": ["viewProject"],"resources": ["proj/*"]}]