Skip to main content

User & Team Permissions

In the context of GrowthBook, a user, or member, is an individual who has access to your organization's GrowthBook account. Each user is assigned a role that determines the level of access they have within the application. GrowthBook offers a range of roles, from No Access to Admin and even custom roles, each with a specific set of permissions (see below). GrowthBook's user permissions system allows organizations to define the level of access each user has within the application. This granular control ensures that users can only access the resources they need to perform their job, enhancing security and privacy.

Adding Users

Team members can be added to your GrowthBook account via the SettingsMembers page. From this main page, you'll see an "Invite Member" button on the right. If you do not see this button, you do not have permission to add members to your organization. Clicking on "Invite Member" will open a modal window from which you can choose some options for the new user.

Inviting members modal

Each GrowthBook user needs an email address, and you can select what global permissions you want to assign (See below for a full list of permission levels).

Inviting a new member to your organization will send an email to that user inviting them to join.

It is possible for a user to join more than one organization. If the user is a member to multiple organizations, they will see a drop-down next to their email address on the top right of the page, where they can select the organization they want to work in.

Environment Specific Limits

Environment Specific Limits

GrowthBook's user permissions also include environment specific limits. This permission level applies only to Engineer and Experimenter roles in Pro or Enterprise accounts. It allows you to limit the feature flags and experiments a user can manage to specific environments. For example, you can allow an Engineer to create and run experiments in a staging environment, but not in production.

Project Specific Permissions

Besides the global permissions, you can also assign project-specific permissions to users. This allows you to define a user's default role across all projects and select per-project overrides. For example, a new user could be a collaborator by default for all projects, but on the mobile project, they could be an experimenter so they can manage all feature flags and experiments assigned to that project.

How permissions are evaluated

GrowthBook evaluates user permissions based on whether an action is taking place within a specific project. If so, project-level permissions are checked first, followed by the user's global role. If the action is not within a project, only the user's global role is checked.

For organizations without a Pro or Enterprise account, user permissions are evaluated solely based on their global role.

note

If your organization has enabled the setting to allow verified users to automatically join your organization, they will receive the Collaborator role by default when they join. However, you can change your organizations' default role at the bottom of the Team page.

Self-registering and Automatic Approvals

If users create an account with a verified email address that matches the domain of your account owner, they will be presented with an option to join your organization. If you have not selected Automatically approve new verified users (which is the default), those users will be listed at the bottom of the page under a section called Pending Members. From this list, you'll have the option of approving or deleting these self-registered users.

Self-registering and Automatic Approvals Toggle

If you are the account owner, you will see a toggle at the top of the members' page that allows you to automatically approve new members who match your domain. This means that instead of being placed in your pending members list, they will automatically join your organization.

Removing Users

To remove a user from your organization, you can click on the three dots next to their name and select Remove User. This will remove the user from your organization and revoke their access to all projects and resources within your organization.

Permissions

Fine-tuning user permissions in an application like GrowthBook ensures a tailored experience, empowering organizations to grant precisely defined access levels. This granular control not only enhances security but also enables teams to collaborate efficiently while safeguarding sensitive features or data.

Organizations using GrowthBook have a number of different ways of defining a user's permission level, depending on the organization's plan.

Regardless of the plan, all organizations can assign a global role when inviting a user which defines their permissions across all projects. If you have a Pro or Enterprise account, you can also assign project-level roles for each user.

note

For example, you can assign a user the global role of Collaborator, allowing them to view features and experiments, add comments, and contribute ideas. You can then assign them an Experimenter role for a specific project, which allows them to create and run experiments, but only for that project.

And, for our Enterprise organizations, we offer the ability to create Teams, which are groups of users, all of which inherit the roles and permissions of the Team they're on.

The table below lists the roles available in GrowthBook and their associated permissions.

No AccessRead OnlyCollaboratorEngineerAnalystExperimenterAdmin
Feature Flags-ViewView
Comment
View
Comment
Add
Edit
View
Comment
View
Comment
Add
Edit
View
Comment
Add
Edit
Experiments-ViewView
Comment
View
Comment
Edit
View
Comment
Add
Edit
Run Queries
View
Comment
Add
Edit
Run Queries
View
Comment
Add
Edit
Run Queries
Metrics-ViewViewViewView
Add
Edit
View
Add
Edit
View
Add
Edit
Dimensions-ViewViewViewView
Add
Edit
View
Add
Edit
View
Add
Edit
Segments-ViewViewViewView
Add
Edit
View
Add
Edit
View
Add
Edit
Datasources-ViewViewViewView
Edit*
View
Edit*
View
Add
Edit
Ideas-ViewView
Add
Edit
View
Add
Edit
View
Add
Edit
View
Add
Edit
View
Add
Edit
SDK Connections-View
Add
View
Add
View
Add
Edit
View
Add
Edit
View
Add
Edit
View
Add
Edit
Attributes-ViewViewView
Add
Edit
ViewView
Add
Edit
View
Add
Edit
Namespaces-ViewViewView
Add
Edit
ViewView
Add
Edit
View
Add
Edit
Environments-ViewViewView
Add
Edit
ViewView
Add
Edit
View
Add
Edit
Saved Groups-ViewViewView
Add
Edit
ViewView
Add
Edit
View
Add
Edit
Tags---View
Add
Edit
View
Add
Edit
View
Add
Edit
View
Add
Edit
Slack Integration------View
Add
Edit
Manage Projects------Yes
Manage Team------Yes
Manage Plan------Yes
Manage Billing------Yes

*Limited to editing a subset of data source settings - identifier types, experiment assignment queries, Jupyter Notebook queries and Data Pipeline settings. Editing datasource name, projects, description, and connection parameters requires Admin permissions.

How does the No Access role work?

The No Access role is available to organizations enrolled in an Enterprise plan.

In some cases, an organization might want to hide certain projects from a user entirely. This is possible with the No Access role. The No Access role can either be applied as the user's global role, or it can be a project-specific role.

In the event you want a user to have access to a subset of projects, you can give them a global role of No Access and then give project-specific permissions for the projects you want them to be able to view.

If, however, you only want to hide a certain project from a user, you can assign their project-level role of No Access which will make it so the user isn't able to view the project.

If you need to apply these rules to many users as once, you can create a Team with the permissions needed, and then add users to that team. But, keep in mind, the user's permissions will be a combination of their user permissions, and the permissions of any team their on, so after adding the user to a team, you may want to reduce their user-level permissions to ensure their previous user-level permissions don't override the permissions inherited by the team(s) they're on.

note

Within GrowthBook, not all resources are project-specific. For example, Dimensions, Namespaces, and Presentations all live at the organization level. This means that all users, regardless of role, will be able to view these resources.

If security of these resources is paramount to your organization, we recommend creating a separate organization, and keeping the resources you want to hide in that organization.

Teams

Enterprise organizations using GrowthBook can create Teams with distinct capabilities. When setting up a Team, you have the option to define both a global role and project-level roles, much like how you do for individual users. Once a Team is established, multiple users can be added to it. Any user added to a Team will automatically inherit all permissions assigned to that Team. This feature becomes particularly useful when combined with GrowthBook's SCIM integration, enabling automated user provisioning and de-provisioning.

To create a Team, you can go to SettingsTeam via the Sidebar and then select the Teams tab at the top of the page. Here, you can create and configure various Teams, before adding members to a Team. When evaluating whether or not a user has permission to perform a certain action, we will merge the user's permissions with the permissions inherited from all the Teams the user is on. So if the user's global role is Collaborator but they're on a Team that grants them Engineer permissions, that user's permission will then be a merger of the Collaborator and Engineer roles.

Custom roles

Enterprise organizations using GrowthBook also have the added flexibility of defining custom roles, which enable organizations to fine-tune a role's permissions. These custom roles can be used just like a standard role and can be applied to users and teams at both the global and project levels. A custom role can also be set as your organization's default role, so if you have auto-join enabled, new members will automatically receive the organization's default role, even if it is a custom role.

When creating a custom role, you can either create a role from scratch or duplicate an existing role and then update the role's description along with the policies, which control the role's permissions.

Once created, the name of a custom role cannot be changed. If you need to change the name, you will need to duplicate the role and set the new name before saving. Once saved, you'll need to update users to use this new role.

Policies & Permissions

When creating and editing custom roles, organizations have the ability to select specific policies for each role, where the policy contains the underlying permissions.

Below, we've outlined the current policies and their associated permissions. If your use case is not met with the current policies, please let us know by creating a Github Issue.

Policy GroupPolicyDescriptionPermissions
GlobalReadDataView all resources - features, metrics, experiments, data sources, etc.readData
CommentsAdd comments to any resourcereadData, addComments
FeaturesFeaturesFullAccessCreate, edit, and delete feature flagsreadData, manageFeatureDrafts, manageFeatures, manageArchetype, canReview,
ArchetypesFullAccessCreate, edit, and delete saved User Archetypes for feature flag debuggingreadData, manageArchetype
FeaturesBypassApprovalsBypass required approval checks for feature flag changesreadData, manageFeatureDrafts, manageFeatures, canReview, bypassApprovalChecks
ExperimentsExperimentsFullAccessCreate, edit, and delete experiments. Does not include Visual Editor access.readData, createAnalyses, runQueries
VisualEditorFullAccessUse the Visual Editor to implement experiment changes.readData, manageVisualChanges
superDeleteReportsDelete custom reports made by other users. Typically assigned to admins only.readData, superDeleteReport
Metrics & DataDataSourcesFullAccessCreate, edit, and delete data sourcesreadData, createDatasources, editDatasourceSettings, runQueries
DataSourceConfigurationEdit existing data source configuration settings (identifier types, experiment assignment queries)readData, editDatasourceSettings, runQueries
RunQueriesExecute queries against data sources. Required to refresh experiment results.readData, runQueries
MetricsFullAccessCreate, edit, and delete regular metrics (does not include Fact Metrics)readData, createMetrics, runQueries
FactTablesFullAccessCreate, edit, and delete fact tables, metrics, and filters.readData, manageFactTables, manageFactMetrics, manageFactFilters, runQueries
FactMetricsFullAccessCreate, edit, and delete fact metrics and filters.readData, manageFactMetrics, manageFactFilters, runQueries
DimensionsFullAccessCreate, edit, and delete dimensionsreadData, createDimensions, runQueries
SegmentsFullAccessCreate, edit, and delete segmentsreadData, createSegments, runQueries
ManagementIdeasFullAccessCreate, edit, and delete ideasreadData, createIdeas
PresentationsFullAccessCreate, edit, and delete presentationsreadData, createPresentations
SDK ConfigurationSDKPayloadPublishMake changes that affect data sent to SDKs. For example: edit a saved group, toggle a feature flag, stop an experiment, etc.readData, publishFeatures, runExperiments
SDKConnectionsFullAccessCreate, edit, and delete SDK ConnectionsreadData, manageSDKConnections, manageSDKWebhooks
AttributesFullAccessCreate, edit, and delete targeting attributesreadData, manageTargetingAttributes
EnvironmentsFullAccessCreate, edit, and delete environmentsreadData, manageEnvironments
NamespacesFullAccessCreate, edit, and delete namespacesreadData, manageNamespaces
SavedGroupsFullAccessCreate, edit, and delete saved groupsreadData, manageSavedGroups
SettingsGeneralSettingsFullAccessEdit organization general settingsreadData, organizationSettings
NorthStarMetricFullAccessConfigure North Star metricsreadData, manageNorthStarMetric
TeamManagementFullAccessInvite users, delete users, change user roles, add/remove users from teams.readData, manageTeam
CustomRolesFullAccessCreate, edit, and delete projectsreadData, manageProjects
ProjectsFullAccessCreate, edit, and delete tagsreadData, manageTags
TagsFullAccessCreate, edit, and delete API secret keys. Not required to create Personal Access Tokens.readData, manageApiKeys
APIKeysFullAccessSet up and configure integrations - GitHub, Vercel, etc.readData, manageIntegrations
IntegrationsFullAccessCreate, edit, and delete event-based webhooks. Used for Slack/Discord notifications.readData, manageEventWebhooks, viewAuditLog
EventWebhooksFullAccessView and edit license key. View invoices and update billing info.readData, manageBilling
BillingFullAccessView and export audit logsreadData, viewAuditLog
AuditLogsFullAccessCreate, edit, and delete custom rolesreadData, manageTeam, manageCustomRoles

Deactivating Roles

As we do not support the ability for an organization to delete a standard role, we have introduced the ability for enterprise organizations to deactivate both standard and custom roles. When a role is deactivated, we remove the role from the roles dropdown when adding a new user or updating an existing user's role. If you deactivate a role that is assigned to a user, the user will experience no changes to their permission level. The deactivation of the role simply removes it from the role options.

The only guardrail in place around deactivating roles is that you cannot deactivate your organization's default role.