Currently anyone with access to the the hubot instance can run heroku commands.

I imagine that might make people feel uncomfortable and we might want a base layer of permissions.

Either everyone has full access to heroku commands or only people given a special role using hubot.