App Permissions and Allowed Actions
Last updated July 10, 2025
This feature is currently available in Heroku Enterprise.
Heroku app permissions enable fine-grained access control for each app. Permissions are assigned per user, per app, and any combination of permissions can be granted to both team members and collaborators.
For how to assign these permissions in a team or to a collaborator, see Managing App Permissions.
App Permissions Matrix
Action | View | Deploy | Operate | Manage |
---|---|---|---|---|
General app and access info | ||||
View basic app info and activity stream* | X | |||
Rename app | X | |||
Delete app | X | |||
Add/remove non-org user to app | X | |||
Manage permissions for other users on app | X | |||
Lock/unlock | X | |||
Transfer the app | X | |||
Code and config | ||||
View code (git pull) | X | |||
Push code (new release) | X | |||
View config variable values | X | X | ||
Edit config variables | X | X | ||
Add-ons | ||||
View list of add-ons on an app | X | X | ||
View app specific add-on resource configuration | X | X | ||
SSO access to add-on admin pages | X | X | ||
Add new free add-on resources to app | X | X | ||
Add new paid add-on resources to app | X | |||
Remove free add-on resources from app | X | X | ||
Remove paid add-on resources from app | X | |||
Change free add-on tier | X | X | ||
Change paid add-on tier | X | |||
App execution | ||||
View app dyno usage | X | |||
View logging drain config | X | |||
Add/remove logging drains | X | |||
View logs | X | |||
View process status | X | |||
See current dynos, workers | X | |||
View metrics | X | |||
Set up threshold alerts | X | |||
View releases | X | |||
Restart app | X | |||
Rollback releases | X | X | ||
Migrate stack | X | |||
See current stack | X | |||
View maintenance mode | X | |||
Turn on and off maintenance mode | X | X | ||
Run one-off commands (including rake and console) | X | X | ||
Scale processes | X | X | ||
Resize processes | X | X | ||
Configuration | ||||
View custom domains | X | |||
View SSL endpoint | X | |||
Set custom domains | X | |||
Add SSL certificate | X | |||
Remove SSL certificate | X |
*Release-related info, such as add-on information and config vars (but not values), are always visible in an app’s activity stream.
Default Behaviors
- All team members have the
view
permission for all of the team’s apps. - Team members, viewers, and collaborators only have the permissions explicitly granted to them for each app.
- When a new app is created or transferred into a team, the creator receives all permissions for that app.
- Only users with the “Manage” permission (or team Admins) can add/remove users or collaborators or change permissions on an app.
- Apps can only be removed from a team or deleted by users with the “Manage” permission or by team Admins.
Collaborators
A collaborator is a user who is granted access to a specific app, but is not the owner or a member of the team that owns the app. Collaborators can be assigned any combination of app-level permissions (View, Deploy, Operate, Manage) for that app, just like team members.
- Collaborators only see the apps they are invited to.
- They can’t access to other team apps, team settings, or billing.
- Collaborators are managed from the app’s Access tab.