Teams and User Access Control
Manage user roles and permissions by inheriting from third-party services or setting custom rules.
Netlify Create allows you to create different types of access for your team members through one of three methods:
- Third-Party Service: Leveraging existing roles from content sources
- Single-Sign On: Using SSO to integrate with existing organization systems (enterprise only)
- Built-In: Setting your own roles, using pre-defined permissions
Let's cover a few of the basic concepts to help contextualize how user management works.
Collaborators are Netlify Create users invited to contribute to a project. If the project belongs to an organization, collaborators must also become members of the organization before they can be project collaborators.
There are four pre-defined roles in Netlify Create, with the following names and permissions:
- Viewer: View (read) access only
- Editor: Edit access, can't publish content changes
- Publisher: Edit and publish content changes, but not code changes; can't invite collaborators unless also an admin in the organization
- Developer: Edit and publish content and code; can also invite collaborators and manage project settings (integrations, publishing workflows setup, etc.)
Additionally, organization admins can also create custom roles.
Organizations let you manage access to projects by teams. There are two built-in organization member roles:
- Admin: Full control over the organization, including project access and creation, and members and teams management.
- Member: Access to see projects they have been added to directly. Individual user permission may override this setting.
The same organization member can have different roles in different teams and projects, but always the same role in the organization (admin or member).
Organization admins can also create custom roles.
Teams are organization members grouped into the same role.
Single-Sign On (SSO)
SSO is an enterprise-only feature that lets an organization's members use their company credentials to edit projects in Netlify Create.
Available functionality includes synchronization with the Identity Provider (IdP) of choice via SSO for the following:
- User addition/deletion
- Member role sync via IdP groups
- Default project role sync via IdP groups
Inviting Members to Organization
To invite a new member to the organization in Netlify Create, go to Manage Organization > All Members > Invite Member.
Users will get an invitation by email. They will appear as pending until they accept the invitation. If using SSO, see below for inviting and managing organization members.
Organization Member Attributes
Organization members come with two main attributes:
- Member Role: The role in the organization. If using SSO, this can be synced with roles in the Identity Provider.
- Default Project Role: (optional) This is helpful for organizations with cross-functional teams. If using SSO, this can be synced with roles in the Identity Provider.
Managing SSO Users
If using SSO, the organization is defined in the Identity Provider (IdP). Netlify Create is kept in sync with additions, deletions, and data updates made in the IdP. SSO users cannot be added or removed via Netlify Create.
Netlify Create also updates user roles (role in the organization and default project role) according to groups in the IdP or the user attributes in the IdP. SSO user roles can't be edited from Netlify Create.
Configuring SSO for Netlify Create
To set up SSO to work with Netlify Create, go to your IdP and find the place to add a custom attribute for groups and/or for users (depending on how you're planning to use SSO with Netlify Create).
Two custom attributes need to be created following the details in the tables below.
Default Project Role
How SSO Sync Works
When a user logs in to Netlify Create for the first time, Netlify Create will get their organization role and their default project role from the group they're assigned to in the IdP.
This value can't be edited from Netlify Create. When changed in the IdP, it is synced and will be updated in Netlify Create. Default project roles can be found under Manage organization > Members and roles > All members.
Teams provide the ability to grant access to future organization members.
For example, consider a Design team with three members and developer access to Project 1. A new member is added to the Design team, and when they accept the invitation, they immediately get access to Project 1.
Creating a New Team
Go to Manage Organization > New Team and give the team a name.
Then add members to the team.
There is a built-in team called Everyone. New organization members are automatically added to the Everyone team, unless a project that existed outside an organization is moved inside the organization. In this case, previous collaborators are provided access to that one particular project in the organization, but they are not added to the Everyone team.
Therefore, note that the Everyone team is different than All Members, since All Members contains absolutely all users within the organization, and it cannot be used as a team.
Inviting users to projects has various implications, depending on whether the project is inside an organization or not.
Projects Inside Organizations
To invite an existing organization member to collaborate in a project, open the project and click on Share. Choose the user, give them a role, and click the Grant Access button.
After granting access to a user, they will see the project in their dashboard.
Only organization admins can add non-members as project collaborators. They will be able to invite new users via the dropdown menu in the same collaborators modal.
Once the user accepts the invitation to the project, they will also be added as a member in the organization.
Inviting a Team
Admins also have the ability to add a team to a project. All of that team's current and future members will inherit access to that project.
Choose a role for the whole team when giving that team access to the project.
Or choose Default user roles for cross-functional teams.
For cross-functional teams:
- If the organization role is not provided, Netlify Create will default to member (lowest permission level).
- If the default project role is not provided, Netlify Create will default to viewer (lowest permission level).
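The two defaults above can be checked against an IdP export before roles are synced. This is an added example, not Netlify Create code: the `org_role` and `default_project_role` field names and the sample users are assumptions made for illustration, and only the role names and the defaults come from this page.

```python
ORG_ROLES = ("member", "admin")                                 # lowest -> highest
PROJECT_ROLES = ("viewer", "editor", "publisher", "developer")  # lowest -> highest
# admin manages members and teams; developer can invite collaborators
# and manage project settings, so both deserve an explicit review.
HIGH_PRIVILEGE = {"admin", "developer"}

# Constructed sample export. The keys "org_role" and "default_project_role" are
# hypothetical field names, not the attribute names Netlify Create expects.
SAMPLE_EXPORT = [
    {"email": "ana@example.com", "org_role": "admin", "default_project_role": "developer"},
    {"email": "ben@example.com", "default_project_role": "editor"},
    {"email": "cy@example.com", "org_role": "member"},
    {"email": "dee@example.com", "org_role": "owner", "default_project_role": "publisher"},
]

def _clean(value):
    """Strip a raw attribute; empty or non-string values count as not provided."""
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None

def _resolve(raw, builtin, default, label, custom_roles, findings):
    """Apply the documented default and record anything a reviewer should check."""
    role = _clean(raw)
    if role is None:
        findings.append(f"{label} not provided: defaults to {default}")
        return default
    if role not in builtin and role not in custom_roles:
        findings.append(f"{label} {role!r} is not built-in or a known custom role")
    if role in HIGH_PRIVILEGE:
        findings.append(f"{label} {role!r} is high privilege: confirm it is intended")
    return role

def audit(export, custom_roles=()):
    """Map each email to (org_role, default_project_role, findings)."""
    report = {}
    for user in export:
        findings = []
        org = _resolve(user.get("org_role"), ORG_ROLES, "member",
                       "organization role", custom_roles, findings)
        proj = _resolve(user.get("default_project_role"), PROJECT_ROLES, "viewer",
                        "default project role", custom_roles, findings)
        report[user["email"]] = (org, proj, findings)
    return report

if __name__ == "__main__":
    for email, (org, proj, findings) in audit(SAMPLE_EXPORT).items():
        print(email, org, proj, *findings, sep="\n  ")
```

Pass the names of any custom roles defined in the organization as `custom_roles` so they are not reported as unrecognized.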
Projects in SSO Organizations
Since the organization is defined in the Identity Provider (IdP), the collaborators dropdown will only show users who have logged in to Netlify Create at least once as part of the organization.
However, everyone added to the organization in the IdP will be able to use SSO to log into Netlify Create with their company credentials.
Users who have not logged in to Netlify Create at least once can still be added to teams and projects, but they will appear as pending until they log in to Netlify Create for the first time.
Projects Outside Organizations
If a project is not part of an organization, collaborators can be invited directly using the collaboration menu to invite users by email.
The user(s) will receive an email invitation that needs to be accepted in order to be able to view, edit, and publish the project.
Organization administrators can create and manage custom roles for their organization members and project collaborators.
Organization Member Custom Roles
Organization roles are managed within organization settings.
Create custom roles for organization members by clicking "Add Custom" in the "Organization role" section.
Give the new role a name and choose the appropriate permissions and projects.
After saving, the new role will be available in the dropdown for members.
Project Collaborator Custom Roles
Project collaborator roles are managed within organization settings.
Create custom roles for project collaborators by clicking "Add Custom" in the "Organization collaborator role" section.
Give the new role a name and choose the appropriate permissions and projects.
Go into the settings in a project within the organization to verify the new role is available.
Deleting Custom Roles
Custom roles can only be deleted when they are not in use. Built-in roles can't be deleted or modified.
Hover over the role to show the delete icon.