User Roles & Access

AppControl uses two access layers:

User role decides which product areas a user can use.
App role decides what a user can do in each app they can see.

Most users need both.

A user role without app access means the user can sign in, but may see no apps.
App access without the right user role means the user can see an app, but some actions stay unavailable.
Platform Administrator is the exception. This role already has full visibility.

Rule of thumb:

User role = feature access
App role = app-level actions
App Groups = delegation (policy / release / task management) and visibility
User Groups = app role assignment at scale

Access model at a glance

How AppControl decides access

User signs in
   ↓
User role unlocks product areas
   ↓
App access makes apps visible
   ↓
App role unlocks actions in each visible app

Ways a user gets app access

Platform Administrator
   └─ sees all apps

Other users
   ├─ Direct app access
   │    └─ one user → one app
   ├─ App group membership
   │    └─ one user → all apps in one app group → App Member
   └─ User group membership
        └─ many users → many apps → configurable app role

Choose the right access path

App groups

Use app groups to delegate management.

One app belongs to one app group.
Group members get App Member on all apps in that group.
Group administrators manage group members and group resources.

See App Groups.

User groups

Use user groups to grant app roles to many users.

One user group can contain many apps.
Members inherit access on every app in the group.
Each member can be App Owner, App Administrator, App Member, or App Operator.

See User Groups.

Direct app access

Use direct app access for one-off cases.

This is useful when a user needs access to one app only.

User roles

User roles control which product areas a user can use.

Role

Use this for

Access

Platform Administrator

Central platform management

Manage system settings, groups, access, all policies, all pipelines, and all tasks. View all apps and repository data.

Group Administrator

Delegated management for one or more app groups

Manage group members, user access, group policies, group pipelines, and group tasks for assigned groups.

App Administrator

App-level operations

Manage app policies, app pipelines, and app tasks for apps the user can access.

App Viewer

Read-only access

View visible apps and their related dashboards and data.

Policy Viewer

Policy and insight review

View policy and insight data for visible apps. Policy changes still require the right app role.

No Access

Disabled or inactive users

No access to AppControl.

App Administrator exists in two places:

as a user role, it unlocks app management features
as an app role, it grants admin rights on a specific app

A user needs both to fully manage an app. Note that if you add a user as an App Administrator to an app, that the App Administrator user role will automatically be granted to them.

App roles

App roles apply per app.

Role

Use this for

Access

App Owner

Business or service ownership

Manage app info and approve releases. View policy, release, task, environment, and repository information.

App Administrator

Operational ownership

Manage app policies, app pipelines, app tasks, create releases, and approve releases. View policy, release, revision, environment, configuration, task, and repository information.

App Member

General team access

View policy, release, environment, task, and repository information.

App Operator

Release execution

Create releases. This can be limited to specific environment types.

Users with the Policy Viewer user role only get policy access for apps where they also have app visibility.

Common combinations

These combinations cover most setups:

Platform Administrator — full platform access and full app visibility.
Group Administrator + assigned app group — delegated management for one domain or team.
App Viewer + app group membership — read-only access to every app in that group.
App Administrator user role + App Administrator app role — full app-level operations for a specific app.
Policy Viewer + App Member — review policy results and insights without release or task management.

Common scenarios

Give a team read-only visibility for a set of apps

Add the users as members of an app group.

Give them the App Viewer user role.

Give an operations team release rights across many apps

Create a user group with those apps.

Add the users to the user group with the App Operator app role.

Delegate management for one app domain

Create an app group.

Assign a Group Administrator to that group.

Use user groups when the team also needs app roles across the apps in that group.

Troubleshooting access issues

Check whether the user has app access through one of these paths:

direct app access
app group membership
user group membership

The user can see an app, but cannot perform an action

Check both layers:

does the user role allow the product area?
does the app role allow the action on that app?

The user was added to an app group, but still lacks release or admin rights

App group membership only grants App Member.

Use a user group or direct app access when the user needs App Owner, App Administrator, or App Operator.