Skip to main content

Documentation Index

Fetch the complete documentation index at: https://launchdarkly-preview.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Overview

This topic explains how to work with role scope and role attributes. A role scope is a resource type by which a role may be parameterized. When you define a role, you can optionally specify a role scope and the parameter, which is called a role attribute. If multiple members or teams should have similar permissions, but work with different resources, then defining role scope using an attribute key lets you reuse the same role for many members or teams. This means the total number of roles in your account is much smaller, and much easier to maintain. This topic includes:

Background: Resources, role scope, and role attributes

When you create a new role, you can specify resources that the role can or cannot access in the following ways: | Types of resources a role can access
Example
| --- | | All instances of the resource. | All projects | | All instances of the resource with a few exceptions. | All projects except “Project A” | | Only specific instances of the resource, where the instances are named explicitly in the role’s policy statements. | “Project A,” “Project B,” and “Project C” | | Only specific instances of the resource, where the instances are linked to a particular view. To learn more, read Use views in complex policy statements . | All flags in a project that are linked to the “frontend” view. | | Only specific instances of the resource, where the instance properties match a particular value. | All environments that are marked as critical . To learn more, read Property-based selectors . | | Only specific instances of the resource, where the instances are specified based on a parameter. This parameter is called a role attribute.
In this option, you define the role attribute when you create the role, and you specify its value when you assign the role to an account member or team.
For example, you can define the role attribute as “developerProjectKey,” set the value of the role attribute to “Project A” when you assign the role to member A, and then set the value of the role attribute to “Project B” when you assign the role to member B.
This option is discussed in more detail in the sections below: Define role scope using attribute key, Set role attribute values. | “developerProjectKey” | Role attributes are defined and assigned within LaunchDarkly. They cannot be passed through SAML assertions for single sign-on. For SAML-based SSO, LaunchDarkly supports mapping only the role, customRole, and teamKey attributes.

Define role scope using attribute key

To define role scope using a role attribute when you create a new role policy:
  1. From the “New role” page, click Advanced to open the “Scope using attribute key” section:
The "Advanced" section of the "New role" page.
  1. Click + Add resource type.
  2. Select a resource type from the menu, for example, “Project.”
  3. At the prompt, enter a key for the role attribute:
The "developerProjectKey" defined as a role attribute.
  1. The role attribute is now a parameter for this role.
  2. In the role’s policy statements, use the role attribute key any place that you would normally use a specific instance of that resource. For example, if you selected the “Project” resource type in step 3, then you can use the role attribute to allow access only to projects:
The "developerProjectKey" used in a policy statement.
  1. Click Create role.
You set the value of the role attribute when you assign this role to a member or team. In this example, you would enter values for one or more project keys when you assign this role. To learn how, read Set role attribute values, below. To learn more about creating roles, read Creating roles and policies.

Set role attribute values

You set a role attribute value, or specific resource, when you assign a role to an account member or team. In the “Assign access” dialog, enter the values for the role attribute in the Resources field:
The "Assign access" dialog, with a role attribute and resource specified for the custom role being assigned.
You can enter one or more values when you set the role attribute. For example, you can set the value of the role attribute to projectA (the project key of “Project A”) when you assign the role to one member, and then set the value of the role attribute to projectB and projectC (the project keys of “Project B” and “Project C”) when you assign the role to a different member.

You can also use the REST API: Custom roles.In the REST API, use the syntax ${roleAttribute/<attributeKey>}, for example ${roleAttribute/developerProjectKey}, in your policy statements.
To learn more, read Assigning roles to members and Assigning roles to teams.

Example: Consolidate existing roles using role attributes

Without role scope, if you have two members who require a similar set of permissions, but require access to different flags, you need to define two roles, one for each member: 
    {
      "effect": "allow",
      "actions": [ "*" ],
      "resources": [
        "proj/example-project:env/*:flag/flag-1"
      ]
    }
Given additional flags, or additional projects, the number of roles required increases rapidly, and quickly becomes unmanageable. You can use role scope to define just one role. Then, you can assign the same role to both members. Here’s the previous set of roles, rewritten to use the flagKey role attribute: 
    {
      "effect": "allow",
      "actions": [ "*" ],
      "resources": [
        "proj/example-project:env/*:flag/${roleAttribute/flagKey}"
      ]
    }
When you assign this role to each member, you set the value of flagKey to the specific flag that that member should have access to. You can use multiple role attributes in a given role. For example, if you also wanted to parameterize the project, you could use a separate role attribute for that: 
    {
      "effect": "allow",
      "actions": [ "*" ],
      "resources": [
        "proj/${roleAttribute/projectKey}:env/*:flag/${roleAttribute/flagKey}"
      ]
    }
In this case, LaunchDarkly prompts you to set the value of both role attributes when you assign the role to a member. For additional examples of roles defined using role attributes, read:

Special cases for role scope

For some policy statements, you may need a combination of the advanced editor and the REST API to define a policy that uses role scope or to set role attribute values.

Use views in complex policy statements

You can define a role scope for a view when you create a role. The policy builder supports using the viewKey role attribute in a statement with a “view” resource scope. Here’s an example policy:
The policy builder, with a statement allowing access to views based on the "viewKey" role attribute.
This statement allows access to all actions on the views specified by viewKey in the project specified by projectKey. In the advanced editor, the statement looks like this: 
    [
      {
        "effect": "allow",
        "actions": ["*"],
        "resources": [
          "proj/${roleAttribute/projectKey}:view/${roleAttribute/viewKey}"
        ]
      }
    ]
You can also use a view role attribute in a flag scope statement. Here’s an example: 
    [
      {
        "effect": "allow",
        "actions": ["*"],
        "resources": [
          "proj/${roleAttribute/projectKey}:env/*:flag/*;view:${roleAttribute/viewKey}"
        ]
      }
    ]
This statement allows access to all actions on flags in the project specified by projectKey, in all environments, provided the flags are linked to the view specified by viewKey. If the viewKey role attribute is only used in a selector, LaunchDarkly may not prompt you to set its value when you assign this role to a member or team using the LaunchDarkly UI. If this happens, use the Modify an account member REST API to set the value of the role attribute. Here’s an example request body that gives the viewKey role attribute a value of exampleView for a member: 
    curl -X PATCH https://app.launchdarkly.com/api/v2/members/<id> \
         -H "Authorization: <apiKey>" \
         -H "Content-Type: application/json" \
         -d '[
            {
              "op": "replace",
              "path": "/roleAttributes/viewKey",
              "value": ["exampleView"]
            }
          ]'

Flag creation and multiple views

When a member creates a feature flag, they can associate it with multiple views in a single request. A createFlag statement scoped to one view does not prevent a member from listing additional views in the same API call. This means that a member may be able to add a flag to a view that they do not have access to, as long as they are also adding it to a view they do have permission to add flags to. Access to the flag after it exists is still governed by your other policy statements.

Tags and role scope

You cannot use role attributes in tag-based policy statements. For most role-scoping use cases, use views instead of tags. Views provide a supported way to group resources and assign access within a project. To learn more, read Onboarding to views and Use views in complex policy statements.