Unleash Portal — Feature Deep Study

Complete comparison of Open Source vs Enterprise · What to implement first

UNLEASH · OSS · ENTERPRISE · FEATURE FLAGS · RBAC · CHANGE REQUESTS

What Is Unleash Portal (Admin UI)?

Unleash Portal is the web-based admin dashboard that ships with the Unleash server. It is the control plane — the place where your team creates, manages, targets, and monitors feature flags. It is NOT a separate product; it runs alongside the Unleash backend server. All SDKs (Node, Python, Java, Go, etc.) connect to the Unleash server API, and the Portal is the UI on top of that same server.

~20
OSS Features / Category
+14
Enterprise-only Features
5
Flag Types (both)
2
Max Environments (OSS)
Environments (Enterprise)
🟢

Open Source (OSS)

Self-hosted, free. Full source code on GitHub. Core feature flagging + basic RBAC. Great for small-to-mid teams.

💜

Enterprise

Self-hosted or cloud. Paid. Adds approval workflows, unlimited environments, SSO/SCIM, advanced RBAC, signals, and compliance features.

☁️

Unleash Cloud (Pro)

Hosted version. Pro plan = most Enterprise features without self-hosting overhead. Managed by Unleash team.

🔌

Unleash Edge

Separate Rust binary. Acts as high-performance proxy/cache between your SDKs and the server. Works with both OSS and Enterprise.

OSS vs Enterprise — Quick Summary

🟢 Open Source — Included

  • All 5 feature flag types
  • 5 built-in activation strategies
  • Custom activation strategies
  • Variants (A/B testing)
  • Constraints (advanced targeting)
  • 2 environments (dev + prod)
  • Multiple projects
  • Basic RBAC (3 global roles)
  • Client / Admin / Frontend tokens
  • Project-level segments
  • Webhooks & integrations (Slack, Teams, Datadog)
  • Basic metrics & impressions
  • Playground (flag evaluation test)
  • Import / Export
  • OIDC login (Google, GitHub, Azure AD)
  • Basic event log
  • Tags & tagging
  • Personal access tokens (PAT)
  • REST Admin API
  • All official SDKs (18+ languages)

💜 Enterprise — Additional

  • Change Requests (approval workflows)
  • Advanced RBAC (custom roles)
  • Project-level role assignment
  • Unlimited environments
  • Environment cloning
  • Feature Dependencies
  • Global / cross-project segments
  • SAML 2.0 SSO
  • SCIM user provisioning
  • Service accounts (for CI/CD)
  • Signals & Actions (auto kill-switch)
  • Network View (SDK topology)
  • Insights & Analytics dashboard
  • Feature Lifecycle management
  • Feature Naming Patterns
  • Extended Audit Logs (compliance)
  • Banner / Announcement system
  • Jira & ServiceNow integration
  • SLA-backed support
OSS Hard Limits: 2 environments only (development + production). Cannot create staging, QA, UAT without Enterprise. This is often the first blocker teams hit.

Priority Implementation Guide — What to Build First

If you are on OSS and want to self-implement or workaround enterprise features, here is the ranked order by value. Score is 1–10.

# Enterprise Feature Value Score Why You Need It OSS Workaround
1
 Change Requests 10/10 CRITICAL Any team member can change production flags without review. Zero governance by default in OSS. Use separate staging env + discipline, or build a PR-like approval using GitHub/GitLab webhooks.
2
 Unlimited Environments 9/10 CRITICAL OSS gives you only dev + prod. No staging, QA, UAT. Teams with any CI/CD pipeline hit this immediately. Hack: use projects as fake environments, or run multiple Unleash servers per env (expensive).
3
 Advanced RBAC (custom roles) 8/10 HIGH OSS has 3 global roles only (Admin / Editor / Viewer). No per-project roles. No read-only access per env. Use separate Unleash server instances per team, or restrict via API token scoping.
4
 Feature Dependencies 7/10 HIGH When flag B should only be on if flag A is on. Complex rollout sequences break without this. Implement logic in application code: manually check parent flag before evaluating child.
5
 Signals & Actions 7/10 HIGH Auto-disable flags when error rate spikes. Critical for safe feature rollouts at scale. Build your own: Datadog/Grafana alert → webhook → Unleash Admin API to disable flag.
6
 Extended Audit Logs 7/10 HIGH Compliance (SOC2, ISO27001) requires audit trail of who changed what and when. OSS log is basic. Subscribe to Unleash events via webhook, store in your own logging system (CloudWatch, ELK).
7
 Global Segments 6/10 MEDIUM OSS segments are per-project only. Can't reuse "beta users" segment across all projects. Duplicate segment definition in each project manually. Painful but workable for small scale.
8
 SAML 2.0 SSO 6/10 MEDIUM Enterprises use Okta/Azure with SAML. OSS only has OIDC (works with Google, GitHub, Azure OIDC). Configure Azure AD / Okta in OIDC mode (they support both). Works fine in most cases.
9
 Feature Lifecycle 5/10 MEDIUM Track stale flags (flags that have been on or off for too long without cleanup). Prevents flag debt. Use tags manually to mark flag status. Build a cron job to report on old flags via Admin API.
10
 SCIM Provisioning 5/10 MEDIUM Auto-sync users/groups from Okta/Azure AD. Without it, you manually create Unleash users. Use Unleash Admin API to script user creation from your IdP. Run it nightly.
11
 Network View 4/10 LOW Visual map of all connected SDKs, their token usage, health. Nice for ops visibility. Query Unleash metrics API, build a Grafana dashboard showing connected clients.
12
 Insights & Analytics 4/10 LOW Flag lifecycle analytics, time-to-production, team productivity metrics. Export metrics via Admin API → BigQuery / Redshift for custom reporting.
13
 Naming Patterns 3/10 LOW Enforce flag name conventions (e.g., must start with team prefix). Prevents chaos at scale. Lint flag names via webhook + CI validation script before flags are created.
14
 Service Accounts 3/10 LOW Non-human CI/CD accounts with scoped permissions. OSS PATs are tied to human users. Create a dedicated "bot" user in Unleash and use its PAT for CI/CD pipelines.

1. Feature Flags — Core

🚩

The Foundation — Fully Available in OSS

All flag types, evaluation logic, and SDK integration are open source. This is the core of Unleash.

Release Toggle

OSS + Enterprise

The most common flag type. Controls whether a feature is released to users. Simple on/off per environment. Used for trunk-based development — merge your code behind a flag, release when ready without a new deployment.

  • Use case: "Show the new checkout page only to users in production gradually."
  • Default off → turn on when ready to release → remove flag once stable.
  • Supports all activation strategies (gradual rollout, user IDs, etc.)

Experiment Toggle (A/B Test)

OSS + Enterprise

Used for A/B testing and multivariate experiments. Uses the Variants system to assign users to different groups and track metrics per variant. Designed to be short-lived.

  • Use case: "Show button color A to 50% of users, color B to 50%."
  • Variant weights determine distribution (must sum to 100%).
  • Returns variant name + optional payload to your SDK. You track metrics externally.

Operational Toggle

OSS + Enterprise

Controls operational behavior of the system, not user-facing features. Long-lived. Used for circuit breakers, maintenance modes, and system configuration.

  • Use case: "Switch from old payment provider to new one without deployment."
  • "Enable maintenance mode for database migration window."
  • Often permanent — lives in the codebase for months or years.

Kill Switch

OSS + Enterprise

A safety valve — normally enabled, disabled only in emergency. Inverts the mental model: default is ON, you disable it when something goes wrong. Critical for production safety.

  • Use case: "If the recommendations engine fails, disable it — show fallback UI instantly."
  • Zero-downtime incident response: disable a broken feature without deploying.
  • Combined with Signals & Actions (Enterprise), this becomes automatic.

Permission Toggle

OSS + Enterprise

Controls access to features based on user roles, plan tiers, or entitlements. Long-lived. The flag IS the permission check.

  • Use case: "Only show the export CSV button to users on the Pro plan."
  • Avoids hardcoding plan checks in application code.
  • Change entitlements without deployment — update the strategy in Unleash Portal.

2. Activation Strategies

🎯

Determines WHO sees the flag as enabled

Strategies are conditions evaluated per request. Multiple strategies = OR logic (any strategy matching = enabled).

Default (Standard) Strategy

OSS + Enterprise

Simplest strategy — flag is on for everyone or off for everyone. No targeting. The toggle itself is the switch.

Gradual Rollout Strategy

OSS + Enterprise

Roll out to a percentage of users. Uses consistent hashing (MurmurHash) so the same user always gets the same result. Set 0%→10%→50%→100% gradually. Configure which field is used as the stickiness key.

  • Stickiness options: default (userId, sessionId, or random), userId, sessionId, or any custom context field.
  • Grouping: Multiple flags sharing the same groupId get consistent bucketing — if user sees flag A, they see flag B too.

User ID List Strategy

OSS + Enterprise

Enable the flag only for specific user IDs. Perfect for beta testers, internal team testing, canary users. Add/remove IDs without deployment.

Remote Address (IP) Strategy

OSS + Enterprise

Enable for specific IP addresses. Useful for office IP allowlisting, data center ranges, or development machines.

Application Hostname Strategy

OSS + Enterprise

Enable only on specific server hostnames. Useful for canary server deployments or enabling a feature on specific pods in Kubernetes.

Custom Strategies

OSS + Enterprise

Define your own strategy with custom parameters. The Unleash Portal stores the strategy definition; your SDK implements the evaluation logic. You register the custom strategy with the SDK client.

  • Example: "AccountPlan" strategy — takes a "plan" parameter, enables if user's plan matches.
  • Strategy definition (schema) stored in Unleash. Evaluation logic in your SDK.
// Register custom strategy in your SDK const unleash = initialize({ url: 'http://unleash/api', appName: 'my-app', customStrategies: [{ name: 'AccountPlan', isEnabled: (parameters, context) => { return parameters.plans.includes(context.properties.plan); } }] });

Constraints (Advanced Targeting)

OSS + Enterprise

Constraints are AND conditions added on top of any strategy. They filter further. Example: gradual rollout to 50% AND only if user is in "premium" segment AND app version >= "2.0.0".

  • Operators: IN, NOT_IN, STR_STARTS_WITH, STR_ENDS_WITH, STR_CONTAINS, NUM_EQ, NUM_GT, NUM_LT, DATE_AFTER, DATE_BEFORE, SEMVER_EQ, SEMVER_GT, SEMVER_LT
  • Can constrain on any context field: userId, sessionId, remoteAddress, properties.*, appVersion, environment, etc.
  • Inverted constraints also supported (NOT logic)

3. Variants & A/B Testing

Variants System

OSS + Enterprise

Variants extend a flag beyond on/off. Each enabled user gets assigned one variant based on weighted distribution. You use this for A/B/C/D testing. Each variant can carry a payload (JSON, string, CSV, number) passed to the application.

  • Weight: Each variant gets a weight (total must = 1000 = 100%). E.g., variant A = 500, variant B = 500 = 50/50 split.
  • Payload: Optional data sent with the variant. E.g., {"color": "blue", "size": "large"} for a button test.
  • Stickiness: Same user always gets the same variant. Uses same hashing as gradual rollout.
  • Override: Force specific users into a specific variant (for QA testing).
  • Disabled variant: What users get when the flag is off — you define this to avoid null checks in code.
// SDK usage for variants const variant = unleash.getVariant('checkout-button'); if (variant.enabled) { const color = variant.payload?.value; // "blue" or "red" renderButton(color); } else { renderButton('default'); }

4. Environments

🌍

Biggest OSS Limitation — Only 2 Environments

Environments let the same flag have different states in different deployment stages. Critical for real-world CI/CD pipelines.

Per-Environment Flag State

OSS + Enterprise

Each flag has independent on/off state and strategy configuration per environment. Turning on a flag in staging does NOT affect production. Environments also control which tokens can read which flags.

  • A flag can be ON in development but OFF in production.
  • Strategies can differ per environment (100% rollout in dev, 5% in prod).
  • Client API tokens are scoped to one environment.

Maximum 2 Environments

OSS OnlyHARD LIMIT

Open Source Unleash ships with development and production environments and does not allow creating additional environments. You cannot add staging, QA, UAT, or pre-prod environments.

Impact: If your pipeline is dev → staging → QA → prod, you cannot represent staging and QA as separate environments. Many teams run separate Unleash server instances per environment as a workaround — which is costly and hard to manage.

Unlimited Environments + Environment Cloning

Enterprise OnlyCRITICAL

Create as many environments as you need: development, staging, QA, UAT, canary, production-EU, production-US, etc. Each is fully independent for flag states and strategies.

  • Environment cloning: Clone all flag configurations from staging to production in one click. No manual copying.
  • Environment ordering: Define the promotion order (dev → staging → prod) for visual guidance.
  • Environment type: Tag environments as "development" or "production" type — affects SDK behavior and metrics aggregation.
Why it matters:

Without multiple environments, your team is doing manual coordination ("don't turn on flag X, QA is testing it"). This doesn't scale. Environments are the most common reason OSS teams upgrade.

5. Projects & Organization

Projects

OSS + Enterprise

Projects group related feature flags together. Each project has its own flags, members (in Enterprise), and segments. Typical grouping: one project per product team or microservice.

  • Default project is "Default" — flags live here unless you create projects.
  • Flags are scoped to a project — cannot be shared across projects (by design).
  • Members assigned per project in Enterprise. In OSS, access is global only.

Project-level Role Assignment

Enterprise OnlyHIGH

In Enterprise, you assign users different roles per project. User A can be "Editor" in Project Alpha but "Viewer" in Project Beta. In OSS, roles are global — if you are Editor, you can edit ALL projects.

Why it matters:

Multi-team orgs need isolation. You do not want the payments team editing the recommendations team's flags. Project-level RBAC is mandatory for any org with 3+ teams.

Project Owner

Enterprise Only

Designate an owner for each project — a named person responsible for the flags in that project. Shows up in UI and in health/lifecycle reports. Helps flag hygiene ownership.

6. Access Control (RBAC)

🔐

Role-Based Access Control

OSS has 3 fixed global roles. Enterprise adds custom roles with granular permissions at project level.

Built-in Roles (OSS)

OSS + Enterprise

Three fixed roles available in OSS:

RolePermissionsUse For
AdminFull access — manage users, API tokens, all flags, all projects, settingsPlatform admins, DevOps
EditorCreate/edit/delete flags in all projects. Cannot manage users.Developers, product managers
ViewerRead-only access to all flags in all projects. Cannot make changes.External stakeholders, data teams
OSS Limitation: These roles are global. You cannot give someone Editor access to only one project. Everyone with Editor role can edit everything.

Custom Roles

Enterprise OnlyHIGH

Create custom roles with any combination of permissions. Each permission is a specific action on a specific resource type.

  • Example role "Flag Approver": Can review Change Requests + approve/reject, but cannot create or delete flags.
  • Example role "Flag Creator": Can create flags but cannot enable/disable them in production.
  • Example role "Production Gate": Can toggle flags in production only, no other write permissions.
  • Root roles (global) vs Project roles — assigned at different scopes.
  • Permission categories: flags, strategies, variants, segments, metrics, API tokens, projects, users.
Why it matters:

Separation of duties. Developers create flags; senior engineers or product managers approve them going to production. Custom roles enforce this workflow at the system level, not just by convention.

7. Change Requests — #1 Most Valuable Enterprise Feature

📋

Approval Workflows for Flag Changes

Any change to a flag in a protected environment must be approved before it takes effect. Think: GitHub Pull Requests, but for feature flags.

Change Request Workflow

Enterprise OnlyCRITICAL — #1 PRIORITY

When Change Requests are enabled for an environment, no direct changes can be made. Every modification is bundled into a Change Request that must go through approval before it's applied.

User edits flag
Change Request created (Draft)
In Review (sent to approvers)
Approved / Rejected
Applied to environment
  • Batch changes: Multiple flag changes can be grouped into a single Change Request. Apply atomically.
  • Minimum approvals: Configure how many approvers are required (e.g., require 2 approvals).
  • Approver roles: Only users with the "Approve Change Requests" permission can approve.
  • Self-approval: By default, the creator cannot approve their own Change Request.
  • Conflict detection: If a flag changes in the base after a Change Request is created, the system flags the conflict.
  • Scheduled apply: Approve now, apply at a scheduled time (e.g., apply at 2:00 AM during maintenance window).
  • Comments & discussion: Reviewers can leave comments before approving or rejecting.
  • Change history: Full trail of who created, reviewed, approved, and applied each Change Request.
Why it matters:

Without Change Requests, any Editor can flip a flag in production at any time with no oversight. For teams with compliance requirements (SOX, ISO 27001, SOC2) or any regulated industry, this is a hard requirement. Change Requests also prevent "oops" moments — someone toggling the wrong flag in prod during Friday afternoon.

OSS Workaround:

Create a webhook integration: when any flag change event fires, post to a Slack channel "#flag-changes-prod" for manual review. But this is notification-only — there is no enforcement. Anyone can still make changes without approval. Also build a Slack bot that uses the Admin API to revert changes if not approved within N minutes. Complex, fragile, and not auditable.

8. SSO & Authentication

Username / Password Login

OSS + Enterprise

Default authentication. Users have Unleash accounts with email and password. Suitable for small teams or self-hosted setups where SSO is not needed.

OIDC (OpenID Connect) SSO

OSS + Enterprise

Connect Unleash to any OIDC-compatible Identity Provider. Users log in through your IdP. Available in OSS.

  • Providers supported: Google Workspace, GitHub, Azure Active Directory (OIDC mode), Okta (OIDC mode), Auth0, Keycloak, AWS Cognito, and any OIDC-compliant IdP.
  • Config: Issuer URL, Client ID, Client Secret — standard OIDC discovery.
  • Auto-create users: Option to auto-create users in Unleash on first OIDC login.
  • Role mapping: In Enterprise, map IdP groups to Unleash roles automatically.

SAML 2.0 SSO

Enterprise OnlyMEDIUM

SAML 2.0 (Security Assertion Markup Language) for enterprise IdPs that do not support OIDC, or organizations that require SAML for compliance reasons.

  • Use when: Your org uses Okta, Azure AD, or ADFS in SAML-only mode (some legacy enterprise policies).
  • Metadata exchange: Upload IdP SAML metadata XML, or provide individual fields (entityId, SSO URL, certificate).
  • Attribute mapping: Map SAML attributes (email, name, groups) to Unleash user properties.
OSS Workaround:

Most modern IdPs (Okta, Azure AD) support both SAML and OIDC. Configure your IdP in OIDC mode and use Unleash's built-in OIDC support. This works for ~90% of enterprise cases.

9. SCIM User Provisioning

SCIM 2.0 Automated User Sync

Enterprise OnlyMEDIUM

SCIM (System for Cross-domain Identity Management) automates user lifecycle management. When you add/remove users in Okta or Azure AD, Unleash syncs automatically. No manual user management.

  • Provision: New user in IdP → auto-created in Unleash with correct roles.
  • Deprovision: User removed from IdP (e.g., employee left company) → auto-deactivated in Unleash. Critical for security.
  • Group sync: IdP groups map to Unleash roles. User added to "Feature Flag Editors" group → gets Editor role automatically.
  • Supported IdPs: Okta, Azure AD / Entra ID (primary); others via SCIM 2.0 protocol.
Why it matters:

Without SCIM, when an employee leaves your company you must manually remove them from Unleash. A single forgotten account = security risk. SCIM ensures offboarding happens automatically and immediately.

OSS Workaround:

Write a script that runs nightly: query your IdP's user list, compare with Unleash user list via Admin API, deactivate users not in IdP. Not real-time but covers 95% of the risk if automated.

10. Segments & Targeting

👥

Reusable Groups of Constraints

Segments let you define a user group once and reuse it across many flags. Like saved filter presets.

Project Segments (OSS)

OSS + Enterprise

Define segments at the project level. A segment is a named set of constraints that can be attached to any strategy within that project. Changes to the segment automatically apply to all flags using it.

  • Example segment "Beta Users": userId IN [123, 456, 789] AND properties.betaEnrolled = "true"
  • Attach this segment to 20 flags — update one segment, all 20 flags update.
  • OSS limit: Segments are scoped to a single project. Cannot be shared with other projects.

Global Segments (Cross-Project)

Enterprise OnlyMEDIUM

Global segments are defined at the organization level and can be used by any project. If you have "Internal Employees" or "VIP Customers" as a targeting group, you define it once and reuse everywhere.

Why it matters:

With OSS, if you have 10 projects and need to update your "beta users" list, you update 10 separate project segments. With global segments, update once.

11. Feature Dependencies

Parent-Child Flag Dependencies

Enterprise OnlyHIGH — #4 PRIORITY

Define that Flag B depends on Flag A. Flag B evaluates as disabled if Flag A is disabled, regardless of B's own strategy. Used for complex rollout orchestration and feature composition.

  • Parent required ON: "new-checkout" depends on "new-payment-api" — if payment API is off, checkout is automatically off.
  • Parent required to have variant: "premium-dashboard" depends on "billing-v2" having variant "enabled" — ensures premium features only show when new billing is fully active.
  • Chain dependencies: C depends on B which depends on A. The entire chain must be enabled for C to be enabled.
  • Circular detection: Unleash detects and prevents circular dependencies at creation time.
  • Visual graph: The Portal shows the dependency graph visually so you can see the chain.
Why it matters:

Without dependencies, developers implement the dependency logic manually in application code (check flag A before checking flag B). This logic is scattered, hard to audit, and creates silent bugs when someone turns off flag A without realizing flag B depends on it.

OSS Workaround:

Implement dependency checks in your application: if (isEnabled('flag-a') && isEnabled('flag-b')). Document the dependency in flag description. Relies on human discipline — no system enforcement.

12. Feature Flag Lifecycle

Lifecycle Stages & Health Tracking

Enterprise OnlyMEDIUM

Tracks every flag through its lifecycle stages automatically, based on metrics and configuration. Alerts when flags become stale (enabled too long, or disabled too long without cleanup).

Lifecycle Stages:

StageMeaningAuto-detected?
InitialFlag created, not yet receiving trafficYes — on creation
Pre-LiveFlag is receiving traffic in non-production environmentsYes — on first evaluation in dev/staging
LiveFlag is receiving traffic in productionYes — on first evaluation in prod
CompletedFlag has reached 100% rollout or been fully disabledPartially manual
ArchivedFlag is removed from active use, pending code cleanupManual
  • Health indicators: Flags stuck in "Live" for too long (flag debt) are marked unhealthy. Portal shows a health score per project.
  • Staleness alerts: Configurable thresholds — alert if a flag has been fully enabled for more than 30 days (time to remove from code).
  • Project health dashboard: See all flags with their current lifecycle stage in one view. Red/yellow/green health status.
OSS Workaround:

Build a cron job using the Admin API: find all flags where createdAt > 90 days ago and the flag is enabled in production. Post to Slack "#flag-hygiene" channel weekly with a list of stale flags.

13. Signals & Actions — Automatic Kill Switches

Signals & Actions

Enterprise OnlyHIGH — #5 PRIORITY

Connect external metric systems (Datadog, Grafana, PagerDuty) to Unleash so that when an alert fires, Unleash automatically disables a specific flag. This turns Kill Switch flags into true automatic circuit breakers.

External Metric Spikes (e.g., error rate > 5%)
Signal received by Unleash
Action triggered
Flag disabled in production

Signals:

  • Define a signal endpoint — Unleash exposes a URL that external systems POST to.
  • Signals carry a name and optional metadata (severity, value).
  • Sources: Datadog webhooks, Grafana alerts, PagerDuty webhooks, custom HTTP POST from any system.

Actions:

  • Define rules: "IF signal 'high-error-rate' fires THEN disable flag 'new-checkout' in production".
  • Actions can also send notifications or trigger other webhooks.
  • Action log: track every automatic action taken, when, and why.
Why it matters:

Without Signals & Actions, when your new feature causes production errors, an on-call engineer must: wake up, log in to Unleash, find the flag, disable it. This takes 5–30 minutes. Signals make this happen in seconds, automatically, while the engineer is still reading the alert.

OSS Workaround:

Build your own: Datadog alert → webhook → Lambda/Cloud Function → Unleash Admin API to call PATCH /api/admin/projects/:id/features/:name/environments/:env/off. Requires custom infrastructure but is doable in ~2 hours.

14. Metrics & Analytics

Basic Metrics (OSS)

OSS + Enterprise

Every SDK call to evaluate a flag sends back impression data. OSS aggregates and displays this in the Portal. You see per-flag request counts (yes count = flag was enabled, no count = flag was disabled) per environment.

  • Last 1 hour and last 24 hours of flag evaluation counts.
  • Per-application breakdown (which app is calling which flag).
  • Charts in the flag detail page.
  • Metrics reset every hour (rolling window, not historical).
OSS Limitation: No long-term historical metrics. No aggregate analytics across flags. No variant performance data. Metrics are mainly useful for "is this flag being evaluated at all?"

Insights & Analytics Dashboard

Enterprise OnlyLOW

A dedicated analytics section showing flag health, team productivity, and lifecycle metrics across the entire organization.

  • Flag health overview: How many flags are stale, live, or completed.
  • Time-to-production: How long it takes flags to move from creation to production. Team/flag trend over time.
  • Flags per project/team: Which teams have the most flag debt.
  • User activity: Who is making the most changes. Change frequency per environment.

15. Network View

Connected SDK Topology

Enterprise OnlyLOW

Visual dashboard showing all SDK instances currently connected to your Unleash server. See which applications are polling for flags, which tokens they're using, and their connection health.

  • Live connections: See every connected SDK client, app name, SDK version, last seen timestamp.
  • Token attribution: Know which client token is being used by which application.
  • SDK versions: Identify applications running outdated SDKs that need upgrading.
  • Orphan token detection: Find API tokens that are configured but no SDK is using them.
OSS Workaround:

The /api/admin/metrics/applications endpoint exists in OSS. Build a Grafana dashboard querying it to display connected apps, SDK versions, and last-seen timestamps.

16. Integrations & Addons

Webhook Addon

OSS + Enterprise

Fire an HTTP POST to any URL when Unleash events occur. Use for custom automation, audit pipelines, or integration with any system.

  • Events: feature-created, feature-updated, feature-enabled, feature-archived, strategy-created, etc.
  • Custom headers and payload templates supported.

Slack, Microsoft Teams, Datadog

OSS + Enterprise

Built-in addon integrations. Post flag change notifications to Slack channels or Teams rooms. Send feature flag events to Datadog as events for correlation with metrics.

Jira Integration

Enterprise Only

Link Unleash feature flags to Jira issues. See which flag is associated with which ticket. Track flag lifecycle from Jira. When a Jira issue is closed, optionally trigger archiving of the related flag.

ServiceNow Integration

Enterprise Only

Connect Change Requests in Unleash to ServiceNow change management tickets. Required for ITSM-governed environments where all production changes need a ServiceNow change ticket.

17. API Tokens & Access

Client Tokens

OSS + Enterprise

Used by server-side SDKs to poll the Unleash server for flag configurations. Scoped to a specific project and environment. Read-only — cannot make changes via Admin API.

# Format: [project]:[environment].secret default:production.abc123xyz

Frontend (Browser) Tokens

OSS + Enterprise

Safe for use in browser-side / mobile applications. Unlike client tokens, frontend tokens do not expose all flag configurations — they return evaluated flag results only for a given context. Works with Unleash Proxy and Unleash Edge.

Admin Tokens

OSS + Enterprise

Full access Admin API tokens. Can read and write everything. Used for CI/CD scripts, admin automation. Should never be used in application SDKs. Treat like root credentials.

Personal Access Tokens (PAT)

OSS + Enterprise

User-specific tokens for Admin API access. Have the same permissions as the user who created them. Users can create and revoke their own PATs. Useful for personal scripts and developer tooling.

Service Accounts

Enterprise OnlyLOW

Non-human accounts for CI/CD pipelines and automation. Unlike PATs (tied to a human user who might leave the company), service accounts are organization-owned and have their own role assignments.

OSS Workaround:

Create a dedicated human user account (e.g., "ci-bot@yourcompany.com"), assign it the minimum required role, and use its PAT. Works identically — just a naming/ownership convention difference.

18. Playground

Flag Evaluation Playground

OSS + Enterprise

The Playground lets you test flag evaluation without writing any code. You provide a context (userId, sessionId, remoteAddress, properties) and the Playground shows you which flags would be enabled for that context and why.

  • Select any environment to test against.
  • See results for all flags at once, or filter to a specific flag.
  • Explanation view: For each flag, shows which strategy matched, which constraints passed/failed, and what variant was assigned.
  • Critical for debugging "why is this flag on/off for this user?" without looking at code.

19. Audit Log

Event Log (OSS)

OSS + Enterprise

Unleash logs all admin actions as events. You can view the event history in the Portal. OSS keeps a functional event log accessible via the UI and Admin API.

  • Events: feature created, enabled, disabled, strategy changed, archived, user added, token created, etc.
  • Shows who made the change, when, and what changed.
  • OSS limit: UI shows recent events (limited history). No filtering, export, or compliance-grade retention policies.

Extended Audit Log (Compliance-Grade)

Enterprise OnlyHIGH — #6 PRIORITY

Enterprise audit logs are designed for compliance. Immutable, long-term, searchable, and exportable. Required for SOC2, ISO 27001, HIPAA, SOX audits.

  • Long retention: Full history (not just recent), configurable retention period.
  • Advanced filtering: Filter by user, event type, project, flag, date range.
  • Export: Download audit logs as CSV/JSON for external compliance reporting.
  • Tamper-evident: Logs cannot be deleted or modified by admin users.
  • Change Request audit: Full trail of approval workflow — who submitted, who reviewed, who approved, when applied.
OSS Workaround:

Subscribe to all Unleash events via Webhook → push to an external append-only logging system (AWS CloudTrail, ELK, Splunk, CloudWatch Logs). Set log retention to 1 year. Query externally. This is fully functional for compliance with some engineering effort (~1 day to set up).

20. Feature Naming Patterns

Enforced Naming Conventions

Enterprise OnlyLOW

Define regex patterns that flag names must match. When a developer creates a new flag, Unleash validates the name against the pattern and rejects names that don't conform.

  • Example patterns:
  • [team]-[jira-ticket]-[description] → e.g., payments-PAY-1234-new-stripe-checkout
  • (feat|exp|kill|ops|perm)\.[a-z-]+ → enforces type prefix
  • Pattern is set per project — different teams can have different conventions.
  • Shows a hint in the UI explaining the expected format when the user is creating a flag.
OSS Workaround:

Build a webhook: on feature-created event, validate the flag name via regex. If invalid, call Admin API to immediately archive/delete the flag and post a Slack message explaining the naming convention. Works but the UX is poor (flag is created then deleted).

Final Decision Guide — For OSS Users

Your situation: You are on Unleash OSS and want to know what to build/implement first to close the gap with Enterprise. Here is the recommended order based on team size and use case.

If your team has 2–5 people

The OSS feature set is sufficient. You probably do not need Change Requests yet — trust and communication handle governance at this scale.

  • Use 2 environments (dev + prod). Run a separate Unleash instance for staging if needed.
  • Use OIDC for SSO (OSS covers this).
  • Build first: Webhook → Slack audit notification for production flag changes.

If your team has 5–20 people

You are hitting OSS limits. Prioritize in order:

  • 1️⃣ Extra environments — Run a 2nd Unleash OSS instance as "staging" server. Simple but operational overhead.
  • 2️⃣ Change Request workaround — Webhook + Slack approval bot for production changes.
  • 3️⃣ Audit log pipeline — Webhook → CloudWatch/ELK. Set it up now, before you need it.
  • 4️⃣ Feature dependencies — Implement in application code with documented conventions.

If your team has 20+ people OR has compliance needs

Strongly consider upgrading to Enterprise or Unleash Cloud Pro. The features you need are expensive to replicate:

  • Change Requests — A week of engineering to build a proper approval bot with enforcement. Enterprise has this built-in, audit-grade.
  • Multiple environments — Running 3+ separate Unleash servers multiplies your operational overhead. Not worth it.
  • Advanced RBAC — Cannot be replicated in OSS. Project-level role isolation requires Enterprise.
  • SCIM — Security requirement for organizations with rapid team changes.
Cost math: If your team spends even 5 hours per month on flag governance workarounds, and your average developer cost is $80/hr, that's $400/month. Unleash Enterprise / Cloud Pro typically costs less than that for small teams. The ROI is positive at 5+ developers.
Quick Reference — OSS vs Enterprise at a Glance:

Flag types ✓ · Strategies ✓ · Variants ✓ · Constraints ✓ · 2 environments ✓ · Basic RBAC ✓ · OIDC SSO ✓ · Webhooks ✓ · Playground ✓ · Basic metrics ✓ · Basic audit log ✓

Enterprise adds: Change Requests · Unlimited environments · Custom RBAC · Project roles · Feature Dependencies · Global segments · SAML · SCIM · Signals & Actions · Network View · Lifecycle · Insights · Naming patterns · Service accounts · Jira/ServiceNow