Back to Blog Home

Rethinking Roles

David Cramer image

David Cramer -

Rethinking Roles

Sentry has a long history of building features to add support to complex organizational security. It's
the reason we support things like multiple and revokable client keys, teams,
and a variety of ways to limit the scoping of actions. Somewhere
along the way, however, we feel we went a bit too far with our permission
matrix. It became too complicated for the average user. Today that is changing
with our new Roles.

Some History

The way roles used to function is by describing two attributes, team access
and a membership level, we would compute which scopes and object permissions
you had. This worked fairly well on the backend, but for the user experience
it was confusing. A primary example is that giving ownership access to an
organization required both ticking the has global access box in addition
to setting the Owner role. This led to far too many support tickets, and
eventually documentation that even we ourselves weren't satisfied with writing.

Never was it clear which level of permission you would need to grant to
members in order to allow them to do certain tasks such as creating new teams
or adding members. It was obvious a change was in order.

Introducing Roles

Today we are releasing a new Roles feature to replace the old-style permission
computation.

The new rules consist of four primary levels:

Owner
The owner acts exactly like you would have expected it to previously. It has full permissions across the board.

Manager
Identical to the owner but with one key restriction: they cannot submit an organization delete request.

Admins
Admins lose the ability to perform organization-wide affects. They can create and remove projects (within their teams), as well as create new teams (thus becoming members of them).

Member
Nearly identical to before. They receive the ability to interaction with events and in some cases, read-only access to project settings.

Additionally for Hosted Sentry we've got you covered for accounting, with the new Billing role.

Team Membership

The last piece of our puzzle is team membership. When Sentry began the only way
for a member to join a team was by having an administrator invite them. Along
the way we improved this significantly by adding the ability for users to
request access to an existing team. We then improved it even further by
allowing you to set Open Membership within an organization's settings,
thus allowing anyone to join and leave teams whenever they wanted.

Today we're making one more significant change to membership: Owners and
Managers will no longer be automatically added to new teams. They'll
always be able to join a team without approval, but it'll no longer happen
by default. This means that in large organizations the team responsible for
managing the organization no longer has to deal with negative side effects.

Unless your company happens to building highly sensitive mobile phones, we feel
the best experience you can give your team members starts with enabling Open
Access
and Single Sign-On. From there let Sentry run on auto-pilot.

Looking Forward

We're going to continually be evaluating our access controls and simplifying
things where it makes sense. We already see some obvious improvements if we
were to combine several of our more granular scopes. An example of this would be merging team:write and team:delete into team:admin.

As always, we'd love to hear your feedback. Whether you want to debug Python, do PHP error tracking, or handle an obscure JavaScript exception, we'll be working hard to provide the best possible experience for you and your team with Sentry!

Share

Share on Twitter
Share on Bluesky
Share on HackerNews
Share on LinkedIn

Published

Sentry Sign Up CTA

Code breaks, fix it faster

Sign up for Sentry and monitor your application in minutes.

Try Sentry Free

Topics

Sentry

New product releases and exclusive demos

Listen to the Syntax Podcast

Of course we sponsor a developer podcast. Check it out on your favorite listening platform.

Listen To Syntax
© 2024 • Sentry is a registered Trademark of Functional Software, Inc.