Get up to speed with Doppler's team management and workplace permissions model.
Workplace permissions are assigned at the user level with three tiers of access: Collaborator, Admin, and Owner.
Two workplace owners recommended
For security, Doppler staff are not able to change a user's level of access. If only a single owner exists for a workplace and that account is unable to sign in, your workplace is effectively blocked from performing operations requiring Owner access. We strongly recommend you have two workplace owners as a backup in case one of the owners is unable to sign in. The second account can be a special "admin-only" account that is only used in emergencies.
Default Workplace Permissions
Workplace owners can configure the default workplace and project permission levels assigned to new users from the Team page, then clicking the Roles tab.
We recommend using our default provided access levels although smaller companies may want to make this less restrictive to reduce having to manually grant project permissions on a per user basis.
Exercise your best judgment and follow the principle of least privilege to ensure you're taking advantage of Doppler's fine-grained access controls. This ensures team members only have access to the secrets for the environments they need to manage.
For increased security, we recommend Owners verify a domain via the Settings page as early on as possible so only email accounts belonging to that domain can be added to a workplace.
Adding Workplace Users
Users can be added to Doppler using four methods:
- Send Invite
- Self-Serve via Email Single Sign-On
- SAML Single Sign-On
Users can be manually invited to join a workplace from the Team page. The account must be able to receive mail in order to retrieve the confirmation code which must be entered prior to the user being allowed to access the workplace.
Self-Serve via Email Single Sign-On
If domain verification has been completed, Email Single Sign-On can be enabled via the Team page and allows any user with an email for that domain to self-register their Doppler account at https://dashboard.doppler.com/login.
This is a simple and fast method to give your entire team or company access on a self-serve basis.
SAML Single Sign-On
Doppler supports SAML Single Sign-On for managing workplace access and authentication using your Single Sign-On provider.
Doppler supports SCIM for managing workplace access, authentication, and dynamic provisioning of Doppler accounts and user group mapping.
SCIM requires an Enterprise subscription.
User access permissions can be viewed from the Team page with Owner permissions required in order to add or remove users from a workplace via the dashboard.
You can view the access permissions for a specific user by clicking the user's name with the details screen displaying what projects they can access and what user groups groups they belong to.
Workplace owners and admins have full access to every project and environment while collaborators need to be assigned project access manually (unless SCIM is used for dynamic provisioning and project group assignment).
See our dedicated project permissions guide to learn more.
Groups requires an Enterprise subscription
Get in touch to set up an Enterprise trial or request an upgrade to your Team subscription for the User Groups feature only.
Workplaces using email account-based access and SAML will use the dashboard to remove users from Team page by clicking the Remove link.
Updated 5 months ago