Role-Based Permissions & Change Management
Features and benefits of role-based permissions for Pantheon Drupal and WordPress sites.
Discuss in our Forum Discuss in SlackChange Management is an Organization feature that enables role-based permissions for users in the organization. It is automatically enabled for all Organizations.
Users added to the organization can access all sites associated with the organization, with access restricted based on the user's role in that organization. These roles exist to restrict who can deploy code on sites, and manage other users in the organization or sites it works on.
Roles and Permissions
These tables detail the actions each role can execute on each Dashboard.
In some Dashboards, you may notice the "User in Charge" label applied to a user. This helps distinguish who created a site for Enterprise and EDU Organizations where members are allowed to spin up new Sandbox sites at will. However, in these organizations the "User in Charge" cannot adjust the site service level — e.g. to take a site live. Because this may affect the overall bill for the organization, only organization admins are allowed to change service levels.
If you are an administrator for a Pantheon organization, contact support to have the User in Charge changed.
Organizations: Roles and Permissions
| Permissions | Administrator | Team Member | Developer | Unprivileged |
|---|---|---|---|---|
| Create sites within an org | ✔ | ✔ | ✔ | ✔ |
| Work in Dev environments | ✔ | ✔ | ✔ | ✔ |
| Access to Multidev environments | ✔ | ✔ | ✔ | ✔ |
| Access and manage Autopilot | ✔ | ✔ | ✔ | ✔ |
| Access the org Dashboard | ✔ | ✔ | ✔ | ❌ |
| Deploy to Test and Live | ✔ | ✔ | ❌ | ❌ |
| Invite new team members | ✔ | ✔ | ❌ | ❌ |
| Manage user roles | ✔ | ❌ | ❌ | ❌ |
| Delete sites or remove users from an org | ✔ | ❌ | ❌ | ❌ |
| Manage a site's plan | ✔ | ❌ | ❌ | ❌ |
| Create/Manage Custom Upstreams | ✔ | ❌ | ❌ | ❌ |
| Change site upstream | ✔ | ❌ | ❌ | ❌ |
Site-Level: Roles and Permissions
| Permissions | User in Charge / Owner | Team Member | Developer |
|---|---|---|---|
| Access the site Dashboard | ✔ | ✔ | ✔ |
| Work in Dev environments | ✔ | ✔ | ✔ |
| Deploy to Test and Live | ✔ | ✔ | ❌ |
| Clear cache on Test and Live | ✔ | ✔ | ❌ |
| Manage user roles | ✔ | ❌ | ❌ |
| Delete sites or remove users from a site | ✔ | ❌ | ❌ |
| Add a Supporting Organization | ✔ | ❌ | ❌ |
| Manage a site's plan | ✔ Org admin or Owner | ❌ | ❌ |
| Deploy from Custom Upstreams | ✔ | ✔ | ✔ |
| Add/Manage Custom Domains | ✔ | ✔ | ❌ |
| Enable Pantheon Search | ✔ | ❌ | ❌ |
| Change site upstream | ✔ | ❌ | ❌ |
Manage People in an Organization
Add a User to the Organization
- In the People tab, click Add User.
- Enter the email address of the new user, select a role, and click Add user.
An email confirmation is sent to the user. If the user already has a Pantheon account, they are immediately added to the Organization. If not, they'll first need to click the confirmation link in the email to create their account.
To create a new user with an unprivileged role, create the user first, then change the role as detailed below.
Change a User's Role
- In the People tab, select the user's name.
- Click Operations, and choose Change Role.
- Select the new role from the drop-down, and click Set User Role.
Change Site Owner
To change the owner of a paid site (e.g. Basic or Performance):
- From the Pantheon Site Dashboard, click on the Billing tab.
- Click on Transfer Site. Enter the email address associated with the account you want to transfer site ownership to.
- Click Send Request. The recipient will need to confirm the transfer.
Resellers and Enterprise organizations should contact their Account Manager or create a Support ticket to request a transfer of ownership.
Keep in mind that Partner Organizations cannot own sites directly.
For Sandbox sites, within the Team modal, the current site owner can click Make Owner next to the site team member who should receive ownership of the site.
Manage a Site's Team
Add a User to a Site
- At the Site Dashboard, click Team.
- Enter the user's email address, select a role, and click Add Team Member.
Add a Supporting Organization to a Site
Organization Administrators, Users in Charge, or Site Owners can add a Supporting Organization.
- At the Site Dashboard, click Team.
- Click Add a Supporting Organization, enter the organization's name in the search box, and click Search.
- Select a role, and click Add.
All members of the Supporting Organization receive the role assigned on the site, regardless of their role in the Supporting Organization.
Frequently Asked Questions (FAQs)
Which role should I assign a user to give them the lowest level of access?
At the site level, the Developer role has the least amount of permissions and can create sites, view the Organization Dashboard, and deploy to the Development and Multidev environments. At the organization level, the Unprivileged role has the least amount of permissions and can only create sites.
Which environments can a user with the Developer role deploy to?
The Developer role can only deploy to Development and Multidev environments. If a user needs to deploy to Live, you can promote a Developer to Team Member for a single site by adding the user to the site's team.
Who can add users to Organizations?
Enterprise Administrators can add site Team Members or Supporting Organizations to sites owned by the organization, with the Developer or organizational Team Member roles. Partner Organizations can assign users the role of an Administrator, Team Member, or Developer at the organization level.
How do I recover an account after a site owner leaves?
See the steps in our Site Access doc for recovery instructions.