When making changes to your site, you may need an internal or 3rd-party developer to test or deploy their changes. Often, these users only need limited access to get the job done.
For account security purposes, we always recommend only giving the minimum amount of access required to get the job done. In this article, we'll show you how to appropriately provide and manage developer access.
Understanding Access Roles
Within your Pagely account, collaborators can be assigned a role that restricts their permissions to only what the role allows. There are several, but for the purpose of this article, we'll go over a few that would apply to a developer who needs to make changes.
For more information on the different access roles, take a look at the following chart:
|Manage Billing/Tech Users||✓||✓||✓|
|Manage Site-Level Users||✓||✓||✓|
|Manage 2-Factor (self)||✓||✓||✓||✓||✓||✓|
|Force 2-Factor for All Users||✓|
|Manage Account SSH/SFTP Keys||✓||✓||✓||✓||✓||✓|
|Manage Plan and Addons||✓||✓||✓|
|View Plans and Addons||✓||✓||✓||✓|
|View All Tickets||✓||✓||✓|
|View Their Own Tickets||✓||✓||✓||✓||✓||✓|
|Manage Maintenance Windows||✓||✓||✓||✓|
|Access Database Admin||✓||✓||✓||✓||✓|
|Access Log Viewer||✓||✓||✓||✓||✓|
The Tech role allows the user to make technical changes such as managing sites, accessing the server over SSH, submitting support tickets, and managing things like DNS. Usually, this role is used by people who are internal to your organization and can be fully trusted.
You'd want to set someone as the Tech role if they need to:
- Manage all sites.
- Manage maintenance windows.
- Access the server over SSH.
The main difference between the Tech role and the Site-Only role is SSH access and the ability to manage all sites on the account. If they only need to access a single site, you'll likely want to go with a lower access level like App-Only or App-Only-Minimal.
The App-Only role is similar to the Tech role, but only allows the user to access a specific site on your account. You'd want to set a user to this role if they need to use SFTP, access backups, submit tickets, or manage things like DNS for a single site, without giving them access to all sites like a Tech user would have.
An app-only user should only be someone that you trust, since they will have access to things like backups, DNS, databases, support tickets, and other things that could impact how your site is configured on the server.
The App-Only-Minimal role is the most limited role, but also a common one for people who only need to manage files on a specific site. If you're hiring a 3rd-party developer or someone else who is just making code-related changes, this is almost always the best role for them to have.
A user that has been assigned the app-only-minimal role will be able to manage files on a site over SFTP, but won't have access to other account-related features that could impact how your site is configured.
Giving a Developer Access
When giving someone else access to your account, always do so by inviting them as a collaborator. For information on adding a collaborator to your account, see our article on managing collaborators.
Only provide people access to the things that they absolutely need. Generally, your roles should look something like this:
- Tech: Technical-minded managers who are comfortable with tech-related responsibilities, or senior-level developers who need to manage all sites on the account.
- App-Only: Senior-level developers who only need to manage a single site.
- App-Only-Minimal: Anyone else who needs to manage files for a site.
If someone is moving up or down in your organization and needs more or less access, you can easily change their role at any time. To do so, just follow the instructions in our Managing Collaborators article.
Any time that someone is no longer required to access the site, their access should be immediately revoked. This includes internal developers who are leaving the company or 3rd-party developers who are finishing their contract.
Always remember to revoke access for accounts that no longer require it. You can always add the user again if they continue working with you in the future.