> ## Documentation Index
> Fetch the complete documentation index at: https://docs.incident.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Role restrictions

> Control who can be assigned to incident roles and what they can do

Role restrictions let you control who's eligible to be assigned specific roles during an incident, and what permissions each role grants. For example, you may want only members of your Security team to be the Incident Lead for Security incidents, and grant that role permission to manage the incident lifecycle.

Restrictions and permissions are configured per [incident type](/incidents/incident-types), so you can tailor each role to match the needs of different incident types. Role-level permissions are available on the [Enterprise plan](https://incident.io/pricing).

## Setting up

To configure a role, head to **[Settings → Types](https://app.incident.io/~/settings/incident-types)** and select the incident type you want to configure. Scroll to the **Roles** section.

<Frame caption="The Roles section before any restrictions are configured">
  <img src="https://mintcdn.com/incidentio-18bb4170/gqUHpHvJNgsLojkd/images/help-centre/role-restrictions/screenshot-1.png?fit=max&auto=format&n=gqUHpHvJNgsLojkd&q=85&s=9983f3cb5b7401f81000f6a47598749c" alt="Roles section with no restrictions" width="1416" height="980" data-path="images/help-centre/role-restrictions/screenshot-1.png" />
</Frame>

Click the three-dot menu on any role and select **Configure role** to open the configuration drawer. The drawer has two sections: **Who can get this role?** and **Grant additional permissions**.

<Frame caption="The role restrictions drawer before adding any restrictions">
  <img src="https://mintcdn.com/incidentio-18bb4170/gqUHpHvJNgsLojkd/images/help-centre/role-restrictions/screenshot-2.png?fit=max&auto=format&n=gqUHpHvJNgsLojkd&q=85&s=3954dd0d67329bdbae200e9703fba716" alt="Role restrictions drawer with no restrictions" width="1506" height="1064" data-path="images/help-centre/role-restrictions/screenshot-2.png" />
</Frame>

## Who can get this role?

Restrictions are built using the expression builder. Select a user attribute to restrict on, choose an operator, and pick the values to match against.

<Frame caption="Choosing a variable to restrict on">
  <img src="https://mintcdn.com/incidentio-18bb4170/gqUHpHvJNgsLojkd/images/help-centre/role-restrictions/screenshot-3.png?fit=max&auto=format&n=gqUHpHvJNgsLojkd&q=85&s=7979afcfa58e29a2ba56c52d4f3664a9" alt="Filter picker showing available restriction variables" width="1480" height="1142" data-path="images/help-centre/role-restrictions/screenshot-3.png" />
</Frame>

Common examples include restricting a role to a specific list of users, or to members of a particular team. You can also restrict based on any user attribute or custom catalog type connected to users.

You can combine multiple conditions:

* **Conditions within the same group** use AND logic - all conditions must be met
* **Separate groups** use OR logic - any group can match

<Frame caption="A completed restriction with multiple conditions">
  <img src="https://mintcdn.com/incidentio-18bb4170/SAagSCOwPkDRXOZy/images/help-centre/role-restrictions/screenshot-4.png?fit=max&auto=format&n=SAagSCOwPkDRXOZy&q=85&s=92c5598e36372536a54e4bbba9e962c3" alt="Role restrictions drawer with restrictions applied" width="1008" height="826" data-path="images/help-centre/role-restrictions/screenshot-4.png" />
</Frame>

Once saved, restrictions are displayed beneath each role in the Roles section so you know which roles have restrictions set.

<Frame caption="The Roles section showing configured restrictions">
  <img src="https://mintcdn.com/incidentio-18bb4170/SAagSCOwPkDRXOZy/images/help-centre/role-restrictions/screenshot-5.png?fit=max&auto=format&n=SAagSCOwPkDRXOZy&q=85&s=2bf846625ac2afa3f0527cccee5d2446" alt="Roles section with restrictions applied" width="1416" height="1078" data-path="images/help-centre/role-restrictions/screenshot-5.png" />
</Frame>

Users who don't meet a role's restrictions will appear disabled in role assignment dropdowns. If someone attempts to assign a restricted user directly, an error message explains why the assignment can't be made.

Restrictions are enforced wherever incident roles are assigned:

* **Slack** - when assigning roles via `/inc role` or the channel announcement buttons
* **Microsoft Teams** - when assigning roles via channel announcement buttons
* **Dashboard** - when picking roles during incident declaration or while managing an active incident
* **Workflows** - any steps that assign roles to ineligible users will cause the workflow to fail

## Grant additional permissions

The **Grant additional permissions** section lists permissions you can grant to users holding that role during incidents of this type. Check the ones you want to grant.

For example, you might grant the Incident Lead permission to manage the incident lifecycle and update fields, while giving the Communications Lead only permission to update the timeline.

<Frame caption="Granting permissions to the Incident Lead role, with the tooltip showing which account-level roles already grant a permission">
  <img
    src="https://mintcdn.com/incidentio-18bb4170/gqUHpHvJNgsLojkd/images/help-centre/role-restrictions/screenshot-6.png?fit=max&auto=format&n=gqUHpHvJNgsLojkd&q=85&s=ffc20053e75d9ad67efe36a35443d901"
    alt="Grant additional permissions section with some permissions checked and a tooltip showing account-level
roles"
    width="1470"
    height="836"
    data-path="images/help-centre/role-restrictions/screenshot-6.png"
  />
</Frame>

Permissions granted here are layered on top of any that a user already has through their account-level base or custom roles — you can grant additional permissions to an incident role, but not remove ones a user already has. Each permission shows which account-level roles already grant it, so you can see what a user would have access to regardless of their incident role.

<Tip>
  If you're moving permissions from account-level roles to incident roles, set up your incident role permissions
  **first**, then remove them from the account-level roles. This avoids a gap where users temporarily lose access to
  permissions they need.
</Tip>

### All other participants

Below the named roles, there's an **All other participants** entry. Use this to configure permissions for anyone participating in the incident who doesn't hold a specific role.

This is useful for tightening permissions on sensitive incident types — for example, granting permission to update follow-ups or manage post-mortems only to the Incident Lead, while leaving other participants with more limited access.

## Workflows

<Warning>
  If you have workflows that assign incident roles, adding restrictions may cause those workflow steps to fail. A workflow step will fail if the user it tries to assign doesn't meet the role's restrictions.
</Warning>

When you have active workflows that assign roles, you'll see a warning banner in the Roles section of your incident type settings reminding you of this.

Review your [workflows](/workflows) after adding role restrictions to make sure the users being assigned still meet the new requirements.

## FAQs

<AccordionGroup>
  <Accordion title="Can I set role restrictions globally across all incident types?">
    No - role restrictions are configured per incident type. You'll need to set up restrictions individually for each
    type where you want them.
  </Accordion>

  <Accordion title="What happens if no one meets a role's restrictions?">
    The role dropdown will show all users as disabled. Consider broadening your restrictions if this happens.
  </Accordion>
</AccordionGroup>