Scoped Permissions Setup Guide

Set up scoped access controls for your team — assign roles at the account, project, and environment level and restrict production-sensitive operations.

Prerequisites

Admin access to the Zenmanage account you are configuring
Team members already added to the account
Projects and environments created for your use case
An understanding of which environments are production-sensitive (those where changes affect live users)

How the permission model works

Zenmanage permissions are scoped at three levels. Access is inherited downward — a role granted at the account level applies everywhere unless overridden at a lower scope. A role granted only at the project level does not carry to other projects. A role granted only at the environment level does not carry to other environments in the same project.

Account scope

Org-wide defaults. Controls who can create projects, manage billing, and set account-level configurations. Use sparingly — most team members should not hold account-level write access.

Project scope

Access per feature-flag project. A developer scoped to one project cannot read, write, or modify flags in another project. Use this to separate concerns across teams or products.

Environment scope

Permission per environment within a project. A staging write role does not carry into production. This is the most important scope for production safety — set it deliberately.

Principle of least privilege

Grant the minimum access needed for each team member to do their job. Access can always be expanded. Starting with too much access and trying to reduce it later is harder operationally and carries more risk during the transition period.

Step 1 — Define account-level roles

Account-level roles control org-wide actions. These should be held only by the people who actively manage the account — typically platform leads, DevOps owners, or a small set of engineering managers.

1. Navigate to Account Settings → Team & Permissions. This is the central access management view for your organization.
2. Identify who needs account-level write access. Typically: the person who manages billing, creates or archives projects, and manages integrations. For most teams, this is one to three people.
3. Set all other team members to account-level read access by default. Read access lets them see projects and environments without being able to modify account settings.
4. Confirm that no role here grants automatic production write access to lower scopes. Project and environment permissions are set independently.

Step 2 — Assign project-level access

Project-level access controls who can see and modify flags within a given project. This is where you scope developers to the work they are actually responsible for.

1. Open the project you want to configure. Go to Project Settings → Access.
2. Add team members to the project with appropriate roles. A developer working on a feature in this project needs at minimum read access and typically write access across non-production environments.
3. Use groups for teams that share the same access pattern. If three developers all need the same project-level access, assign them as a group rather than individually. This makes future access changes a single operation.
4. Do not grant broad project-level write access as the default. Developers who only occasionally touch a project should be given read access until they have active work there.

Groups reduce access management overhead

Define groups that reflect your real team structure — by squad, by product area, or by service ownership. When someone joins or leaves a team, update their group membership once and all scoped permissions update automatically.

Step 3 — Configure environment-level restrictions

Environment-level restrictions are the most important boundary for production safety. This is where you explicitly control who can act on production — separate from whatever project-level access they hold.

1. Navigate to the project, then open the production environment settings. Each environment has its own access configuration.
2. Set production to restricted. By default, environment access inherits from project access. Explicitly override this for production environments so that project write access does not automatically become production write access.
3. Grant production write access only to the roles that actively manage production releases. This typically includes senior engineers, platform leads, and on-call owners — not all developers on the project.
4. Confirm staging and development environments can remain open. Developers should be able to work freely in non-production environments. The goal is production protection, not slowing down development work.
5. Repeat for every project that has a production environment. Environment restrictions are per-project — a setting on one project's production environment does not apply to others.

A staging write role does not carry into production

This is the key guarantee of environment-scoped access. A developer with full staging write access will receive an access denied response if they attempt a production change without explicit production-level authorization.

Step 4 — Restrict production-sensitive operations

Beyond environment-level access, specific operations on production carry higher risk than others. Zenmanage lets you restrict those individual operations to a named set of roles — so even a developer with production read access cannot trigger high-risk changes.

Operation	Why it is sensitive	Recommended restriction
Flag enable / disable	Immediately changes behavior for live users	Senior engineers, platform leads, on-call owner
Rollout percentage changes	Adjusts live traffic exposure; regressions can scale quickly	Rollout owners with active production access
Environment variable writes	Config changes affect all users in the environment immediately	Platform leads, infrastructure owners
Permission changes	Altering access roles affects who can act across the system	Account admins only

1. Open Production Environment Settings → Restricted Operations.
2. Enable restrictions on flag enable/disable and rollout changes as a baseline. These are the most common sources of unintended production impact.
3. Enable restrictions on environment variable writes if your team uses Zenmanage to manage environment configuration.
4. Assign the roles that are permitted to perform each restricted operation. Be specific — list named roles, not broad groups.

Restrictions are enforced at the point of change

A restricted operation attempted by an unauthorized role returns an access denied response in the UI and via the API. The change does not go through. There is no silent override path.

Common role patterns

These are starting-point role structures. Adjust to match your team's actual responsibilities and your organization's compliance requirements.

Feature developer

Account: read
Project (assigned projects only): write
Production environment: read (no write access)
Staging / dev environments: write

Release owner / on-call engineer

Account: read
Project (assigned projects): write
Production environment: write
Restricted operations: flag enable/disable, rollout changes

Platform / infrastructure lead

Account: write
All projects: write
All environments: write
Restricted operations: all, including environment variable writes

Compliance / audit reviewer

Account: read
All projects: read
All environments: read
Audit log: full access (read-only)

Once permissions are configured, verify that the audit log is capturing changes and that your team knows how to use it for incident review. See the Audit History Guide for investigation and review workflows. For a step-by-step adoption checklist, see the Permissions & Audit Adoption Checklist. For the full feature reference, see the Permissions & Audit capability page.

Next step

Take the next integration step in your own stack.

Start with the quickstart that matches your runtime, then return to the reference pages when you need exact request and payload details.

View quickstarts Start free trial