Overview
It can sometimes be unclear how permissions are applied when a member has multiple role types. This can lead to confusion around why a member has certain access rights or why access behaves differently in specific scenarios.
Common Misunderstandings
Why doesn’t my admin user still have admin access after I assign a custom or preset role?
Because assigning a custom or preset role overrides built-in (base permissions).Why doesn’t my admin user still have admin access after I assign the LaunchDarkly Admin preset role?
Because LaunchDarkly Admin is an organization role. In addition to assigning a member an organization role, you should assign at least one project role.-
If I set someone to
no_access, can I still give them access through a team?
Yes, team access (whether custom or preset) will still apply.
Custom Role clarification
Role Terminology
Built-in roles: Predefined roles provided by LaunchDarkly (
owner,admin,writer,reader,no_access).Custom Roles: Roles defined by your organization.
-
Preset Roles: Roles provided by LaunchDarkly to streamline onboarding. Preset roles come in two categories:
Preset Project Roles (e.g., LaunchDarkly Contributor, Developer, Maintainer, Project Admin, Viewer) — resource scoped to projects.
Preset Organization Roles (e.g., LaunchDarkly Admin, Architect, Billing Admin, Member) — scoped across the whole organization.
Team Roles: Custom or preset roles assigned through team membership, rather than directly assigned to a member.
Role Precedence Rules
- A member can be assigned both a built-in role and one or more custom or preset roles, but the custom/preset roles take precedence and override the built-in role.
- If a member has one or more custom or preset roles, they replace their built-in role.
- Team Roles always add on top of either built-in or custom/preset roles.
- If the built-in role is
no_accessand the member has no custom or preset roles, then only Team roles apply.
Examples of Role Combination Outcomes
+---------------+--------------------+--------------------+-------------------------------------------------------------------------------------------------------------+
| Built-in Role | Custom/Preset Roles| Team Roles | Effective Permissions / Notes |
+---------------+--------------------+--------------------+-------------------------------------------------------------------------------------------------------------+
| admin | custom-policy-a | team-role-policy-a | Member gets custom-policy-a + team-role-policy-a (Custom/Preset role replaces Built-in, Team role adds) |
| admin | custom-policy-a | None | Member gets custom-policy-a (Custom/Preset role replaces Built-in) |
| admin | None | team-role-policy-a | Member gets admin + team-role-policy-a (built-in + Team role) |
| admin | None | None | Member gets admin (built-in only) |
| no_access | custom-policy-a | team-role-policy-a | Member gets custom-policy-a + team-role-policy-a (Custom/Preset role replaces Built-in, Team role adds) |
| no_access | None | team-role-policy-a | Member gets team-role-policy-a (built-in = no_access, so only team role applies) |
| no_access | None | None | Member gets no_access (no effective permissions) |
+---------------+--------------------+--------------------+-------------------------------------------------------------------------------------------------------------+
Member's can only
- have built-in role OR custom/preset roles;
- AND Team roles