Netlify Create teams, group, and user access control

Manage user roles and permissions by inheriting from third-party services or setting custom rules.

Netlify Create allows you to create different types of access for your team members through one of three methods:

  • Third-Party Service: Leveraging existing roles from content sources
  • Single-Sign On: Using SSO to integrate with existing organization systems (enterprise only)
  • Built-In: Setting your own roles, using pre-defined permissions

# Basic concepts

Let's cover a few of the basic concepts to help contextualize how user management works.

# Project collaborators

Collaborators are Netlify Create users invited to contribute to a project. If the project belongs to a team, collaborators must also become members of the team before they can be project collaborators.

There are four pre-defined roles in Netlify Create, with the following names and permissions:

  • Viewer: View (read) access only
  • Editor: Edit access, can't publish content changes
  • Publisher: Edit and publish content changes, but not code changes; can't invite collaborators unless also an admin in the team
  • Developer: Edit and publish content and code; can also invite collaborators and manage project settings (integrations, publishing workflows setup, etc.)

Additionally, team admins can also create custom roles.

# Team members

Teams let you manage access to projects by user groups. There are two built-in team member roles:

  • Admin: Full control over the team, including project access and creation, and members and user groups management.
  • Member: Access to see projects they have been added to directly. Individual user permission may override this setting.

The same team member can have different roles in different user groups and projects, but always the same role in the team (admin or member).

Team admins can also create custom roles.

# User groups

User groups are functional groups of team members, where each group member can have a unique role within that group.

# Single-Sign On (SSO)

This feature is available on Create Enterprise plans.

SSO, an enterprise-only feature, lets team members use their company credentials to edit projects in Netlify Create.

Available functionality includes synchronization with the Identity Provider (IdP) of choice via SSO for the following:

  • User addition/deletion
  • Member role sync via IdP groups
  • Default project role sync via IdP groups

# Invite members to team

Note

Only team admin users can invite new members to the team.

To invite a new member to the team in Netlify Create, go to Manage Team > All Members > Invite Member.

Users will get an invitation by email. They will appear as pending until they accept the invitation. If using SSO, see below for inviting and managing team members.

# Team member attributes

Team members come with two main attributes:

  • Member Role: The role in the team. If using SSO, this can be synced with roles in the Identity Provider.
  • Default Project Role: (optional) This is helpful for organizations with cross-functional users. If using SSO, this can be synced with roles in the Identity Provider.

Note

If members who have a pending invitation are added to user groups or projects, they will immediately have access to those user groups and projects upon accepting the invitation.

# Manage SSO users

If using SSO, the team is defined in the Identity Provider (IdP). Netlify Create is kept in sync with the IdP and reflects additions, deletions, and data updates made there. SSO users cannot be added or removed via Netlify Create.

Netlify Create also updates user roles (role in the team and default project role) according to groups in the IdP or the user attributes in the IdP. SSO user roles can't be edited from Netlify Create.

# Configure SSO for Netlify Create

To set up SSO to work with Netlify Create, go to your IdP and find the place to add a custom attribute for groups and/or for users (depending on how you're planning to use SSO with Netlify Create).

Two custom attributes need to be created following the details in the tables below.

Team Role

| Info | Description |
|---|---|
| Data Type | string |
| Display Name | "Stackbit Team Role" |
| Variable Name | stackbit_organization_role (must match exactly) |
| Define enumerated list of values | true (check the box) |
| Attribute Members | Must match the built-in roles in Netlify Create and any custom roles you may want to make available: Admin: admin; Member: member |
| Attribute Required | true (check the box) |

Default Project Role

| Info | Description |
|---|---|
| Data Type | string |
| Display Name | "Stackbit Default Project Role" |
| Variable Name | stackbit_default_project_role (must match exactly) |
| Define enumerated list of values | true (check the box) |
| Attribute Members | Must match the built-in roles in Netlify Create and any custom roles you may want to make available: Viewer: viewer; Editor: editor; Publisher: publisher; Developer: developer |
| Attribute Required | true (check the box) |

# How SSO sync works

When a user logs in to Netlify Create for the first time, Netlify Create will get their team role and their default project role from the group they're assigned to in the IdP.

This value can't be edited from Netlify Create. When changed in the IdP, it is synced and will be updated in Netlify Create. Default project roles can be found under Manage team > Members and roles > All members.

# Manage user groups

User groups provide the ability to grant access to future team members.

For example, consider a Design team with three members and developer access to Project 1. A new member is added to the Design user group, and when they accept the invitation, they immediately get access to Project 1.

# Create a new user group

Go to Manage Team > New User Group and give the user group a name.

Then add members to the user group.

# Reserved user groups

There is a built-in user group called Everyone. New team members are automatically added to the Everyone user group, unless a project that existed outside a team is moved inside the team. In this case, previous collaborators are provided access to that one particular project in the team, but they are not added to the Everyone user group.

Note, therefore, that the Everyone user group is different from All Members: All Members contains every user within the team, and it cannot be used as a user group.

# Project invitations

Inviting users to projects has various implications, depending on whether the project is inside a team or not.

# Projects inside teams

To invite an existing team member to collaborate in a project, open the project and click on Share. Choose the user, give them a role, and click the Grant Access button.

After granting access to a user, they will see the project in their dashboard.

# Invite non-members

Only team admins can add non-members as project collaborators. They will be able to invite new users via the dropdown menu in the same collaborators modal.

Once the user accepts the invitation to the project, they will also be added as a member in the team.

# Invite a user group

Admins also have the ability to add a user group to a project. All of that user group's current and future members will inherit access to that project.

When giving a user group access to the project, choose a role for the whole user group, or choose Default user roles for cross-functional teams.

For cross-functional users:

  • If the team role is not provided, Netlify Create will default to member (lowest permission level).
  • If the default project role is not provided, Netlify Create will default to viewer (lowest permission level).
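
An added example (not Netlify Create or IdP code) that audits IdP attribute values against the two attribute tables under "Configure SSO for Netlify Create" and the fallbacks listed above, so silent downgrades and unlisted values are caught before sync applies them. The record layout, function names and sample users are assumptions constructed for illustration.

```python
# Added example: pre-flight audit of IdP attributes; the record layout is an assumption.
TEAM_ATTR = "stackbit_organization_role"
PROJECT_ATTR = "stackbit_default_project_role"
# Built-in values from the attribute tables; extend with any custom role values.
ALLOWED = {TEAM_ATTR: {"admin", "member"},
           PROJECT_ATTR: {"viewer", "editor", "publisher", "developer"}}
DEFAULTS = {TEAM_ATTR: "member", PROJECT_ATTR: "viewer"}  # documented fallbacks

def audit_user(record):
    """Return (effective_roles, findings) for one exported user record."""
    attrs = record.get("attributes", {})
    effective, findings = {}, []
    for name, allowed in ALLOWED.items():
        value = attrs.get(name)
        if not value:
            effective[name] = DEFAULTS[name]
            findings.append(f"{name}: not provided, falls back to '{DEFAULTS[name]}'")
        elif value in allowed:
            effective[name] = value
        else:
            effective[name] = None  # handling of unlisted values is not documented
            hint = " (case mismatch)" if value.lower() in allowed else ""
            findings.append(f"{name}: '{value}' is not an allowed value{hint}")
    # The variable name must match exactly, so flag near-miss attribute names.
    for key in attrs:
        if key not in ALLOWED and key.lower().replace("-", "_") in ALLOWED:
            findings.append(f"attribute '{key}' does not match the required name exactly")
    return effective, findings

def audit_export(records):
    """Return ({email: findings}, [emails whose team role resolves to admin])."""
    report, admins = {}, []
    for rec in records:
        effective, findings = audit_user(rec)
        if findings:
            report[rec["email"]] = findings
        if effective[TEAM_ATTR] == "admin":
            admins.append(rec["email"])
    return report, admins

SAMPLE = [  # constructed records, not real data
    {"email": "ana@example.com", "attributes": {TEAM_ATTR: "admin", PROJECT_ATTR: "developer"}},
    {"email": "bo@example.com", "attributes": {TEAM_ATTR: "member"}},
    {"email": "cy@example.com", "attributes": {TEAM_ATTR: "Admin", PROJECT_ATTR: "editor"}},
    {"email": "di@example.com", "attributes": {"Stackbit_Organization_Role": "admin", PROJECT_ATTR: "viewer"}},
]

if __name__ == "__main__":
    print(audit_export(SAMPLE))
```

Reviewing the returned admin list against the intended set of team admins is the quickest check, since the Admin role carries full control over the team.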

# Projects in SSO teams

Since the team is defined in the Identity Provider (IdP), the collaborators dropdown will only show team users who have logged in to Netlify Create at least once as part of the team.

However, everyone added to the team in the IdP will be able to use SSO to log into Netlify Create with their company credentials.

Users who have not logged in to Netlify Create at least once can still be added to user groups and projects, but they will appear as pending until they log in to Netlify Create for the first time.

# Projects outside teams

If a project is not part of a team, collaborators can be invited directly by email using the collaboration menu.

The user(s) will receive an email invitation that needs to be accepted in order to be able to view, edit, and publish the project.

# Custom roles

This feature is available on Create Enterprise plans.

Team administrators can create and manage custom roles for their team members and project collaborators.

# Team member custom roles

Team roles are managed within team settings.

Create custom roles for team members by clicking "Add Custom" in the "Team role" section.

Give the new role a name and choose the appropriate permissions and projects.

After saving, the new role will be available in the dropdown for members.

# Project collaborator custom roles

Project collaborator roles are managed within team settings.

Create custom roles for project collaborators by clicking "Add Custom" in the "Team collaborator role" section.

Give the new role a name and choose the appropriate permissions and projects.

Go into the settings in a project within the team to verify the new role is available.

# Delete custom roles

Custom roles can only be deleted when they are not in use. Built-in roles can't be deleted or modified.

Hover over the role to show the delete icon.