Team-Level Roles

[Dhrumil-Sentry]

Today, Sentry organizations can grant any of the following organizational-level roles to their developers:

• Owner
• Manager
• Admin
• Member

Several Sentry customers have multiple teams monitoring several projects in Sentry. At their scale, they need more users to have the privileges to make changes to the settings for various projects. A common feedback theme we’ve been hearing from our large customers - “Everyone is an admin”.

This is problematic for two reasons:

1. Customers don’t want too many users to be able to make changes to the settings for critical projects because these impact product capabilities like inbound filters which in turn impact project visibility and consumption.
2. Users with Admin roles can belong to multiple teams however, they don’t necessarily need to have Admin permissions for all teams they belong to.

We are addressing these concerns by introducing team-level roles for Business and Enterprise plan customers.

What are team-level roles?

In addition to existing organizational roles, Users can now be granted one of two roles at a team level:

• Team Admin
• Contributor

Every member is granted the Contributor role once they are added to a team. Team Admins have access to make the following changes:

• Make changes to Project Settings such as Inbound Filters, Ownership rules, etc. for the projects owned by their teams
• Add or remove projects that their team is associated with
• Assign Team Admin role to other team members

A Sentry member can be an admin for team A and a contributor for team B. This allows Sentry organizations to grant more granular controls to their users which lets them manage their own projects while mitigating risks from unnecessary access to other projects.

How can you grant Team Admin roles?

From the team settings page

1. Go to Organization Settings → Teams → Select the team
2. You can change the roles for team members from Contributor to Team Admin
   

From the member settings page

1. Go to Organization Settings → Members → Select the Member
2. You can change the team level roles for this member as shown below
   

Who will get the Team Admin role automatically?

Any user who has the Organization Owner, Manager, or Admin role will be granted Team Admin roles for all the teams to which they belong. This happens because their org-level roles have a superset of the permissions of a Team Admin.

Users can view this information in the member settings.

What happens to the Organization Admin role?

Any Sentry user that has an Organization Admin role will still possess that role but customers will not be able to grant that role to any other user going forward.

I already have roles assigned for my org. How do I transition these over to team-level roles?

For now, you would need to use the Member settings page to make these role changes but we plan to publish APIs for user role management that will allow you to automate these changes as well

We want to hear from you!

These changes are meant to help customers have the right levels of access controls. We’d love to hear your thoughts on the following

1. Do you want team admins to be granted permissions to make any other changes? If yes, what permissions would you like?
2. Do you want the users who have the Organization Admin role to continue possessing that role?
3. Are there any Sentry management flows that you’d like to restrict to team admins?

[Dhrumil-Sentry]

An update on this feature- Based on customer feedback we're working on allowing Team Admins to setup Alert rules for their teams even if the following setting is disabled at an Org level:

[Angelodaniel]

@Dhrumil-Sentry would it be possible for a member to request for the Team Admin role? Instead of someone explicitly assigning it to them?

[Dhrumil-Sentry]

@Angelodaniel This is not possible today but this is a good idea and I have created a new issue for this #50556 and added it to our backlog

[Dhrumil-Sentry]

Team-level roles is now generally available. Please find more information in our docs

[Angelodaniel]

Hi @Dhrumil-Sentry
With the removal of the Org Admin role, some users within the org should be able to configure Integrations like GitHub Enterprise or Slack for their teams. With the removal of Org Admin, it is now required to grant these persons the Manager role. This role breaks every kind of team/project separation. We try to keep teams and projects as much as possible separated as every team/project may accidentally receive personal data and we must ensure that only a specific portion of people, the respective team, can see these type of data.

Would it be possible to allow Team Admins the configuration of integrations? I think in a later stage, it would be great if the Org Admin or a Manager would receive a notification about a newly enabled integration or maybe even must approve the integration before activation.

[Dhrumil-Sentry]

Hi @Angelodaniel - This is great feedback and it would be good to have a separate issue created for tracking this request. The Org Admin role also broke any kind of team/project separation since it was at an Org Level but we realize that it's important for team admins to be able to configure integrations for their projects.

But most integrations operate at an organizational level- E.g. you just need to install Slack or Jira once and then create alert rules at the project level. Is there any integration other than GitHub/GitLab etc for which team admins need to configure project-level changes?

cc @leedongwei

[jarus]

Hi @Dhrumil-Sentry, I'm the initial reporter of this feedback towards Angelo. Thank you for taking my feedback serious.

But most integrations operate at an organizational level- E.g. you just need to install Slack or Jira once and then create alert rules at the project level. Is there any integration other than GitHub/GitLab etc for which team admins need to configure project-level changes?

In our case we use a Slack Enterprise Grid meaning that we have multiple different workspaces. Not everyone is part of every workspace. While creating a Sentry Slack Integration, Slack requires that you are part of the new target workspace therefore it would be great if Team Admins could create such Sentry Slack Integration as I as org owner can't create every integration without joining hundreds of different workspaces.

We have a similar situation with GitHub Enterprise. Team leads should be able to configure their own GitHub Enterprise integration with their own GitHub App. This means I don't need to create one global App with huge permissions to every thing instead project teams can be more flexible in their setup.

[Dhrumil-Sentry]

Hi @jarus Thanks a lot for the detailed feedback. I have some more questions to understand your use case better:

• Are workspaces owned by an individual team or multiple teams?
• If Sentry allowed Team Admins to edit integration configurations and install integrations then Team Admins could technically change the configuration for other workspaces too - Everything would be audited but it is still a possibility
• Do you expect a flow wherein Integration configurations are linked to specific projects and only those team admins should be allowed to install/configure these?

[rathpc]

I have two asks which I think would be extremely helpful:

1. Upon registration of a new user - either by manual creation or SSO auto creation, a list of teams that you want new users to automatically be added to can be applied to that new user. For example, a new user signs in via Okta, a new account is created at a Member privilege level and they are automatically added to team a, h and z as a Contributor.

2. Close membership can be toggled individually on teams. So if at an org level open membership is turned on, it can be disabled for certain teams so if someone wants to join a specific team it would require approval but others they can join without approval.