Custom Roles
Create your own custom role types for greater control of permissions assigned to users at the Workplace and Project level.
Custom roles allow you to create more fine-grained permission assignments than the default Workplace and Project roles supplied by Doppler so you can better apply the principle of least privilege.
When combined with User Groups and SCIM for automated user provisioning, users can be automatically assigned custom roles at the project and workplace level based on group membership.
Requires an upgraded subscriptionThis feature is standard on our Enterprise plan or can be added on to an existing Team plan. Explore pricing or book a demo for more details.
Prerequisites
- Enterprise subscription with Custom Roles enabled
- Must be a workplace owner
Management
Custom Roles are created and managed by navigating to the Doppler dashboard under Team -> Roles.
Roles can be assigned at the Workplace and Project level:
- Workplace: Each user can be assigned a single Workplace role (groups cannot currently be assigned a Workplace role). These roles include permissions for accessing logs, team management, settings, billing, etc. You can see a full list of permissions below.
- Project: Each user or group can be assigned one Project role per project. If you need different permissions on a per-config basis, you can assign separate permission levels to different groups and assign the users into these various groups. The permissions granted to the user are the highest available from the combination of all roles they have applied to them. These roles include permissions for secrets read/write, project management, project access, config management, etc. You can see a full list of permissions below.
Assignment
Custom roles are assigned in the same way Doppler's pre-defined roles are.
Default
The default workplace role is assigned when a new user joins a workplace if the user's role is undefined (e.g. if user groups are not used)
Workplace Level
Navigate to the dashboard Team page and click on the Users tab to assign a specific role to user:
Project Level
Navigate to Members in the Project sub-menu menu to assign permissions at the Project level.
Available Permissions
Below is a breakdown of all the available permissions for Workplace and Project roles. The Dependencies column lists permissions that must also be enabled for a given permission to function. In the dashboard, dependencies are automatically enabled when a permission is turned on. When using the API, you must explicitly include all required dependencies. Dependencies may have their own dependencies that must also be included (transitively).
Workplace
| Name | API Slug | Category | Dependencies | Description |
|---|---|---|---|---|
| Access All Projects | all_enclave_projects | Project Access | ā | Automatically adds the user as a member on all projects in the workplace. |
| Admin on All Projects | all_enclave_projects_admin | Project Access | Access All Projects, View Team | Automatically gives the user Admin level permissions on all projects in the workplace. Admins on a project have the ability to manage that project's environments, user memberships, and webhooks. They can also enable/disable project-level secret referencing, access all environments/configs, rename the project, and delete the project. |
| Create Project | create_enclave_project | Project Management | ā | Allows the user to create new projects in the workplace. |
| Manage Secrets Referencing | enclave_secrets_referencing | Project Management | Manage Settings | Allows the user to enable or disable Secret Referencing on the workplace level (i.e., enable or disable it for ALL projects). |
| Manage Config Inheritance | enclave_inheritance | Project Management | Manage Settings | Allows the user to enable or disable Config Inheritance on the workplace level (i.e., enable or disable it for ALL projects). |
| View Default Environments | workplace_default_environments_read | Project Management | ā | Allows the user to view the Default Environments for the workplace. |
| Manage Default Environments | workplace_default_environments_manage | Project Management | View Default Environments | Allows the user to modify the Default Environments for the workplace. |
| View Change Request Policies | change_request_policy_read | Change Requests | View Team | Allows the user to view workplace-level Change Request policies. |
| Manage Change Request Policies | change_request_policy_manage | Change Requests | View Team, View Change Request Policies | Allows the user to create, edit, and delete workplace-level Change Request policies. |
| View Logs | logs | Activity Logs | ā | Allows the user to view only the workplace Activity Logs the user has access to. |
| View All Logs | logs_audit | Activity Logs | View Logs | Allows the user to view ALL workplace Activity Logs. |
| Access Analytics Dashboard | analytics_dashboard | Analytics Dashboard | Access All Projects, Admin on All Projects | Allows the user to view the Analytics Dashboard. |
| View Team | team | Team Management | ā | Allows the user to view the Team settings page ā including read access to the Users, Groups, and Roles tabs. |
| Manage Team * | team_manage | Team Management | View Team, List Verified Domains | Allows the user to make changes to the Team settings ā including inviting users, creating/modifying groups, and assigning users to groups. It also provides access to the SSO tab and allows the user to configure the workplace's SSO settings. Enabling this permission automatically enables the View Settings and List Verified Domains permissions as they're required. |
| Manage Custom Roles * | custom_roles_manage | Team Management | View Team | Allows the user to create or modify Custom Roles from the Roles tab on the Team settings page. |
| View Service Accounts | service_accounts | Service Accounts | View Team | Allows the user to view Service Accounts on the Team settings page, including the projects they have access to. |
| Manage Service Accounts | service_accounts_manage | Service Accounts | View Service Accounts | Allows the user to create or modify Service Accounts on the Team settings page. |
| View Service Account API Tokens | service_account_api_tokens | Service Accounts | View Service Accounts | Allows the user to view a list of all existing Service Accounts API Tokens. This allows them to see a preview of the token value, but not the full value. |
| Manage Service Account API Tokens | service_account_api_tokens_manage | Service Accounts | View Service Account API Tokens, Manage Service Accounts | Allows the user to create or modify Service Account API Tokens. This includes the ability to roll an existing API token (which would then provide access to the new token value). |
| View Service Account Identities | service_account_identities | Service Accounts | View Service Accounts | Allows the user to view identities belonging to Service Accounts. |
| Manage Service Account Identities | service_account_identities_manage | Service Accounts | View Service Account Identities, Manage Service Accounts | Allows the user to create, edit, and delete identities belonging to Service Accounts. |
| View Billing | billing | Billing Management | ā | Allows the user to access the Billing settings page and view the current plan the workplace is on. |
| Manage Billing | billing_manage | Billing Management | View Billing | Allows the user to view and modify the workplace plan and payment method on the Billing settings page. |
| View Settings | settings | Settings Management | ā | Allows the user to access the workplace Settings page and view the current workplace settings. |
| Manage Settings | settings_manage | Settings Management | View Settings | Allows the user to delete the workplace and modify the workplace Settings ā including the ability to rename the workplace, update contact emails, and add or update Logging Services. |
| List Verified Domains | verified_domains | Settings Management | View Settings | Allows the user to view the workplace's Verified Domains on the workplace Settings page. |
| Manage Verified Domains | verified_domains_manage | Settings Management | List Verified Domains, Manage Settings | Allows the user to add or modify the workplace's Verified Domains on the workplace Settings page. |
| Use All Integration Connections | workplace_integrations_read | Integration Connections | View All Integration Connections | Allows the user to create syncs, rotated secrets, and dynamic secrets using existing Integration connections that have already been created and configured. |
| View All Integration Connections | workplace_integrations_list | Integration Connections | ā | Allows the user to view all the existing Integration connections from the workplace Integrations page. |
| Manage All Integration Connections | workplace_integrations_manage | Integration Connections | View All Integration Connections, Use All Integration Connections | Allows the user to create Integration connections from the sync creation page and modify existing Integration connections from the workplace Integrations page. |
| Create Integration Connection | workplace_integrations_create | Integration Connections | View All Integration Connections | Allows the user to create new Integration connections. Requires the ability to list existing connections to prevent duplicates. |
| Manage EKM | ekm | Token Engine (EKM) | ā | Allows the user to configure the workplace's Enterprise Key Management (EKM) settings. |
* Actors with this permission can change all permissions including their own.
Project
| Name | API Slug | Category | Dependencies | Description |
|---|---|---|---|---|
| Rename Project | enclave_project_rename | Project | ā | Allows the user to rename the project. |
| Delete Project | enclave_project_delete | Project | ā | Allows the user to delete the project. |
| Manage Project Members | enclave_project_members | Project Access | ā | Allows the user to add/remove users and groups to a project along with setting their permission level and which configs are accessible. |
| Access All Configs | enclave_project_environment_all | Project Access | List All Environments | Allows the user to access all configs on the project. Used primarily to ensure a user will always have access to new configs added to the project over time. |
| List All Environments | enclave_project_environment_list_all | Project Access | ā | Allows the user to view all environments on the main project config page. |
| Manage Notes | enclave_project_secrets_notes_manage | Project Tools | View Secrets, Manage Secrets | Allows the user to create and modify Notes on secrets they have access to. |
| Manage Project Webhooks | enclave_project_webhooks | Project Tools | ā | Allows the user to create and modify Webhooks on the project. |
| Manage Reminders | enclave_secret_reminders | Project Tools | View Secrets | Allows the user to create and modify Reminders on secrets they have access to. |
| Manage Project Secrets Referencing | enclave_project_secrets_referencing | Project Tools | Manage Config Secrets Referencing | Allows the user to enable or disable Secret Referencing for the project. |
| Manage Project Config Inheritance | enclave_project_inheritance | Project Tools | ā | Allows the user to enable or disable Config Inheritance for the project. |
| Create Environments | enclave_project_environment_create | Environments | List All Environments | Allows the user to create new Environments for the project. |
| Delete Environments | enclave_project_environment_delete | Environments | ā | Allows the user to delete Environments for the project. |
| Reorder Environments | enclave_project_environment_order | Environments | ā | Allows the user to change the order of Environments on the main project config page. Note that this only impacts the order they're displayed in on the dashboard. |
| Rename Environments | enclave_project_environment_rename | Environments | ā | Allows the user to rename Environments. |
| Manage Environment Settings | enclave_project_environment_settings_manage | Environments | ā | Allows the user to enable or disable Personal Configs for Environments they have access to. |
| Create Config | enclave_project_config_create | Config | Manage Secrets | Allows the user to create configs in Environments they have access to. |
| Delete Config | enclave_project_config_delete | Config | ā | Allows the user to delete configs in Environments they have access to. |
| Duplicate Config | enclave_project_config_duplicate | Config | Create Config | Allows the user to duplicate configs in Environments they have access to. |
| Rename Config | enclave_project_config_rename | Config | ā | Allows the user to rename configs in the Environments they have access to. |
| Lock Config | enclave_project_config_lock | Config | ā | Allows the user to lock and unlock configs in the Environments they have access to. Locking a config prevents it from being renamed or deleted until unlocked. |
| Manage Service Tokens | enclave_project_config_service_tokens | Config Tools | View Secrets | Allows the user to create, roll, and delete service tokens for configs in the project. |
| Manage Trusted IPs | enclave_project_config_trusted_ips | Config Tools | View Secrets | Allows the user to add, remove, and update Trusted IPs for configs they have access to. |
| Manage Config Secrets Referencing | enclave_config_secrets_referencing | Config Tools | View Secrets | Allows the user to enable or disable Secret Referencing at the config level for any configs they have access to. |
| Toggle Config Inheritance | enclave_config_toggle_inheritable | Config Tools | View Secrets | Allows the user to toggle the inheritable status of a config for any configs they have access to via Config Inheritance. |
| View Config Logs | enclave_config_logs | Config Logs | View Secrets | Allows the user to view the Activity Log for a config. |
| Rollback Change | enclave_project_config_logs_rollback | Config Logs | View Config Logs, Manage Secrets | Allows the user to rollback a secret change from the Activity Log for a config they have access to. |
| View Config Access Logs | enclave_config_access_logs | Access Logs | View Secrets | Allows the user to view the Access Logs for configs they have access to. |
| View Secrets | enclave_project_config_secrets_read | Secrets | ā | Allows the user to view Secrets in the configs they have access to. |
| Manage Secrets | enclave_project_config_secrets_write | Secrets | View Secrets | Allows the user to create, modify or delete Secrets in configs they have access to. |
| Approve Change Requests | enclave_config_change_request_review | Change Requests | View Secrets | Allows the user to review Change Requests to approve them. |
| Assign Change Request Policies | enclave_config_change_request_policy_manage | Change Requests | ā | Allows the user to manage Change Request policy assignments for configs they have access to. |
| Lease Dynamic Secrets | enclave_project_config_dynamic_secrets_leases_write | Dynamic Secrets | View Dynamic Secrets, View Secrets | Allows the user to lease a Dynamic Secret when fetching secrets from a config that contains them. |
| View Dynamic Secrets | enclave_project_config_dynamic_secrets_read | Dynamic Secrets | ā | Allows the user to view Dynamic Secrets that have been created in configs they have access to. |
| Manage Dynamic Secret | enclave_project_config_dynamic_secrets_manage | Dynamic Secrets | View Dynamic Secrets, Lease Dynamic Secrets | Allows the user to create, modify, or delete Dynamic Secrets for configs they have access to. |
| View Rotated Secrets | enclave_project_config_rotated_secrets_read | Rotated Secrets | View Secrets | Allows the user to view Rotated Secrets that been created in configs they have access to. |
| Manage Rotated Secrets | enclave_project_config_rotated_secrets_manage | Rotated Secrets | View Rotated Secrets | Allows the user to create, modify, or delete Rotated Secrets for configs they have access to. |
| Manage Syncs | enclave_config_syncs_manage | Syncs | ā | Allows the user to create, modify, or delete Syncs for configs the project. |
Updated about 1 month ago