#Team Admin


analog thicketBOT
#

Hi @mighty island. I'm happy to dig into this for you! I'll check my internal sources for answers to your question! :wave:

#

Based on the knowledge sources, I can provide information about Team Admin roles and their ability to invite or promote other users to Team Admin roles in Sentry.

Team Admin Role Capabilities

Team Admins in Sentry have specific permissions that allow them to manage their teams. According to the documentation, Team Admins can:

  • Make changes to Project Settings such as Inbound Filters, Ownership rules, etc. for the projects owned by their teams
  • Add or remove projects that their team is associated with
  • Assign Team Admin role to other team members
    Sentry Monorepo

Promoting Users to Team Admin

A Team Admin can promote another team member to the Team Admin role. This capability is explicitly mentioned in the documentation:

"Team Admins have access to make the following changes: [...] Assign Team Admin role to other team members"
Sentry Monorepo

However, there was a bug in the past where Team Admins couldn't promote other members to Team Admin despite having the permission to do so. This issue was identified and fixed:

"Can't promote member to team admin despite being team admin myself [...] Closing - this was fixed in https://github.com/getsentry/sentry/pull/47105 and has been verified to work."
Github Issue

How to Promote a User to Team Admin

You can promote a user to Team Admin in two ways:

  1. From the team settings page:
    • Go to Organization Settings → Teams → Select the team
    • Change the roles for team members from Contributor to Team Admin
#
  2. From the member settings page:
    • Go to Organization Settings → Members → Select the Member
    • Change the team level roles for this member
      Sentry Monorepo

It's worth noting that Team Admins cannot see team invite requests or receive notifications about them, as indicated in a GitHub issue for self-hosted Sentry instances.

The Team Admin role was introduced as a replacement for the organization-wide Admin role on Business plans, allowing for more granular access control at the team level.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@mighty island Our robots are still learning and improving, please let us know if this response was correct by reacting below.

mighty island
#

One org admin can invite another org admin role user

#

@analog thicket could you please check it out

analog thicketBOT
#

Let me check the knowledge base for you again. One moment! :books:

#

I'm not sure what specific aspect you'd like me to check out regarding Team Admin roles in Sentry. Based on our previous conversation, I confirmed that Team Admins can promote other team members to Team Admin roles.

If you have a specific question about Team Admin capabilities, permissions, or any other aspect of Sentry's team management that you'd like me to clarify or investigate further, please let me know what you're looking for specifically.

I'm happy to provide more detailed information about any aspect of Sentry's Team Admin functionality based on the available knowledge sources.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@mighty island Our robots are still learning and improving, please let us know if this response was correct by reacting below.

mighty island
#

@analog thicket One org admin can invite another org admin role user?

analog thicketBOT
#

Let me check the knowledge base for you again. One moment! :books:

#

Based on the knowledge sources, I can provide information about Organization Admin roles and invitations in Sentry.

Organization Admin Role Status

The Organization Admin role in Sentry has been deprecated. According to the documentation:

"Any Sentry user that has an Organization Admin role will still possess that role but customers will not be able to grant that role to any other user going forward."
Sentry Monorepo

This is further confirmed in another source which states:

"It is still possible to invite an Admin to a Sentry Organization. This role is deprecated. The correct role should be Team Admin."
Github Issue

Inviting Users with Admin Privileges

Since the Organization Admin role is deprecated, the recommended approach is to use Team Admin roles instead. For Business plan customers, the admin role was replaced by the team admin role:

"The admin role on Business plans was replaced by the team admin role. This allows you to assign users as admin for specific teams and not organization-wide."
How can I promote a user to Admin

Who Can Invite New Members

Only users with Manager or Owner roles can invite new members to a Sentry organization:

"Note: You must have the Manager or Organization Owner role to add a new member."
How do I add members to my organization?

Summary

#

In summary, while existing Organization Admin users retain their role, it's no longer possible to invite new users with the Organization Admin role as it has been deprecated. Instead, users should be invited as Members and then assigned Team Admin roles for specific teams. Only Managers and Owners have the permission to invite new members to the organization.

If you need more specific information about user roles and permissions in Sentry, please let me know.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@mighty island Our robots are still learning and improving, please let us know if this response was correct by reacting below.

mighty island
#

@analog thicket for the Team plan the org role is still not deprecated, and in that plan can one org admin invite another org admin role user?

analog thicketBOT
#

Let me check the knowledge base for you again. One moment! :books:

#

Based on the knowledge sources, I need to clarify the status of the Organization Admin role in Sentry's Team plan and invitation capabilities.

According to the documentation, the Organization Admin role has been deprecated, but there's a distinction between different plans:

"The admin role on Business plans was replaced by the team admin role. This allows you to assign users as admin for specific teams and not organization-wide, as you can read here."
How can I promote a user to Admin

This specifically mentions the change for Business plans, but doesn't explicitly state the status for Team plans.

However, when looking at the API documentation for adding members to an organization, it states:

"admin - Can edit global integrations, manage projects, and add/remove teams. They automatically assume the Team Admin role for teams they join. Note: This role can no longer be assigned in Business and Enterprise plans. Use TeamRoles instead."
Add a Member to an Organization

This suggests that the Admin role is still available for Team plans since the limitation is specifically mentioned for Business and Enterprise plans.

Regarding whether an Organization Admin can invite another Organization Admin, the documentation states:

"Note: You must have the Manager or Organization Owner role to add a new member."
How do I add members to my organization?

#

This indicates that Organization Admins do not have the permission to invite new members - only Managers and Owners can do so. Therefore, an Organization Admin cannot invite another user with the Organization Admin role (or any role) to the organization.

If you need to add a new Organization Admin in a Team plan, you would need a Manager or Owner to send the invitation with the appropriate role.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@mighty island Our robots are still learning and improving, please let us know if this response was correct by reacting below.

mighty island
#

@analog thicket Thanks

analog thicketBOT
#

Let me check the knowledge base for you again. One moment! :books:

#

You're welcome! I'm glad I could help clarify the information about Sentry's organization roles and invitation capabilities. If you have any other questions about Sentry's features, permissions, or any other aspects of the platform, please don't hesitate to ask.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@mighty island Our robots are still learning and improving, please let us know if this response was correct by reacting below.

mighty island
#

@analog thicket explain how the Default Role works in Sentry

analog thicketBOT
#

Let me check the knowledge base for you again. One moment! :books:

#

Based on the knowledge sources, I can explain how the Default Role works in Sentry.

Default Role in Sentry

The Default Role in Sentry is the role automatically assigned to new members when they join an organization. This setting helps streamline user management by establishing a baseline permission level for all new users.

How Default Role Works with SSO

When Single Sign-On (SSO) is configured:

"Every member who creates a new account via SSO will be given global organization access with a member role. This means that they can access events from any team, but they won't be able to create new projects or administer current ones."
Single Sign-On (SSO)

Default Role with SCIM Provisioning

When using SCIM for user provisioning, you can override the default role by specifying a role:

"The organization role of the member. If unspecified, this will be set to the organization's default role."
Provision a New Organization Member

Configuring Default Role

The default role is configurable in the organization settings. As shown in the API response example:

"defaultRole": "member"

Update an Organization

This setting determines what role is automatically assigned to new members if no specific role is specified during the invitation or provisioning process.

Available Default Roles

The available roles that can be set as default include:

  • Member
  • Admin (deprecated in Business and Enterprise plans)
  • Manager
  • Billing

Each role has different permission scopes as defined in the organization settings.

#

It's worth noting that for organizations using Okta SCIM provisioning, you can configure organization-level roles through custom attributes, which would override the default role setting.

If you need to change how new users are added to your organization or modify the default permissions they receive, adjusting the Default Role setting is the primary way to accomplish this.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@mighty island Our robots are still learning and improving, please let us know if this response was correct by reacting below.

mighty island
#

@analog thicket Hi, could anyone please differentiate the Default Role option available under Org settings and the Default Role option available under the SSO Auth setting (will be visible after enabling SCIM)?

Are they both the same or completely different?

analog thicketBOT
#

Let me check the knowledge base for you again. One moment! :books:

#

Based on the knowledge sources, I can explain the difference between the two Default Role settings in Sentry.

Default Role in Organization Settings vs. SSO Auth Settings

These are two different settings that serve related but distinct purposes:

Default Role in Organization Settings

This is the general default role setting for your Sentry organization that applies to all new members who join through any method (manual invites, API, etc.). As shown in the API documentation:

"defaultRole": "member"

This setting determines what role is automatically assigned to new members if no specific role is specified during the invitation process.

Default Role in SSO Auth Settings

This setting specifically applies to users who are authenticated through Single Sign-On (SSO). According to the documentation:

"Every member who creates a new account via SSO will be given global organization access with a member role. This means that they can access events from any team, but they won't be able to create new projects or administer current ones."
Single Sign-On (SSO)

When SCIM is enabled, this setting becomes particularly important because it determines the default role for users provisioned through your Identity Provider (IdP) when no specific role is assigned.

How They Interact with SCIM

When using SCIM provisioning with Okta, for example, you can override both default settings by explicitly assigning roles:

"If the sentryOrgField field is left blank, group members will be provisioned with the default organization-level role. This default role can be configured in Sentry, under Settings -> Organization -> Auth."
Okta SCIM Provisioning

#

This means that the SSO Auth default role takes precedence for SCIM-provisioned users when no specific role is assigned through the IdP.

Key Difference

The main difference is scope of application:

  • Organization Settings Default Role: Applies broadly to all new members
  • SSO Auth Default Role: Specifically applies to users authenticated through SSO/SCIM

When using SCIM provisioning, the SSO Auth default role becomes the more relevant setting for users coming from your IdP.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

#

@mighty island Our robots are still learning and improving, please let us know if this response was correct by reacting below.

mighty island
#

@analog thicket could you pls provide article links to default role in organisation settings

analog thicketBOT
#

Let me check the knowledge base for you again. One moment! :books:

#

Based on the knowledge sources, I can provide you with article links related to the default role in organization settings for Sentry.

The main documentation for the default role in organization settings can be found in the API documentation:

Update an Organization

This API documentation shows the organization structure that includes the defaultRole parameter, which is set to "member" in the example.

For SSO-related default role settings, you can refer to these articles:

  1. For Okta SSO configuration:
    Okta SSO

  2. For Azure Active Directory SSO configuration:
    Azure Active Directory SSO

  3. For Ping Identity SSO configuration:
    Ping Identity SSO

Each of these SSO configuration guides includes information about setting the "Default Role" for new SSO users.

For SCIM provisioning with Okta, which relates to default roles when automatically provisioning users:
Okta SCIM Provisioning

These resources should help you understand how default roles work in Sentry's organization settings.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: