Restricting a role to specific environments

I have a question about role permissions as it relates to individual environments. Under the global settings for roles, I see that I can restrict a role to just primary environment, just sandbox environments, or both. But I cannot restrict a role (under global settings) to specific sandbox environments, e.g. “staging” and primary but not “development”. If I’m missing something there, let me know.

Under “content permissions” for a specific environment, I see that I can set permissions for a role. See my screenshot.

I want to make sure I understand this correctly. If I set “asset permissions” to “view assets” and “record permissions” to “view”, does that mean the role can select the environment but, in effect, they can’t make any changes to it?

Basically I want a certain set of content editors to only be able to see the “staging” and primary environments. But since it looks like I can’t do that, if I can make the other environments “read-only” for the other environments, that would work.

If I do understand this correctly, I’d like to suggest that the product be enhanced so that a role can be specified as only being able to “see” a specific set of environments.


Hello @donnie.hale

You can do so by going to roles, and then to the role you want to edit

Then, you can specify there the environments this role has access to by selecting them in this dropdown right here:

When I go to that screen, the dropdown doesn’t list specific environments, i.e. using the environment names that I specified. See my screenshot below.

What I’d like to see is a multiselect list where each individual environment can be selected:

[ ] primary
[ ] staging
[ ] qa
[ ] development

That way in one place I can restrict the actual content editors to just staging and primary - they wouldn’t even know that the other environments existed.

I see @donnie.hale

Unfortunately at the moment we don’t offer that level of granularity for roles, and we only allow you to restrict the role to primary or sandbox environments, or both. I do see the usage for a higher granularity so i transformed this topic into a feature request so we can track this a bit better in the future and track community interest on it

Thank you!

1 Like

Thank you again.

Given the current capabilities, and going back to my original question…

Is my understanding of the environment-specific “content permissions” correct? If the role has no asset permissions and no record permissions in an environment, then they in effect can’t make any changes in the environment, even though technically they can “see” the environment?

Appreciate the responses.


Although they would be able to read the name of the environment, they would not be able to perform any actions on it.

1 Like