Going Further with Heroku Enterprise
After completing this unit, you'll be able to:
- Manage user access in a Heroku Enterprise Team.
- Describe the privilege sets available for giving users fine-grained access to your applications.
- Explain how the Heroku Connect add-on gives you the ability to sync Salesforce organization data to Heroku Enterprise.
- Name two use cases for the Private Spaces feature.
Getting the Most out of Heroku
So far we've talked about how Heroku works, the pieces that make it up, and when it makes sense to use the platform. Heroku Enterprise adds features on top of the Heroku platform. In this unit, we show you some of those features and how they can help you get the most out of Heroku Enterprise.
You learn about user management, application access controls, and consolidated billing. We also show you some of the special features available in Heroku Enterprise, like Heroku Connect, single sign-on, and Private Spaces, plus where to go to learn more or if you need a little technical support.
The Heroku Enterprise Team
Organizations that use Heroku Enterprise need to be able to collect related apps into groups to simplify billing, user management, application access, and application development. The Heroku Enterprise Team structure provides all this and more.
In a Heroku Enterprise Team, Heroku users who have access are all managed in one place. In the Access tab, you can grant and revoke access to the Enterprise Team or to specific apps housed within the Enterprise Team. You can also easily see which users have enabled two-factor authentication on their Heroku account. Here's a screenshot of the Access tab in an example org called csa-training and an example Enterprise team called csa-connect.
Four levels of access can be granted within a Heroku Enterprise Team: admin, member, viewer, and collaborator.
Admin is the highest access level. Admins have full control over the entire Enterprise Team. They can add and remove members, edit user access, view billing information, and have all privileges on all apps housed in the Enterprise Team, even apps that are locked to prevent access. As you can see in the screenshot, one member has admin access in the csa-connect Enterprise Team. They have view, billing, manage, and create access.
The next access level is member. Members can view all members and admins that have access to an Enterprise Team. They can transfer applications into the account, view a list of the Enterprise Team's apps, create apps, and be assigned specific privileges on apps within the Enterprise Team. Members cannot join locked apps; they must be specifically given access. In the csa-training Enterprise Team, one member has view access.
The third level is viewer. Viewer is a limited role that enables users to view apps and pipelines, spaces, users, and resources.
The fourth level is collaborator. Collaborators are users who aren't part of the Enterprise Team. They are external Heroku users who have been granted access to one or more apps housed within the Enterprise Team. The main use case for collaborator access is to allow contractors to work with members within the company on an app on the Heroku platform. The csa-training Enterprise Team has a single collaborator with access to one app. Collaborators do not have any team-level access.
All members have MFA enabled. Excellent!
To learn more about collaborating with an Enterprise Team, see the aptly named Getting Started as a Collaborator in the Heroku Dev Center.
Fine-Grained Access Controls
Heroku Enterprise Teams provide granular control over what a user can do to an application on the platform. Not only does that give flexibility and security to enterprises using Heroku, but we also get the really cool acronym FGAC.
You can assign users privilege sets to control how they interact with an application.
| Privilege set | What it allows |
| --- | --- |
| view | See that the app exists and view details about it. |
| deploy | Deploy code, run one-off dynos, add or remove free add-ons, and view and edit configuration variables. |
| operate | Change the dyno formation, add or remove paid add-ons, and restart the app. |
| manage | Add or remove users, transfer the app, and delete the app. |
To dig into the nitty-gritty details on the buttons and switches each level gives you, take a look at the fabulous Application Privileges Cheatsheet in the Heroku Dev Center.
Check out what it looks like in the Heroku Enterprise dashboard. Below is a screenshot of the application-level Access tab for an app called heroku-101-demo-app inside the how-to-heroku Enterprise Team. Apps have their own Access tab, separate from the top-level Enterprise Team access controls.
You can see that this app has been unlocked. When an app is unlocked, all team members can join.
You can also lock an app. When an app is locked, only Enterprise Team admins and members who have been granted access can see anything about the app. Additionally, only admins and existing viewers can grant access to other Enterprise Team members.
Below the App Members section, you see Enterprise Team admins listed. All csa-training Enterprise Team admins have access to this app and all other apps in the Enterprise Team. Admins always have all privileges on every app, as well.
For sensitive or production apps, you can use FGACs to combine the security of locking the app with the flexibility of giving members the rights they need to accomplish their tasks. Developers and operations teams can get their jobs done without a hassle while the security team can breathe easier knowing access is tightly controlled.
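The access rules this section describes (admins hold every privilege everywhere, locked apps are visible only to admins and explicitly granted users, unlocked apps are visible to the whole team, collaborators get only their per-app grants) are easy to misremember when reviewing who can do what. The following is an added model of those rules, written for this page; it is not Heroku's implementation. The privilege set names and the action-to-privilege mapping follow the table above. The sample team, the user e-mail addresses, and the treatment of viewers on unlocked apps are assumptions made for the illustration.

```python
"""Model of the Heroku Enterprise Team access rules described in this unit.

Added illustration, not Heroku's implementation. Role names and privilege
sets (view, deploy, operate, manage) come from the unit; the action-to-
privilege mapping follows the unit's table. How viewers relate to locked
and unlocked apps is an assumption noted below.
"""
from dataclasses import dataclass, field

PRIVILEGE_SETS = ("view", "deploy", "operate", "manage")

# Each action and the privilege set it requires, following the unit's table.
ACTION_REQUIRES = {
    "view_details": "view",
    "deploy_code": "deploy",
    "run_one_off_dyno": "deploy",
    "edit_config_vars": "deploy",
    "add_free_addon": "deploy",
    "scale_dynos": "operate",
    "add_paid_addon": "operate",
    "restart_app": "operate",
    "add_user": "manage",
    "transfer_app": "manage",
    "delete_app": "manage",
}


@dataclass
class App:
    name: str
    locked: bool = False
    # Explicit per-user grants: email -> set of privilege sets.
    grants: dict = field(default_factory=dict)


@dataclass
class Team:
    admins: set
    members: set
    viewers: set
    apps: dict  # app name -> App


def effective_privileges(team: Team, app_name: str, user: str) -> set:
    """Privilege sets `user` holds on one app under the unit's rules."""
    app = team.apps[app_name]
    if user in team.admins:
        # Admins always hold every privilege on every app, even locked ones.
        return set(PRIVILEGE_SETS)
    privileges = set(app.grants.get(user, ()))
    if app.locked:
        # Locked app: only explicit grants count, whatever the team role.
        return privileges
    if user in team.members or user in team.viewers:
        # Unlocked app: every team member can see it (and members may join).
        # Treating viewers the same way here is an assumption.
        privileges.add("view")
    # Anyone else is a collaborator: explicit grants only, no team-level access.
    return privileges


def can(team: Team, app_name: str, user: str, action: str) -> bool:
    """True when `user` holds the privilege set that `action` requires."""
    return ACTION_REQUIRES[action] in effective_privileges(team, app_name, user)


def visible_apps(team: Team, user: str) -> list:
    """Apps `user` can see at all, i.e. what the Access tab would show them."""
    return sorted(
        name for name in team.apps
        if "view" in effective_privileges(team, name, user)
    )


def build_sample_team() -> Team:
    """Constructed sample: one admin, one member, one viewer, one collaborator."""
    return Team(
        admins={"ana@example.com"},
        members={"bo@example.com"},
        viewers={"vi@example.com"},
        apps={
            "public-app": App("public-app", locked=False),
            "prod-app": App(
                "prod-app",
                locked=True,
                grants={
                    "bo@example.com": {"view", "deploy"},
                    "con@example.com": {"view"},  # external collaborator
                },
            ),
        },
    )


if __name__ == "__main__":
    team = build_sample_team()
    for user in ("ana@example.com", "bo@example.com", "vi@example.com", "con@example.com"):
        print(user, "sees", visible_apps(team, user))
    print("bo can deploy to prod-app:", can(team, "prod-app", "bo@example.com", "deploy_code"))
    print("bo can scale prod-app:", can(team, "prod-app", "bo@example.com", "scale_dynos"))
```

Running the module shows the point of locking: the member `bo` can deploy to the locked production app but cannot scale it, because only the `view` and `deploy` sets were granted, while the collaborator `con` cannot even see the unlocked app because collaborators hold no team-level access.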
Control over Third-Party Add-on Usage
In addition to the fine-grained controls around access to your Enterprise Team and applications, Heroku Enterprise offers the ability to manage which add-ons applications can use in the Enterprise Team. You can restrict the use of these third-party services to the ones that have been approved and added to your add-on allowlist.
You can turn on Add-on Allowlisting controls in an Enterprise Team’s Settings tab, as shown below.
Build your allowlist and then click Enable Add-ons Allowlisting Restrictions when you’re ready to apply them across the Enterprise Team. If an app is using add-ons that aren't allowed, it's shown as having allowlist exceptions. Click the number of installs link to see which applications are using a non-allowlisted add-on.
This list helps you keep track of and manage apps that require exceptions or need to be changed and brought into compliance with your Enterprise Team’s allowlist.
Annual Billing and Consolidated Usage
With Heroku Enterprise, companies love knowing their annual cost for the Heroku platform upfront and being able to manage resources across all their apps at once. All applications housed in the Enterprise Team have their resource utilization collected in the Usage tab, which only Enterprise Team admins can access.
Here's a screenshot of the Usage tab for the csa-training Enterprise Team.
You can see that this Enterprise Team has a license for add-on usage of up to $15,000, and dyno usage of up to 75 units per month. With the entire Enterprise Team's resource utilization collected in one place, admins can easily see which resources the apps in the Enterprise Team have used so far this month.
You can also view month-over-month reports to spot trends in your Heroku usage across the Enterprise Team. Here you can see the usage in the csa-training Enterprise Team since February 2016. Roll over a month on the graph to see the actual values.
Take a closer look at events associated with your Enterprise Account by exporting an audit log. The audit log is a JSON-formatted archive of certain events associated with the account. It includes events related to add-ons, apps, enterprise account membership, team membership, and more.
Here is a screenshot of the Settings tab where you can access your Audit Logs for the csa-training Enterprise Team:
Audit trails can help you meet a variety of compliance, auditing, and accountability requirements. Heroku provides a separate audit trail event archive for each calendar month.
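The audit log export and the add-on allowlist described earlier work well together: the month's archive records add-on installs, team membership changes, and app permission grants, so a small script can reconcile it against the allowlist and pull out the grants worth a second look. The following is an added example written for this page, not a Heroku tool. The unit says only that the export is a JSON-formatted archive of events about add-ons, apps, and membership; the field names used here (`type`, `action`, `actor`, `target`, `created_at`) and the whole sample archive and allowlist are constructed for the illustration.

```python
"""Triage an exported Heroku Enterprise audit log against an add-on allowlist.

Added example, not Heroku tooling. The unit says the export is a
JSON-formatted archive of events about add-ons, apps, account and team
membership. The field names below (type, action, actor, target,
created_at) are assumed for illustration, and the archive is constructed.
"""
import json
from collections import Counter

# Constructed archive: five events, deliberately out of chronological order.
SAMPLE_ARCHIVE = json.dumps([
    {"created_at": "2024-03-03T10:00:00Z", "type": "addon", "action": "create",
     "actor": {"email": "bo@example.com"},
     "target": {"app": "prod-app", "addon": "heroku-postgresql"}},
    {"created_at": "2024-03-01T09:00:00Z", "type": "team-membership", "action": "create",
     "actor": {"email": "ana@example.com"},
     "target": {"user": "bo@example.com"}},
    {"created_at": "2024-03-02T22:30:00Z", "type": "addon", "action": "create",
     "actor": {"email": "bo@example.com"},
     "target": {"app": "prod-app", "addon": "mailgun"}},
    {"created_at": "2024-03-01T09:05:00Z", "type": "app-permission", "action": "create",
     "actor": {"email": "ana@example.com"},
     "target": {"app": "prod-app", "user": "bo@example.com",
                "permissions": ["view", "deploy", "manage"]}},
    {"created_at": "2024-03-04T11:00:00Z", "type": "team-membership", "action": "destroy",
     "actor": {"email": "ana@example.com"},
     "target": {"user": "con@example.com"}},
])

# Add-ons approved for this Enterprise Team (constructed allowlist).
ALLOWLIST = {"heroku-postgresql", "papertrail"}


def load_events(archive_text: str) -> list:
    """Parse the archive and order events by timestamp (ISO 8601 sorts lexically)."""
    events = json.loads(archive_text)
    return sorted(events, key=lambda e: e["created_at"])


def count_by_type(events: list) -> dict:
    """How many events of each type the month's archive contains."""
    return dict(Counter(e["type"] for e in events))


def addon_allowlist_exceptions(events: list, allowlist: set) -> list:
    """Add-on installs whose add-on is not on the allowlist: (app, addon, actor)."""
    return [
        (e["target"]["app"], e["target"]["addon"], e["actor"]["email"])
        for e in events
        if e["type"] == "addon" and e["action"] == "create"
        and e["target"]["addon"] not in allowlist
    ]


def manage_grants(events: list) -> list:
    """Grants that include the manage privilege set: (actor, grantee, app).

    manage lets a user add or remove users, transfer, or delete the app, so
    these are the grants worth reviewing each month.
    """
    return [
        (e["actor"]["email"], e["target"]["user"], e["target"]["app"])
        for e in events
        if e["type"] == "app-permission" and e["action"] == "create"
        and "manage" in e["target"].get("permissions", [])
    ]


def membership_changes(events: list) -> list:
    """Team membership adds and removals in order: (timestamp, action, user, actor)."""
    return [
        (e["created_at"], e["action"], e["target"]["user"], e["actor"]["email"])
        for e in events if e["type"] == "team-membership"
    ]


if __name__ == "__main__":
    evs = load_events(SAMPLE_ARCHIVE)
    print("events by type:", count_by_type(evs))
    print("allowlist exceptions:", addon_allowlist_exceptions(evs, ALLOWLIST))
    print("manage grants:", manage_grants(evs))
    for change in membership_changes(evs):
        print("membership:", change)
```

Against the sample archive the script reports one allowlist exception (the `mailgun` install on `prod-app`) and one grant that includes `manage`, which is the same information the Settings tab surfaces as allowlist exceptions, now in a form that can be diffed month to month or fed to a ticketing system.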
Heroku Connect
Heroku Connect is an add-on that syncs data from a Salesforce organization into a Heroku Postgres database and vice versa. You can access and modify data on a Salesforce organization from the powerful Heroku platform. The syncing between a Salesforce organization and Heroku happens quickly. It's not quite real time but pretty darn close.
Sync Data from Salesforce and Back Again
You can configure Heroku Connect to sync your data only from a Salesforce organization to Heroku or set it up to be bidirectional. So you can create apps on the Heroku platform that consume only your Salesforce organization data, as well as apps that modify the data and deliver it back into your database of record. You can make changes to your Heroku data to automatically kick off Salesforce workflows and take advantage of other powerful Lightning Platform features.
From the Heroku Connect dashboard, you can select which objects and fields from the Salesforce organization to sync. The objects are replicated to your Heroku Postgres database as tables and rows, ready to be used by your custom applications. Learn more about this powerful add-on by reading the Heroku Connect Dev Center documentation.
Fast, Seamless Data Access
Heroku Connect gives you a few big advantages over using the Lightning Platform API. First, it eliminates the need for your application on Heroku to directly call the API to read data at the moment when it's needed. Your Heroku Postgres database is automatically kept up to date by Heroku Connect. Querying the database instead of calling the API can greatly simplify your Heroku application, save you programming time, and conceivably remove hundreds of milliseconds of latency on each request. That's a long time in the web app world!
The Heroku Connect add-on also makes your Salesforce organization data super easy to work with from inside your applications on Heroku. All the most popular open-source language frameworks have database drivers and object-relational mappers (ORMs) that streamline getting data in and out of a datastore. These tools work seamlessly with Heroku Postgres databases. With Heroku Connect, it's almost like your Salesforce organization data is built right in.
Single Sign-On
Many organizations are turning to single sign-on (SSO) solutions to simplify user management. Heroku Enterprise Teams allow you to leverage an external identity provider to manage your users who use the Heroku Enterprise platform. Your users have to remember only one password, and all the familiar Heroku access controls still function.
Heroku Enterprise has built-in support for Salesforce Identity, Okta, Bitium, and Ping identity providers. You can also configure Heroku Enterprise as a service provider with other SAML 2.0–compliant identity providers. Support for Microsoft Active Directory and Azure Identity is in the works.
If SSO sounds like your thing, you can read about the features and setup in the SSO for Heroku Dev Center documentation.
Heroku Private Spaces
Heroku Private Spaces are one of the coolest features available in Heroku Enterprise. Each Private Space you create is a completely network-isolated environment within the Heroku platform in which your apps can run. That means that you get the ease of developing and managing apps on Heroku and the security of your app being isolated from the traffic of other apps. You can even require that all inbound requests to your app come only from specific allowlisted IP addresses. Lock it down, Sarge!
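The inbound IP allowlist just mentioned is enforced by the platform at the Private Space's network edge. To make the decision concrete, here is an added example, written for this page and not Heroku's implementation, that models how a source address is matched against such an allowlist and handles the cases that tend to bite in practice: IPv4-mapped IPv6 sources, malformed address strings (denied rather than passed through), and over-broad entries such as `0.0.0.0/0` that defeat the purpose of the list. The allowlist entries and source addresses are constructed from the TEST-NET documentation ranges.

```python
"""Evaluate inbound source addresses against a Private Space style IP allowlist.

Added example, not Heroku's implementation: the platform enforces the
allowlist at the space's network edge. This models the decision so the
edge cases (IPv4-mapped IPv6 sources, malformed addresses, over-broad
entries) are visible. All addresses below are constructed from the
TEST-NET documentation ranges.
"""
import ipaddress


def parse_allowlist(entries):
    """Turn CIDR strings and bare addresses into network objects.

    strict=False lets an entry like 203.0.113.7/24 stand for its whole /24.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def overly_broad(allowlist, max_hosts=65536):
    """Entries that admit more than `max_hosts` addresses, e.g. 0.0.0.0/0.

    An allowlist containing such an entry barely restricts anything; flag
    the weak setting so it can be replaced with the specific office or VPN
    egress ranges.
    """
    return [str(net) for net in allowlist if net.num_addresses > max_hosts]


def is_allowed(source_ip, allowlist):
    """Fail closed: unparseable sources are denied, not passed through."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    # A client behind an IPv6 socket may appear as ::ffff:203.0.113.9;
    # compare the embedded IPv4 address against the IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowlist)


def filter_requests(sources, allowlist):
    """Split a batch of source addresses into (allowed, denied) lists."""
    allowed, denied = [], []
    for src in sources:
        (allowed if is_allowed(src, allowlist) else denied).append(src)
    return allowed, denied


# Constructed allowlist: one office range and one VPN egress host.
ALLOWLIST_ENTRIES = ["203.0.113.0/24", "198.51.100.7"]
ALLOWLIST = parse_allowlist(ALLOWLIST_ENTRIES)

# Constructed inbound sources, including the edge cases.
SAMPLE_SOURCES = [
    "203.0.113.42",           # inside the office range
    "198.51.100.7",           # the VPN host itself
    "198.51.100.8",           # neighbour of the VPN host, not listed
    "::ffff:203.0.113.9",     # IPv4-mapped IPv6 form of an office address
    "2001:db8::1",            # native IPv6, not listed
    "not-an-ip",              # malformed header value
]

if __name__ == "__main__":
    allowed, denied = filter_requests(SAMPLE_SOURCES, ALLOWLIST)
    print("allowed:", allowed)
    print("denied:", denied)
    print("over-broad entries:", overly_broad(parse_allowlist(["0.0.0.0/0", "10.0.0.0/8"])))
```

The `overly_broad` check is the review step worth automating: a list that contains `0.0.0.0/0` looks locked down in the dashboard but admits every address, and catching it before the space goes to production is cheaper than finding it in an audit.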
In addition to network isolation, you can create Private Spaces in several different geographic regions. If most of your customers are in Tokyo, you can ensure that your dynos run on a part of the Heroku Enterprise platform that's physically located in Tokyo, resulting in faster response times for your application's users. And who doesn't like faster service?
For many cases, the shared platform infrastructure is more than sufficient. However, sometimes you need the added protection of having your apps in a "walled garden," or you want to get faster response times by running your dynos on infrastructure that's physically closer to your users. In these cases, turn to Private Spaces.
Building high-compliance, customer-facing apps? Heroku Shield Private Spaces provide additional security features for regulated industries like healthcare, life sciences, and financial services. Your Shield Private Space app runs in a network-isolated environment with additional trust controls for high compliance, including production access logging and strict TLS enforcement.
As always, you can read more about Private Spaces in the Dev Center!
The Heroku Dev Center
Because we've mentioned it all along the way, you probably already know that the most comprehensive guide available to help you as you use Heroku Enterprise is the Dev Center. It's a highly curated, well-maintained, and constantly evolving collection of articles and documentation covering just about everything that you might want to know about Heroku.
Read in depth about the various parts of the platform, or dive into one of the getting started guides for the natively supported languages on the platform. Each getting started guide walks you through installing the Heroku Toolbelt for the command line, deploying an application, and scaling and running the app on Heroku.
When you're stuck on something that the Dev Center doesn't cover, the Heroku Support team is ready to help. You can open a ticket with Support online at help.heroku.com, and one of the team members will help you sort through the issue. And if anything comes up involving downtime on your production applications running on Heroku Enterprise, an SLA means even faster assistance. Even at 3 AM on New Year's Day. That's what we mean when we say, "Let us wear the pager!"
Heroku provides a powerful accelerator for creating modern, powerful applications quickly. It takes all the hard parts out of managing and scaling the underlying infrastructure for your applications, allowing you to concentrate on what's most important to your customers. Combined with the powerful business tools of Lightning Platform, Marketing Cloud, Service Cloud, and Sales Cloud, you can easily assemble powerful customer-facing applications with equally powerful back-office tools.