Restrict a System Administrator to non-production environments?

Can I give a user the permissions of a system administrator, but prevent them from deploying to production and from giving themselves or someone else access to deploy to production?

I can create a Team with the System Administrator role and limit it to non-production environments, and at first that seems to be sufficient. Members of that team can’t deploy to production, and they can’t grant another team access to production explicitly. They can, however, remove all environments from a team (including their own), which gives that team access to all environments, including production. Is that by design, or is that an oversight?

In our environment, developers are not allowed to deploy to production due to regulatory audit restrictions. But we would like a lead developer on each of our teams to manage the users for their own projects and to have access to the diagnostics, audits, certificates, and other features relevant to their projects that only a System Administrator can access. Is there another way to accomplish this?

Hi Adam,

Thanks for the feedback on the permission system. We’ll look into whether there’s a way to prevent system administrators from making these kinds of changes.

Paul

Paul,

Did anything come of this? As a matter of documentation, does the System Administrator role respect the Projects/Environment restrictions?

Hi Josh,

The system administrator role will grant complete access. But since this original thread, the permissions are now much more granular, and you can build a custom role that will limit with environments.

Let me know if I can provide more information :)
Vanessa

Vanessa,

I ran a test yesterday and it looks like the System Administrator role will respect a per-project filter (at least – didn’t try environment filter), so assuming I have this right, it’s pretty great.

- Josh