Start tracking your progress
Trailhead Home
Trailhead Home

Get the Most Out of Heroku Enterprise

Learning Objectives

After completing this unit, you'll be able to:

  • Manage user access in a Heroku Organization account.
  • Describe the privilege sets available for giving users fine-grained access to your applications.
  • Explain how the Heroku Connect add-on gives you the ability to sync data to Heroku Enterprise.
  • Name two use cases for the Private Spaces feature.

Getting the Most out of Heroku Enterprise

So far we've talked about how Heroku works, the pieces that make it up, and when it makes sense to use the platform. In this unit, we show you some additional tools that can help you get the most out of Heroku Enterprise.

You learn about user management, application access controls, and consolidated billing. We also show you some of the special features available in Heroku Enterprise, like Heroku Connect, single-sign on, and Private Spaces, plus where to go to learn more or if you need a little technical support.

The Heroku Enterprise Organization Account

Organizations that use Heroku Enterprise need to be able to collect related apps into groups to simplify billing, user management, application access, and application development. The Heroku Enterprise Organization account structure provides all this and more.

User Management

In a Heroku Enterprise Organization, Heroku users who have access are all managed in one place. In the Access tab, you can grant and revoke access to the Organization or to specific apps housed within the Organization account. You can also easily see which users have enabled two-factor authentication on their Heroku account. Here's a screenshot of the Access tab in an example org called csa-training.

Heroku Organization Access Tab

Three levels of access can be granted within a Heroku Organization: admin, member, and collaborator.

Admin is the highest access level. Admins have full control over the entire Organization account. They can add and remove members, edit user access, view billing information, and have all privileges on all apps housed in the Organization, even apps that are locked to prevent access. As you can see in the screenshot, has admin access in the csa-training Organization account.

The next access level is a member. Members can view all members and admins that have access to an Organization. They can transfer applications into the account, view a list of the Organization's apps, create apps, and be assigned specific privileges on apps within the Organization. Members cannot join locked apps--they must be specifically given access. In the csa-training Organization account, has member access. You can also see that this user still needs to set up two-factor authentication!

The third level is collaborator. Collaborators are users who aren't part of the Organization account. They are external Heroku users who have been granted access to one or more apps housed within the Organization. The main use case for collaborator access is to allow contractors to work with members within the company on an app on the Heroku platform. The csa-training Organization has two collaborators who each have access to one app each. These collaborators do not have any Org-level access.

Fine-Grained Access Controls

Heroku Enterprise Organization accounts provide granular control over what a user can do to an application on the platform. Not only does that give flexibility and security to enterprises using Heroku, we get the really cool acronym FGAC.

You can assign users privilege sets to control how they interact with an application.

Privilege Set Capabilities
view See that the app exists and view details about it.
deploy Deploy code, run one-off dynos, add or remove free add-ons, and view and edit configuration variables.
operate Change the dyno formation, add or remove paid add-ons, and restart the app.
manage Add or remove users, transfer the app, and delete the app.

To dig into the nitty-gritty details on the buttons and switches each level gives you, take a look at the fabulous Application Privileges Cheatsheet in the Heroku Dev Center.

Check out what it looks like in the Heroku Enterprise dashboard. Below is a screenshot of the application-level Access tab for an app called heroku-101-demo-app inside the csa-training Organization. Apps have their own Access tab, separate from the top-level Organization account access controls.

Heroku App Access Tab

You can see that this app has been locked. When an app is locked, only Organization admins and members who have been granted access can see anything about the app. Additionally, only admins and existing collaborators can grant access to other Organization members. The user, a member of the csa-training Organization, has been invited to collaborate on this app. He has been given the view and operate privilege sets. Another user,, is a collaborator on this app and has full application privileges.

Below the App Members section, you see Organization admins listed, including All csa-training Organization admins have access to this app and all other apps in the Organization. Admins always have all privileges on every app, as well.

For sensitive or production apps, you can use FGACs to combine the security of locking the app with the flexibility of giving members the rights they need to accomplish their tasks. Developers and operations teams can get their jobs done without a hassle while the security team can breathe easier knowing access is tightly controlled.

Control over Third-Party Add-on Usage

In addition to the fine-grained controls around access to your Organization and applications, Heroku Enterprise offers the ability to manage which add-ons applications can use in the Organization account. You can restrict the use of these third-party services to the ones that have been approved and added to your add-on whitelist.

You can turn on Add-on Whitelisting controls in an Organization’s Settings tab, as shown below.

Add-on Whitelisting Controls

Build your whitelist and then click Enable Add-ons Whitelisting Restrictions when you’re ready to apply them across the Organization. If an app is using add-ons that aren't whitelisted, it's shown as having whitelist exceptions. Click the number of installs link to see which applications are using a non-whitelisted add-on.

Add-on Whitelisting Exceptions

This list helps you keep track of and manage apps that require exceptions or need to be changed and brought into compliance with your Organization’s whitelist.

Annual Billing and Consolidated Usage

With Heroku Enterprise, companies love knowing their annual cost for the Heroku platform upfront and being able to manage resources across all their apps at once. All applications housed in the Organization have their resource utilization collected in the Usage tab, which only Organization admins can access.

Here's a screenshot of the Usage tab for the csa-training Organization account.

Heroku Organization Usage Tab

You can see that this Organization has a license for add-on usage of up to $15,000, and dyno usage of up to 75 units per month. With the entire Organization's resource utilization collected in one place, admins can easily see which resources the apps in the Organization account have used so far this month.

You can also view month over month reports to spot trends in your Heroku usage across the Organization. Here you can see the usage in the csa-training Organization since February 2016. Roll over the month on the graph to see the actual values.

Heroku Organization Monthly Usage Report

Heroku Connect

Heroku Connect is an add-on that syncs data from a database into a Heroku Postgres database and vice versa. You can access and modify data on from the powerful Heroku platform. The syncing between and Heroku happens quickly. It's not quite real time but pretty darn close.

Sync Data from and Back Again

You can configure Heroku Connect to sync your data only from to Heroku or set it up to be bidirectional. So you can create apps on the Heroku platform that consume only your data, as well as apps that modify the data and deliver it back into your database of record. You can make changes to your Heroku data to automatically kick-off Salesforce workflows and take advantage of other powerful features.

From the Heroku Connect dashboard, you can select which objects and fields from to sync. The objects are replicated to your Heroku Postgres database as tables and rows, ready to be used by your custom applications. Learn more about this powerful add-on by reading the Heroku Connect Dev Center documentation.

Fast, Seamless Data Access

Heroku Connect gives you a few big advantages over using the API. First, it eliminates the need for your application on Heroku to directly call the API to read data at the moment when it's needed. Your Heroku Postgres database is automatically kept up to date by Heroku Connect. Querying the database instead of calling the API can greatly simplify your Heroku application, save you programming and time, and conceivably remove hundreds of milliseconds of latency on each request. That's a long time in the web app world!

The Heroku Connect add-on also makes your data super easy to work with from inside your applications on Heroku. All the most popular open-source language frameworks have database drivers and Object Relational Managers (ORM) that streamline getting data in and out of a datastore. These tools work seamlessly with Heroku Postgres databases. With Heroku Connect, it's almost like your data is built right in.

Single Sign-On

Many organizations are turning to single sign-on (SSO) solutions to simplify user management. Heroku Organization accounts allow you to leverage an external identity provider to manage your users who use the Heroku Enterprise platform. Your users have to remember only one password, and all the familiar Heroku access controls still function.

Heroku Enterprise has built-in support for Salesforce Identity, Okta, Bitium, and Ping identity providers. You can also configure Heroku Enterprise as a service provider with other SAML 2.0–compliant identity providers. Support for Microsoft Active Directory and Azure Identity is in the works.

If SSO sounds like your thing, you can read about the features and setup in the SSO for Heroku Dev Center documentation.

Heroku Private Spaces

Heroku Private Spaces are one of the coolest features available in Heroku Enterprise. Each Private Space you create is a completely network-isolated environment within the Heroku platform in which your apps can run. That means that you get the ease of developing and managing apps on Heroku and the security of your app being isolated from the traffic of other apps. You can even require that all inbound requests to your app come only from specific whitelisted IP addresses. Lock it down, Sarge!

In addition to network isolation, you can create Private Spaces in several different geographic regions. If most of your customers are in Tokyo, you can ensure that your dynos run on a part of the Heroku Enterprise platform that's physically located in Tokyo, resulting in faster response times for your application's users. And who doesn't like faster service?

For many cases, the shared platform infrastructure is more than sufficient. However, some times you need the added protection of having your apps in a "walled garden," or you want to get faster response times by running your dynos on infrastructure that's physically closer to your users. In these cases, turn to Private Spaces.

As always, you can read more about Private Spaces in the Dev Center!

The Heroku Dev Center

Because we've mentioned it all along the way, you probably already know that the most comprehensive guide available to help you as you use Heroku Enterprise is the Dev Center. It's a highly-curated, well-maintained, and constantly evolving collection of articles and documentation covering just about everything that you might want to know about Heroku.

Read in depth about the various parts of the platform, or dive into one of the getting started guides for the natively-supported languages on the platform. Each getting started guide walks you through installing the Heroku Toolbelt for the command line, deploying an application, and scaling and running the app on the Heroku Enterprise platform.

Heroku Support

When you're stuck on something that the Dev Center doesn't cover, the Heroku Support team is ready to help. You can open a ticket with Support online at, and one of the team will help you sort through the issue. And if anything comes up involving downtime on your production applications running on Heroku Enterprise, an SLA means even faster assistance. Even at 3 AM on New Year's Day. That's what we mean when we say, "Let us wear the pager!"


Heroku Enterprise provides a powerful accelerator for creating modern, powerful applications quickly. It takes all the hard parts out of managing and scaling the underlying infrastructure for your applications, allowing you to concentrate on what's most important to your customers. Combined with the powerful business tools of, Marketing Cloud, Service Cloud, and Sales Cloud, you can easily assemble powerful customer-facing applications with equally powerful back-office tools.

In later modules, we'll dive deeper into the most powerful features of Heroku Enterprise, like Heroku Connect and Private Spaces.