Extended permissions
Vercel's Role-Based Access Control (RBAC) system consists of three main components:
- Team roles: Core roles that define a user's overall access level within a team
- Project roles: Roles that apply to specific projects rather than the entire team
- Extended permissions: Granular permissions that can be combined with roles for fine-tuned access control
These components can be combined to create precise access patterns tailored to your organization's needs.
Project roles apply only to specific projects and include:
| Project Role | Compatible Team Roles | Permissions Enabled Through Role |
|---|---|---|
| Admin | Contributor, Developer | Full control over a specific project including production deployments and settings |
| Project Developer | Contributor | Can deploy to assigned project and manage dev/preview environment variables |
| Project Viewer | Contributor | Read-only access to assigned project |
Extended permissions add granular capabilities that can be combined with roles:
| Extended permission | Description | Compatible Roles | Already Included in |
|---|---|---|---|
| Create Project | Allows the user to create a new project. | Developer | Owner, Member |
| Full Production Deployment | Deploy to production from CLI, rollback and promote any deployment. | Developer, Contributor | Owner, Member |
| Usage Viewer | Read-only usage team-wide including prices and invoices. | Developer, Security, Member, Viewer | Owner, Billing |
| Integration Manager | Install and use Vercel integrations, marketplace integrations, and storage. | Developer, Security, Billing, Viewer, Contributor | Owner, Member |
| Environment Manager | Create and manage project environments. | Developer, Member | Owner, Member |
| Environment Variable Manager | Create and manage environment variables. | Developer | Owner, Member |
Extended permissions work when the user has at least one compatible team role.
Team roles provide the foundation of access control. Each role has a specific scope of responsibilities:
| Team Role | Role Capabilities | Compatible Extended Permissions |
|---|---|---|
| Owner | Complete control over all team and project settings | All extended permissions (already includes all permissions by default) |
| Member | Can manage projects but not team settings | Environment Manager, Usage Viewer |
| Developer | Can deploy and manage projects with limitations on production settings | Create Project, Full Production Deployment, Usage Viewer, Integration Manager, Environment Manager, Environment Variable Manager |
| Billing | Manages financial aspects only | Integration Manager |
| Security | Manages security features team-wide | Usage Viewer, Integration Manager |
| Viewer | Read-only access to all projects | Usage Viewer, Integration Manager |
| Contributor | Configurable role that can be assigned project-level roles | Full Production Deployment, Integration Manager. See project-level table for compatible project roles and permissions |
The multi-role system allows users to have multiple roles simultaneously. When roles are combined:
- Users inherit the most permissive combination of all their assigned roles and permissions
- A user gets all the capabilities of each assigned role
- Extended permissions can supplement roles with additional capabilities
- Project roles can be assigned alongside team roles for project-specific access
The following table outlines various use cases and the role combinations that enable them. Each combination is designed to provide specific capabilities while maintaining security and access control.
| Use Case | Role Combinations | Key Permissions | Outcome |
|---|---|---|---|
| DevOps engineer | Developer + Environment Variable Manager + Full Production Deployment | Deploy to both preview and production environments; manage preview and production environment variables; full deployment capabilities incl. CLI and rollbacks | Manages deployments and config without billing or team access |
| Technical team lead | Member + Security | Create/manage projects and team members; configure deployment protection, rate limits; manage log drains and monitoring | Leads projects and enforces security without Owner access |
| External contractor | Contributor + Project Developer (for specific projects only) | Can deploy to assigned projects only; no access to team settings or other projects | Limited project access for external collaborators |
| Finance manager | Billing + Usage Viewer | Manage billing and payment methods; view usage metrics across projects; read-only project access | Monitors costs and handles billing with no dev access |
| Product owner | Viewer + Create Project + Environment Manager | Read-only access to all projects; create new projects; manage environments, but not deployments or settings | Oversees product workflows, supports setup but not execution |
Not all roles and permissions can be meaningfully combined. For example:
- The Owner role already includes all permissions, so adding additional roles doesn't grant more access
- Some extended permissions are only compatible with specific roles (e.g. Full Production Deployment works with Developer, Member, and Owner roles)
- Project roles are primarily assigned to Contributors or via Access Groups
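The compatibility rules in the tables above can be turned into an access-review check. The following is an added example, not Vercel's code or API: the function name `audit`, its input shape, and the sample assignments are assumptions, and the role data is transcribed from the extended-permissions and project-roles tables. Where the page lists Member as both compatible with and already including Environment Manager, this sketch reports the permission as redundant.

```python
# Added example: compatibility data transcribed from the tables on this page.
# permission -> (compatible team roles, team roles that already include it)
EXTENDED = {
    "Create Project": ({"Developer"}, {"Owner", "Member"}),
    "Full Production Deployment": ({"Developer", "Contributor"}, {"Owner", "Member"}),
    "Usage Viewer": ({"Developer", "Security", "Member", "Viewer"}, {"Owner", "Billing"}),
    "Integration Manager": ({"Developer", "Security", "Billing", "Viewer", "Contributor"}, {"Owner", "Member"}),
    "Environment Manager": ({"Developer", "Member"}, {"Owner", "Member"}),
    "Environment Variable Manager": ({"Developer"}, {"Owner", "Member"}),
}
# project role -> compatible team roles
PROJECT_ROLES = {
    "Admin": {"Contributor", "Developer"},
    "Project Developer": {"Contributor"},
    "Project Viewer": {"Contributor"},
}

def audit(team_roles, extended=(), project_roles=()):
    """Classify one user's extended permissions and project roles (hypothetical helper)."""
    roles = set(team_roles)
    out = {"effective": [], "redundant": [], "inert": [], "bad_project_roles": []}
    for perm in extended:
        compatible, included = EXTENDED[perm]
        if roles & included:
            out["redundant"].append(perm)   # a held team role already grants it
        elif roles & compatible:
            out["effective"].append(perm)   # adds capability beyond the team role
        else:
            out["inert"].append(perm)       # no compatible team role: does nothing
    for pr in project_roles:
        if not roles & PROJECT_ROLES[pr]:
            out["bad_project_roles"].append(pr)
    return out

if __name__ == "__main__":
    # Constructed sample assignments for an access review.
    users = {
        "devops@example.com": (["Developer"], ["Environment Variable Manager", "Full Production Deployment"], []),
        "contractor@example.com": (["Contributor"], [], ["Project Developer"]),
        "accounts@example.com": (["Billing"], ["Create Project"], []),
        "lead@example.com": (["Member", "Security"], ["Create Project"], []),
    }
    for user, (team, ext, proj) in users.items():
        print(user, audit(team, ext, proj))
```

Inert and redundant entries are candidates for removal during a least-privilege review, since they either grant nothing or duplicate what the team role already provides.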