Configure Vercel's role-based access control (RBAC) with team roles, project-level access groups, SSO/SAML integration, and audit logging. Covers the two access control planes: team-level (who can deploy) and application-level (who can access deployed content).
Prerequisites
Vercel Pro or Enterprise plan
Identity Provider (IdP) with SAML 2.0 support (for SSO)
Understanding of your organization's access requirements
Instructions
Step 1: Understand Vercel's Role Model
Team-Level Roles:
Role
Deploy Prod
Manage Projects
Manage Billing
Manage Members
Owner
Yes
Yes
Yes
Yes
Member
Yes
Yes
No
No
Developer
Preview only
Limited
No
No
Viewer
No
Read-only
No
No
Security (Enterprise)
No
Security settings
No
No
Extended Permissions (Enterprise):
Layer on top of base roles for granular control:
Deploy to production
Manage environment variables
Manage domains
Access runtime logs
Manage integrations
Step 2: Configure Team Members via API
# Invite a team member
curl -X POST "https://api.vercel.com/v1/teams/team_xxx/members" \
-H "Authorization: Bearer $VERCEL_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"role": "DEVELOPER"
}'
# List team members
curl -s -H "Authorization: Bearer $VERCEL_TOKEN" \
"https://api.vercel.com/v2/teams/team_xxx/members" \
| jq '.members[] | {name: .name, email: .email, role: .role}'
# Update a member's role
curl -X PATCH "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
-H "Authorization: Bearer $VERCEL_TOKEN" \
-H "Content-Type: application/json" \
-d '{"role": "MEMBER"}'
# Remove a team member
curl -X DELETE "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
-H "Authorization: Bearer $VERCEL_TOKEN"
Step 3: Access Groups (Project-Level Permissions)
Access Groups assign teams of people to specific projects with specific roles:
Go to Team Settings > Access Groups
Create a group (e.g., "Frontend Team", "Backend Team")
Add members to the group
Assign the group to specific projects with a role
Example Access Group Setup:
├── Frontend Team → [project-web, project-docs] → Member role
├── Backend Team → [project-api, project-worker] → Member role
├── DevOps Team → [all projects] → Member role
└── QA Team → [all projects] → Viewer role
Step 4: SSO / SAML Configuration
In the Vercel dashboard: Team Settings > Authentication > SAML Single Sign-On
Enable SAML SSO
Configure your IdP (Okta, Azure AD, Google Workspace):
ACS URL: https://vercel.com/api/auth/saml/acs
Entity ID: https://vercel.com
Name ID format: emailAddress
Enter IdP metadata URL or upload certificate
Map SAML attributes to Vercel fields
SAML Attribute Mapping:
├── email → user email (required)
├── firstName → display name
├── lastName → display name
└── groups → Vercel team roles (optional)
Enforce SSO for all team members:
Once enabled, toggle "Require SAML for login" — all members must authenticate through SSO.