Implementing Roles for Heroku Users in Add-on SSO Dashboards

Last updated February 06, 2024

Table of Contents

  • Always set a default role for new SSO users
  • Automatically determining roles for team-owned apps

If your add-on is attached to a Heroku app that has multiple collaborators, all of those collaborators can open the add-on’s dashboard via add-on SSO. Optionally, your add-on can define its own set of roles that it assigns to these collaborators. This enables the app’s owner to restrict access to certain dashboard features.

This article describes how to create and maintain roles for your add-on dashboard without violating the add-on ownership model.

Most importantly, never create a username and/or password in your system for a Heroku add-on user. Always authenticate add-on users via add-on SSO.

Always set a default role for new SSO users

Whenever a collaborator opens your add-on’s dashboard via add-on SSO, the request to your system includes an email parameter. This is the email address associated with the collaborator’s Heroku account.

Assuming the SSO request authenticates successfully:

  • If this is the first user ever to authenticate for this add-on instance, assign the user an “admin” role that has full dashboard permissions.
    • “Full dashboard permissions” should include the ability to change the role of other collaborators that authenticate in the future.
  • If this is a new user that isn’t the very first user to authenticate, assign the user whatever “default” role makes sense for your add-on’s dashboard (this might be the same “admin” role as above).
  • If this user has authenticated before, assign them whatever role is currently associated with their email address in your system.

After assigning a role to a user, make sure to persist it with the user’s email address in your system.

When your dashboard determines a user’s role, it can then present its UI in accordance with that role’s permissions.

It’s recommended that your system always require at least one active user to have the “admin” role for a given add-on instance. Otherwise, it becomes more likely that no user has full dashboard access.

Note that even if your system does enforce this requirement, all users with the “admin” role might later be removed from the add-on’s associated app. In this case, the app’s owner will need to file a support ticket that you as the add-on provider will be assigned.
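
The role-assignment rules and the at-least-one-admin requirement above, sketched as an added example (not Heroku's code) on top of SQLite. The `resource_id` key for the add-on instance, the "member" default role name, the table layout and the lower-casing of emails are assumptions of this example; both functions expect the SSO request to have been authenticated already.

```python
import sqlite3
from contextlib import contextmanager

ADMIN, DEFAULT_ROLE = "admin", "member"  # "member" as the default is an assumption

def open_store(path=":memory:"):
    db = sqlite3.connect(path, isolation_level=None)  # transactions are explicit below
    db.execute("CREATE TABLE IF NOT EXISTS roles (resource_id TEXT NOT NULL, "
               "email TEXT NOT NULL, role TEXT NOT NULL, PRIMARY KEY (resource_id, email))")
    return db

@contextmanager
def write_txn(db):
    db.execute("BEGIN IMMEDIATE")  # take the write lock so concurrent logins serialise
    try:
        yield
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise

def instance_roles(db, resource_id):
    """Map email -> role for one add-on instance (resource_id is a hypothetical key)."""
    return dict(db.execute("SELECT email, role FROM roles WHERE resource_id=?", (resource_id,)))

def role_for_sso_login(db, resource_id, email):
    """Return the user's role; call only after the SSO request has authenticated."""
    email = email.strip().lower()  # assumption: emails are matched case-insensitively
    with write_txn(db):
        roles = instance_roles(db, resource_id)
        if email not in roles:  # new user: first ever gets admin, later ones the default
            roles[email] = DEFAULT_ROLE if roles else ADMIN
            db.execute("INSERT INTO roles VALUES (?, ?, ?)", (resource_id, email, roles[email]))
        return roles[email]  # returning user: the persisted role wins

def change_role(db, resource_id, actor_email, target_email, new_role):
    """Admin-only role change that never leaves the instance without an admin."""
    actor, target = actor_email.strip().lower(), target_email.strip().lower()
    if new_role not in (ADMIN, DEFAULT_ROLE):
        raise ValueError("unknown role")
    with write_txn(db):
        roles = instance_roles(db, resource_id)
        if roles.get(actor) != ADMIN:
            raise PermissionError("only an admin may change roles")
        if target not in roles:
            raise KeyError(target)
        if new_role != ADMIN and [e for e, r in roles.items() if r == ADMIN] == [target]:
            raise ValueError("at least one admin must remain")
        db.execute("UPDATE roles SET role=? WHERE resource_id=? AND email=?",
                   (new_role, resource_id, target))
```

Because the first-user check and the insert run inside one `BEGIN IMMEDIATE` transaction, two collaborators opening the dashboard at the same moment cannot both be treated as the first user.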

Automatically determining roles for team-owned apps

If an app is owned by a Heroku Team, you can optionally use the endpoints described in Syncing User Access as an Ecosystem Partner to determine whether a particular user is an “admin” or a “member” of that team. If your add-on’s dashboard uses a similar two-role structure, you can simply determine an appropriate dashboard role from a user’s team role.
