Advanced Permissions

Learn how to set up more advanced configurations for project access control

In some scenarios more advanced permission configurations are required. For example, you may need a particular group of users to have write permission on the dev and ci configs, read-only access on the stg config, and the ability to see that the prd config exists without being able to view its secrets. But how would you accomplish this? When assigning a group to a project, you have to choose a single access role for the group. A single role can't grant read-only access on one config while providing write access on another. And you can't limit visibility of secrets for a single config on a project without limiting it for all configs.

The answer here is to compose multiple User Groups together. The Doppler permissions model combines all of a user's permissions together and uses the most permissive of all permission sets. For example, if a user is in two User Groups and both groups have access to a particular config – one with read-only access and the other with write access – the user would have write access to that config. You can take advantage of this to assign different permission levels to configs on the same Project.

1. Create Custom Project Roles

To set this up, you would first create three separate Custom Project Roles:

  • Secret Read-only. This role should have the "View Secrets" permission.
  • Secret Write. This role should have the "View Secrets" permission and the "Manage Secrets" permission.
  • No Secrets. This role should have no permissions.

2. Create User Groups & Assign Roles

Now create three separate groups and set up their project access. In the examples below, we're providing access to an "example" project that has a dev, ci, stg, and prd config.

  • Dev+CI Write. Assign this group the "Secret Write" role on the project and only give it access to the dev and ci environments.
  • Staging Read-only. Assign this group the "Secret Read-only" role on the project and only give it access to the stg environment.
  • Prod No Secrets. Assign this group the "No Secrets" role on the project and only give it access to the prd environment.

3. Inspect Project Member Access

When complete, you can inspect the Members area for the project in question. You should see something similar to the below, where the three groups you assigned show up with the appropriate role and environment access.

On the project config view in the dashboard, a user with this permission layout will see every config they were assigned to. They'll have write access to dev and ci, the ability to view secrets in stg, and won't be able to click into prd or its branch configs, but can see that it exists.
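To see how the "most permissive wins" rule produces the layout above, here is a small Python model added as an example (it is not Doppler's own code or API). The role names, groups and environments are those from this page; the dictionary layout, the function names and the branch config prd_eu are assumptions constructed for the illustration.

```python
# Custom Project Roles from step 1 (role name -> set of permissions).
ROLES = {
    "Secret Read-only": {"View Secrets"},
    "Secret Write": {"View Secrets", "Manage Secrets"},
    "No Secrets": set(),
}

# User Groups from step 2: group name -> (role, environments it may access).
GROUP_ASSIGNMENTS = {
    "Dev+CI Write": ("Secret Write", {"dev", "ci"}),
    "Staging Read-only": ("Secret Read-only", {"stg"}),
    "Prod No Secrets": ("No Secrets", {"prd"}),
}

# Configs of the "example" project: config name -> its environment. A branch
# config (here the constructed "prd_eu") belongs to its root config's environment.
CONFIGS = {"dev": "dev", "ci": "ci", "stg": "stg", "prd": "prd", "prd_eu": "prd"}


def effective_permissions(user_groups, config):
    """Return (visible, permissions) for a user in `user_groups` on `config`.
    Visible if any group covers the config's environment; permissions are the
    union across all covering groups, so the most permissive role wins."""
    env = CONFIGS[config]
    visible, perms = False, set()
    for group in user_groups:
        role, envs = GROUP_ASSIGNMENTS[group]
        if env in envs:
            visible = True
            perms |= ROLES[role]
    return visible, frozenset(perms)


def access_matrix(user_groups):
    """Summarise each config as 'write', 'read', 'visible' (exists, no secrets) or 'hidden'."""
    matrix = {}
    for config in CONFIGS:
        visible, perms = effective_permissions(user_groups, config)
        if "Manage Secrets" in perms:
            matrix[config] = "write"
        elif "View Secrets" in perms:
            matrix[config] = "read"
        else:
            matrix[config] = "visible" if visible else "hidden"
    return matrix


if __name__ == "__main__":
    # A user who is a member of all three groups gets the layout described above.
    for config, level in access_matrix(list(GROUP_ASSIGNMENTS)).items():
        print(f"{config:7} {level}")
```

Because permissions are unioned, adding that same user to any further group that grants "View Secrets" on the prd environment would expose prd secrets, so check the resulting matrix whenever group memberships change.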