
Team Security and Compliance

Learn how to view and configure your team's security and compliance settings.

Security features are available on Enterprise plans

To manage Enterprise team accounts, you need an extra layer of security settings to help you control and analyze how, where, and when your team members have accessed the account. Inside your team's settings is a section for Security in the left sidebar.

From here, you can configure two exclusive security-facing features that are available only for Enterprise team accounts:

Configuring a team email domain will automatically add your coworkers to your team if they sign up with a matching email address. For example, if the team email domain is acme.com, a new user signing up with john@acme.com will be able to join your team.

This is useful if you would like employees, or those you work with, to automatically join your team without needing a manual invitation.

To allow this feature, you must add the email domain to the Vercel Domains section. Given the example above, you would add acme.com.

Setting the Team Email Domain for a Team.

Audit logs are available in Beta on Enterprise plans

Those with Owner roles have access

Audit Logs allow you to track and analyze each member's activity. These logs show the sequence of activities performed by an individual, procedure, or event, enabling you to monitor and verify who accessed what, for what reason, and at which time.

Any team member with an owner role can export and download a Comma Separated Value (CSV) file of the data from the Team Settings, Security section on your Vercel dashboard.

This file contains information about the events that occurred during a selected time frame.

Reports can be generated from the last 90 days (three months). Exporting Audit Logs will have no impact on your billing.

Before a report can be exported, you must select a valid time frame. The team owner who has requested an export will then receive an email with the report.

Export audit logs for your team's activity in a selected timeframe.

The email contains a link to download the Audit Log file. This link is valid for 24 hours and requires the owner role to access the file.

The CSV file can be opened in any spreadsheet-compatible software. The following fields make up the table:

| Property | Description |
| --- | --- |
| timestamp | Time and date at which the event occurred |
| action | Name for the specific event, e.g., project.created, team.member.left, project.transfer_out.completed, auditlog.export.downloaded, auditlog.export.requested, etc. |
| actor_vercel_id | User ID of the team member responsible for an event |
| actor_name | Account responsible for the action. For example, username of the team member |
| actor_email | Email address of the team member responsible for a specific event |
| location | IP address from where the action was performed |
| user_agent | Details about the application, operating system, vendor, and/or browser version used by the team member |
| previous | Custom metadata (JSON object) which indicates the previous state of the object onto which an action was performed. For example, when changing the name of a team, it will show the old name in the metadata |
| next | Custom metadata (JSON object) which shows the updated state of the object. For example, when changing the name of a team, it will show the new name in the metadata |

Consider an event where a team owner updates the role of a member from viewer to owner. The log entries for action, previous and next states will resemble the following:

team.member.role.updated

By looking at the previous and next metadata, you can analyze how the role field changes from "role":"VIEWER" to "role":"OWNER" for your team member.
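The same comparison can be run over a whole export. The following is an added example, not code from Vercel's documentation: it reads an exported CSV, lists every team.member.role.updated event whose role changes to OWNER, and counts audit-log export events. The sample rows, the timestamp format, and the assumption that previous and next are JSON objects with a "role" key are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample export using the column names from the table above.
# Assumption: previous/next hold a JSON object with a "role" key for role updates.
SAMPLE_CSV = '''timestamp,action,actor_vercel_id,actor_name,actor_email,location,user_agent,previous,next
2023-01-10T09:12:44Z,project.created,usr_001,alice,alice@acme.com,198.51.100.7,Mozilla/5.0,,"{""name"":""docs""}"
2023-01-10T09:30:02Z,team.member.role.updated,usr_001,alice,alice@acme.com,198.51.100.7,Mozilla/5.0,"{""role"":""VIEWER""}","{""role"":""OWNER""}"
2023-01-10T10:01:15Z,team.member.role.updated,usr_002,bob,bob@acme.com,203.0.113.9,Mozilla/5.0,"{""role"":""OWNER""}","{""role"":""MEMBER""}"
2023-01-10T10:05:00Z,auditlog.export.requested,usr_002,bob,bob@acme.com,203.0.113.9,Mozilla/5.0,,
'''

def _load_state(cell):
    """Parse a previous/next cell; empty or malformed cells become {}."""
    if not cell or not cell.strip():
        return {}
    try:
        value = json.loads(cell)
    except json.JSONDecodeError:
        return {}
    return value if isinstance(value, dict) else {}

def role_changes(csv_text, to_role="OWNER"):
    """Return role-update events whose role field changes to `to_role`."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("action") != "team.member.role.updated":
            continue
        before = _load_state(row.get("previous")).get("role")
        after = _load_state(row.get("next")).get("role")
        if after == to_role and before != to_role:
            hits.append({"timestamp": row["timestamp"], "actor_email": row["actor_email"],
                         "location": row["location"], "from": before, "to": after})
    return hits

def count_actions(csv_text, prefix):
    """Count events whose action name starts with `prefix`."""
    return sum(1 for row in csv.DictReader(io.StringIO(csv_text))
               if (row.get("action") or "").startswith(prefix))

if __name__ == "__main__":
    for hit in role_changes(SAMPLE_CSV):
        print(hit)
    print("export events:", count_actions(SAMPLE_CSV, "auditlog.export."))
```

To review a real export, pass the contents of the downloaded file to the same functions in place of SAMPLE_CSV.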

SAML is available on Enterprise plans

Those with Owner roles have access

To manage the members of your team through a third-party identity provider like Okta or Auth0, you can set up the Security Assertion Markup Language (SAML) feature from the team settings.

To enable this feature, the team must be on the Enterprise plan and you must hold an owner role.

All team members will be able to log in using your identity provider (which you can also enforce), and similar to the team email domain feature, any new users signing up with SAML will automatically be added to your team.

If needed, you can also automatically assign a user's personal account a specific role within your team by setting up Directory Sync.

The SAML SSO settings for a Team.

SAML can be configured from the team settings, under the SAML Single Sign-On section. Clicking "Configure" will open a walkthrough that helps you configure SAML SSO for your team with your identity provider of choice.

After completing the steps, SAML will be successfully configured for your team.


Once you have configured SAML, your team members can use SAML SSO to log in or sign up to Vercel. Click "Continue with SAML SSO" on the authentication page, then enter your team's slug.

Your team slug is the identifier in the URLs for your team. For example, the identifier for vercel.com/acme is acme.

Logging in with SAML SSO for a Team.

Click "Continue with SAML SSO" again and you will be redirected to your third-party authentication provider to finish authenticating. Once completed, you will be logged into Vercel.

SAML SSO sessions last for 24 hours before users must re-authenticate with the third-party SAML provider (unless Directory Sync is configured).

For additional security, SAML SSO can be enforced for a team so that no team member can access any team information unless their current session was authenticated with SAML SSO.

You can only enforce SAML SSO for a team if your current session was authenticated with SAML SSO. This ensures that your configuration is working properly before tightening access to your team information, which prevents loss of access to the team.

SAML SSO configured and enforced.

Note: When modifying your SAML configuration, the option for enforcing will automatically be turned off. Please verify your new configuration is working correctly by re-authenticating with SAML SSO before re-enabling the option.

Directory Sync is available on Enterprise plans

Those with Owner roles have access

Directory Sync helps teams manage their organization membership from a third-party identity provider like Google Directory or Okta. Like SAML, Directory Sync is only available for Enterprise Teams and can only be configured by Team Owners.

When Directory Sync is configured, changes to your Directory Provider will automatically be synced with your team members. All team members will also receive an email detailing the change. For example, if a new user is added to your Okta directory, that user will automatically be invited to join your Vercel Team. If a user is removed, they will automatically be removed from the Vercel Team.

You can configure a mapping between your Directory Provider's groups and a Vercel Team role. For example, your "Engineers" group on Okta can be configured with the member role on Vercel, and your "Admin" group can use the owner role.

Go to the Team's Security settings from the top header. Here, you can configure Directory Sync for your Team. Clicking "Configure" will open a walkthrough that helps you configure Directory Sync for your Team with your Directory Provider.

After completing the steps of the configuration walkthrough, configure how Directory Groups should map to Vercel Team roles:

Setting the Okta Admins group as Vercel owners and the Engineers group as Vercel Members.

Finally, an overview of all synced members is shown before you complete the syncing:

An overview of Team owners and Members that will be added.

Once confirmed, Directory Sync will be successfully configured for your Vercel Team.

Note: SAML Single Sign-On is optionally available on the Enterprise Plan. To get this enabled, contact sales.

Vercel supports the following third-party SAML providers: