My goal:
Restrict a user so they only have access to the staging environment, with no visibility or access to production.
Issue:
When we add a new user and assign what appears to be a staging-specific role, the user still defaults to seeing the production environment. We’re unable to isolate them to staging only.
Steps I've taken to troubleshoot:
- Created a group for staging-only users
- Granted access to apps and resources inside that group
- Tested permission levels:
  - With Use permission → user only sees default production, not staging
  - With Edit permission → user can see both staging and production, but also gains edit access (which we do not want)
If you are on the Business or Enterprise plan, you can configure resource environment permissions (doc here), but unfortunately we do not have permission settings available for app environments at the moment.
In the meantime, here are a few workaround suggestions that might be helpful:
- In Settings > Beta, you can enable the "Viewer Environments Toggle" setting so that your users with Use permission can toggle to the Staging environment from the bottom-left menu.
- On the Business or Enterprise plan, you can restrict user permissions such that they can only run queries against Staging data.
- You can append ?_environment=staging to a URL, but users would be able to change it, so it’s not a good access control mechanism.
Below is another workaround that was posted:
These suggestions do not completely restrict visibility and access to the prod environment, so I have added your +1 to our internal feature request and will let you know if there are any updates!