This guide covers all of the default permissions for each of the five roles in Heap along with steps to customize these permissions and create custom roles for your teammates.
If you haven’t done so already, we recommend reviewing Plan Your Data Governance Strategy to familiarize yourself with the three general approaches to data governance. Thinking through your data governance strategy will guide you when deciding on roles and permissions for your team.
For an interactive course on how to keep your Heap account clean and organized, check out our Organizing and Managing Heap course in Heap University.
When inviting teammates to Heap, you’ll be prompted to assign one of five default roles, each with increasing restrictions on the actions they can take.
|Admin||Has the largest range of access and can manage projects, billing information, SSO settings, the home dashboard, and delete teammates or change their role.|
|Architect||Second to the Admin. Has all the permissions of an Analyst and can manage verified events, snapshots, connect new warehouses and sources, and edit change history.|
|Analyst||Has baseline permissions to manage data in Heap. Has all the permissions of a Consumer and can create events, categories, segments, and update property notes.|
|Consumer||Has baseline permissions for contributing to the dataset. Can manage reports and dashboards, personal definitions, and invite new teammates.|
|Read-Only||Exactly as it sounds; this role can only read existing data in Heap. Can run queries, export CSV results, and add or remove themselves from emailed reports.|
|Custom Role||In addition to the default roles above, you can create custom roles to mix and match permissions based on your team structure.|
A table of permission settings for each role is available in the Default Permissions section below.
To invite new teammates to Heap, navigate to Account > Manage > Teammates and click the Add Teammates button at the top.
In the pop-up that appears, provide your new teammates’ email addresses, assign them a role, choose an initial Environment, then click Send Invites.
They’ll receive an email invite to join your Heap workspace.
Adding teammates with SSO
If you have SSO enabled, you won’t see an Add Teammates button in your Heap account. Instead, you will directly manage teammates in your account from your IDP/SSO provider.
To re-send the invite, you can do so by clicking the envelope icon in the top navigation on the teammate details pane.
Note that this email invite expires a month from when it’s sent.
Unless your role has the Change User Permissions setting enabled, you cannot invite someone to a role that has permissions that you do not have.
Not sure what role your new team member should have? Read on for an overview of the default roles and permissions in Heap and steps to create custom roles to suit your organizational structure.
When you invite new team members to Heap, you’ll be prompted to select their role. It’s important to understand the permissions associated with each role, and how these roles work within the structure of your team, to make the best choices for your team members.
By default, Heap provides five different roles with varying degrees of access within the product. These permissions define what team members can and cannot do in the app. See the permissions table below for a full overview of the different levels of access each role has.
|Export Query Results||✓||✓||✓||✓||✓|
|Recieve & Remove Self from Emailed Reports||✓||✓||✓||✓||✓|
|Manage Personal Reports & Dashboards||✓||✓||✓||✓||✓|
|View session replays||✓||✓||✓||✓||✓|
|Manage Shared Reports & Dashboards||✓||✓||✓||✓|
|Manage Personal Definitions (Events, Segments, Properties)||✓||✓||✓||✓|
|Request Definition Verification||✓||✓||✓|
|Manage Shared Definitions (Events, Segments, Properties)||✓||✓||✓|
|Edit Verified Definitions||✓||✓|
|Manage Data Capture Settings||✓||✓|
|Manage Heap Connect||✓||✓|
|Manage Change History||✓||✓|
|Manage Security Settings||✓|
|Manage Home Dashboard||✓|
Admins can also create custom roles, rename existing roles, and delete unused roles in Heap. This allows you to customize your roles to fit your organization.
Creating Custom Roles
To create a new custom role, navigate to Account > Manage > Roles. From this page, click the + Add Role button in the top right.
On the page that appears, set a name, description, and default permission set for your custom role. You’ll have the option to customize this later, this is just a starting point.
Click Add at the bottom. This will take you back to the list of roles. Click on the role you just created to pull up the role details.
On this page, click the checkmark and X icons to the left of each permission to toggle it as enabled or disabled for this role.
Last but not least, click the Save button at the top to update this role.
Renaming Existing Roles
To rename existing roles, navigate to Account > Manage > Roles. From this page, click on the role you’d like to rename to pull up the role details.
Click on the name field, enter your new name for this role, then click the Save button at the top.
Deleting Unused Roles
Note that you can’t delete a role that is currently assigned to one or more team members. To update those team members’ roles, see the Changing Permissions section below.
To delete a role, navigate to Account > Manage > Roles. From this page, click on the role you’d like to delete to pull up the role details.
Click the trash icon at the top of the role details screen.
To change your teammates permissions, navigate to Account > Manage > Teammates, click the team member whose role you’d like to update, then adjust the permissions by clicking on them.
You can also set role-based permissions by clicking on a teammate. This will open up the teammate editor panel, where you can select a new permission level.
For practical advice on how to structure these roles to support a large-scale organization, see Team Permissions That Scale.
Setting Project Permissions by Team
Heap supports setting permissions by team and project. This allows you to manage granular access control at scale. Learn how to set up project-level permissions in Permissions.