Home / Product / Permissions & Audit

Capability

Permissions & Audit

Scoped access. Attributable changes. Ship to production with the controls you actually need.

The problem with blanket access

Most teams shipping features in production operate with more access than they need and less visibility than they should have. Developers with account-wide write access can change environment variables in production when their work only touches a staging flag. There is no practical barrier between a test change and a live customer impact.

When something goes wrong, the audit trail is either absent or too coarse to answer the questions that matter: who changed what, in which environment, and exactly when? Two risks converge — over-privileged access and weak change attribution — and together they make release governance depend on memory and manual process instead of tooling.

Scoped permissions

Grant access at the account, project, or individual environment level. A developer working on a staging flag does not automatically inherit write access to production. Delegation is explicit, minimal, and reversible.

Account scope

Org-wide roles and access defaults. Controls who can create projects and manage billing-level settings.

Project scope

Access per feature-flag project. Developers scoped to a project cannot touch other projects or environments.

Environment scope

Permission per environment within a project. A staging write role does not carry into production.

Granularity is the default, not a bolt-on. Access follows the shape of how teams actually work — by project and environment — not by a flat all-or-nothing permission bit.

Production-sensitive controls

Specific operations on production environments — flag enables, rollout changes, environment variable writes — can be restricted to a defined set of roles. Least-privilege is enforced at the point of change, not via policy documentation. Production protection is not a manual review gate that slows every release. It is a targeted control around the specific operations that carry real customer risk.

  • Flag enable restrictions

    Limit who can enable or disable flags in production environments to named roles.

  • Rollout change controls

    Restrict adjustments to rollout percentages in production to reduce the risk of unintended exposure.

  • Environment variable writes

    Protect environment-level configuration from changes by developers without production scope.

  • Role-based assignments

    Map team members to roles that carry the right level of access for their actual responsibilities.

  • Explicit delegation

    Access is granted deliberately and can be revoked without organizational restructuring.

  • Zero friction for developers

    Least-privilege means the right people have the right access by default — not constant approval gates.

Immutable audit history

Every flag evaluation change, configuration write, and permission modification is captured with actor identity, timestamp, and environment context. The record cannot be altered retroactively. Every change is attributable. When something goes wrong, the answer is already there — no log reconstruction, no asking around, no gap in attribution.

Audit log — production / checkout-v2
2026-05-31 14:22:08
enabled checkout-v2 in productionsarah@acme.com
2026-05-31 14:20:44
rollout changed checkout-v2 25% → 50% in productionsarah@acme.com
2026-05-30 09:11:02
rollout changed checkout-v2 0% → 25% in productionalex@acme.com
2026-05-29 17:55:19
permission granted sarah@acme.comproduction-write on checkout projectadmin@acme.com

Actor identity

Every entry includes who made the change — not just a service account.

Environment context

Entries are scoped to the environment where the change occurred.

Tamper-proof record

Entries cannot be altered or deleted after the fact.

What teams gain

  • Reduced blast radius from misconfigured or prematurely enabled changes because access is scoped, not blanket.

  • Engineering and operations leads can reconstruct a release timeline during incident review without relying on memory or chat logs.

  • Compliance and governance reviewers can confirm who approved, who changed, and when — without bespoke tooling or manual log parsing.

  • Developers retain velocity because least-privilege means the right people have the right access by default — not constant approval friction.

Related capabilities

  • Feature Flags

    Manage flag state with access controls that enforce who can change what in production

    Learn more →

  • Progressive Rollouts

    Control rollout exposure with percentage ramps — every change tracked in the audit log

    Learn more →

Release with confidence, not guesswork

Scoped permissions and immutable audit history give every team the right access and a complete record of every change.

Start free trial See pricing Read the announcement