Custom Roles

Create your own custom role types for greater control of permissions assigned to users at the Workplace and Project level.

Custom roles allow you to create more fine-grained permission assignments than the default Workplace and Project roles supplied by Doppler so you can better apply the principle of least privilege.

When combined with User Groups and SCIM for automated user provisioning, users can be automatically assigned custom roles at the project and workplace level based on group membership.

Requires an upgraded subscription

This feature is standard on our Enterprise plan or can be added on to an existing Team plan. Explore pricing or book a demo for more details.

Prerequisites

Management

Custom Roles are created and managed by navigating to the Doppler dashboard under Team -> Roles.

Roles can be assigned at the Workplace and Project level:

  • Workplace: Each user can be assigned a single Workplace role (groups cannot currently be assigned a Workplace role). These roles include permissions for accessing logs, team management, settings, billing, etc. You can see a full list of permissions below.
  • Project: Each user or group can be assigned one Project role per project. If you need different permissions on a per-config basis, you can assign separate permission levels to different groups and add users to those groups. The permissions granted to the user are the highest available from the combination of all roles applied to them. These roles include permissions for secrets read/write, project management, project access, config management, etc. You can see a full list of permissions below.

Assignment

Custom roles are assigned in the same way Doppler's pre-defined roles are.

Default

The default workplace role is assigned when a new user joins a workplace if the user's role is undefined (e.g. if user groups are not used).

Workplace Level

Navigate to the dashboard Team page and click on the Users tab to assign a specific role to a user:

Project Level

Navigate to Members in the Project sub-menu to assign permissions at the Project level.

Available Permissions

Below is a breakdown of all the available permissions for Workplace and Project roles.

Workplace

| Name | Category | Description |
|---|---|---|
| Access All Projects | Project Access | Automatically adds the user as a member on all projects in the workplace. |
| Admin on All Projects | Project Access | Automatically gives the user Admin level permissions on all projects in the workplace. Admins on a project have the ability to manage that project's environments, user memberships, and webhooks. They can also enable/disable project-level secret referencing, access all environments/configs, rename the project, and delete the project. |
| Create Project | Project Management | Allows the user to create new projects in the workplace. |
| Manage Secrets Referencing | Project Management | Allows the user to enable or disable secret referencing on the workplace level (i.e., enable or disable it for ALL projects). |
| View Default Environments | Project Management | Allows the user to view the Default Environments for the workplace. |
| Manage Default Environments | Project Management | Allows the user to modify the Default Environments for the workplace. |
| View Logs | Activity Logs | Allows the user to view only the workplace Activity Logs the user has access to. |
| View All Logs | Activity Logs | Allows the user to view ALL workplace Activity Logs. |
| View Team | Team Management | Allows the user to view the Team settings page – including read access to the Users, Groups, and Roles tabs. |
| Manage Team * | Team Management | Allows the user to make changes to the Team settings – including inviting users, creating/modifying groups, and assigning users to groups. It also provides access to the SSO tab and allows the user to configure the workplace's SSO settings. Enabling this permission automatically enables the View Settings and List Verified Domains permissions as they're required. |
| Manage Custom Roles * | Team Management | Allows the user to create or modify Custom Roles from the Roles tab on the Team settings page. |
| View Service Accounts | Service Accounts | Allows the user to view Service Accounts on the Team settings page, including the projects they have access to. |
| Manage Service Accounts | Service Accounts | Allows the user to create or modify Service Accounts on the Team settings page. |
| View Service Account API Tokens | Service Accounts | Allows the user to view a list of all existing Service Accounts API Tokens. This allows them to see a preview of the token value, but not the full value. |
| Manage Service Account API Tokens | Service Accounts | Allows the user to create or modify Service Account API Tokens. This includes the ability to roll an existing API token (which would then provide access to the new token value). |
| View Billing | Billing Management | Allows the user to access the Billing settings page and view the current plan the workplace is on. |
| Manage Billing | Billing Management | Allows the user to view and modify the workplace plan and payment method on the Billing settings page. |
| View Settings | Settings Management | Allows the user to access the workplace Settings page and view the current |
| Manage Settings | Settings Management | Allows the user to delete the workplace and modify the workplace Settings – including the ability to rename the workplace, update contact emails, and add or update Logging Services. |
| List Verified Domains | Settings Management | Allows the user to view the workplace's Verified Domains on the workplace Settings page. |
| Manage Verified Domains | Settings Management | Allows the user to add or modify the workplace's Verified Domains on the workplace Settings page. |
| Use All Integration Connections | Integration Connections | Allows the user to create syncs, rotated secrets, and dynamic secrets using existing Integration connections that have already been created and configured. |
| View All Integration Connections | Integration Connections | Allows the user to view all the existing Integration connections from the workplace Integrations page. |
| Manage All Integration Connections | Integration Connections | Allows the user to create Integration connections from the sync creation page and modify existing Integration connections from the workplace Integrations page. |
| Manage EKM | Token Engine (EKM) | Allows the user to configure the workplace's Enterprise Key Management (EKM) settings. |

* Actors with this permission can change all permissions including their own.

Project

| Name | Category | Description |
|---|---|---|
| Rename Project | Project | Allows the user to rename the project. |
| Delete Project | Project | Allows the user to delete the project. |
| Manage Project Members | Project Access | Allows the user to add/remove users and groups to a project along with setting their permission level and which configs are accessible. |
| Access All Configs | Project Access | Allows the user to access all configs on the project. Used primarily to ensure a user will always have access to new configs added to the project over time. |
| List All Environments | Project Access | Allows the user to view all Environments on the main project config page. |
| List All Configs | Project Access | Allows the user to view all Configs in the Environments they have access to on the main project config page. |
| Manage Notes | Project Tools | Allows the user to create and modify Notes on secrets they have access to. |
| Manage Project Webhooks | Project Tools | Allows the user to create and modify Webhooks on the project. |
| Manage Reminders | Project Tools | Allows the user to create and modify Reminders on secrets they have access to. |
| Manage Project Secrets Referencing | Project Tools | Allows the user to enable or disable Secret Referencing for the project. |
| Create Environments | Environments | Allows the user to create new Environments for the project. |
| Delete Environments | Environments | Allows the user to delete Environments for the project. |
| Reorder Environments | Environments | Allows the user to change the order of Environments on the main project config page. Note that this only impacts the order they're displayed in on the dashboard. |
| Rename Environments | Environments | Allows the user to rename Environments. |
| Manage Environment Settings | Environments | Allows the user to enable or disable Personal Configs for Environments they have access to. |
| Create Config | Config | Allows the user to create Configs in Environments they have access to. |
| Delete Config | Config | Allows the user to delete Configs in Environments they have access to. |
| Duplicate Config | Config | Allows the user to duplicate Configs in Environments they have access to. |
| Rename Config | Config | Allows the user to rename Configs in the Environments they have access to. |
| Lock Config | Config | Allows the user to lock and unlock Configs in the Environments they have access to. Locking a Config prevents it from being renamed or deleted until unlocked. |
| Manage Service Tokens | Config Tools | Allows the user to create, roll, and delete service tokens for Configs in the project. |
| Manage Trusted IPs | Config Tools | Allows the user to add, remove, and update Trusted IPs for Configs they have access to. |
| Manage Config Secrets Referencing | Config Tools | Allows the user to enable or disable Secret Referencing at the Config level for any Configs they have access to. |
| View Config Logs | Config Logs | Allows the user to view the Activity Log for a Config. |
| Rollback Change | Config Logs | Allows the user to roll back a secret change from the Activity Log for a Config they have access to. |
| View Config Access Logs | Access Logs | Allows the user to view the Access Logs for Configs they have access to. |
| View Secrets | Secrets | Allows the user to view Secrets in the Configs they have access to. |
| Manage Secrets | Secrets | Allows the user to create, modify or delete Secrets in Configs they have access to. |
| Approve Change Requests | Change Requests | Allows the user to review Change Requests to approve them. |
| Lease Dynamic Secrets | Dynamic Secrets | Allows the user to lease a Dynamic Secret when fetching secrets from a Config that contains them. |
| View Dynamic Secrets | Dynamic Secrets | Allows the user to view Dynamic Secrets that have been created in Configs they have access to. |
| Manage Dynamic Secret | Dynamic Secrets | Allows the user to create, modify, or delete Dynamic Secrets for Configs they have access to. |
| View Rotated Secrets | Rotated Secrets | Allows the user to view Rotated Secrets that have been created in Configs they have access to. |
| Manage Rotated Secrets | Rotated Secrets | Allows the user to create, modify, or delete Rotated Secrets for Configs they have access to. |
| Manage Syncs | Syncs | Allows the user to create, modify, or delete Syncs for Configs in the project. |
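
The following is an added example for reviewing role assignments offline; it is not Doppler code and does not call the Doppler API. It illustrates two points from this page: a user's Project permissions are the combination of all roles applied to them (modeled here, as an assumption, as a set union per config), and the starred Workplace permissions let an actor change all permissions. The role names, users, groups, configs and the single project are constructed; only the permission names come from the tables above.

```python
# Constructed sample data: role names, users, groups and configs are hypothetical.
# Permission names are taken from the tables on this page.
SELF_ESCALATING = {"Manage Team", "Manage Custom Roles"}  # starred on the page

WORKPLACE_ROLES = {
    "auditor": {"View Team", "View All Logs"},
    "team-lead": {"View Team", "Manage Team", "Create Project"},
}
PROJECT_ROLES = {
    "reader": {"View Secrets", "View Config Logs"},
    "deployer": {"View Secrets", "Manage Service Tokens", "Lease Dynamic Secrets"},
    "editor": {"View Secrets", "Manage Secrets", "Rollback Change"},
}
GROUPS = {"backend": {"alice", "bob"}, "release": {"bob"}}
WORKPLACE_ASSIGNMENTS = {"alice": "auditor", "bob": "team-lead"}  # one role per user
# One project: (principal kind, principal, project role, configs the membership covers)
PROJECT_MEMBERS = [
    ("group", "backend", "reader", {"dev", "stg", "prd"}),
    ("group", "release", "deployer", {"prd"}),
    ("user", "alice", "editor", {"dev"}),
]

def effective_project_permissions(user):
    """Return {config: permissions}, the union over direct and group roles (assumed model)."""
    result = {}
    for kind, principal, role, configs in PROJECT_MEMBERS:
        applies = principal == user if kind == "user" else user in GROUPS.get(principal, set())
        if applies:
            for config in configs:
                result.setdefault(config, set()).update(PROJECT_ROLES[role])
    return result

def self_escalation_permissions(user):
    """Starred Workplace permissions held through the user's single Workplace role."""
    role = WORKPLACE_ASSIGNMENTS.get(user)
    return WORKPLACE_ROLES.get(role, set()) & SELF_ESCALATING

def audit(user, sensitive=frozenset({"Manage Secrets", "Manage Service Tokens"})):
    """List the findings a least-privilege review would want to look at."""
    findings = [f"workplace: {p} lets {user} change all permissions"
                for p in sorted(self_escalation_permissions(user))]
    for config, perms in sorted(effective_project_permissions(user).items()):
        findings += [f"{config}: {p}" for p in sorted(perms & sensitive)]
    return findings

if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(u, audit(u))
```

In the sample data, bob is only a reader through the backend group, but membership in the release group adds token management on prd, which is the kind of accumulated access a per-role review would miss.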