Team Management

Get up to speed with Doppler's team management and workplace permissions model.

Workplace Permissions

Workplace permissions are assigned at the user level with three tiers of access: Collaborator, Admin, and Owner.


Two workplace owners recommended

For security, Doppler staff are not able to change a user's level of access. If only a single owner exists for a workplace and that account is unable to sign in, your workplace is effectively blocked from performing operations requiring Owner access. We strongly recommend you have two workplace owners as a backup in case one of the owners is unable to sign in. The second account can be a special "admin-only" account that is only used in emergencies.


Role based access requires an upgraded subscription

Role based access is available with our Team and Enterprise plans. View our plans or book a demo for more details.

Default Workplace Permissions

Workplace owners can configure the default workplace and project permission levels assigned to new users from the Team page, then clicking the Roles tab.


We recommend using our default provided access levels although smaller companies may want to make this less restrictive to reduce having to manually grant project permissions on a per user basis.

Exercise your best judgment and follow the principle of least privilege to ensure you're taking advantage of Doppler's fine-grained access controls. This ensures team members only have access to the secrets for the environments they need to manage.

Domain Verification

For increased security, we recommend Owners verify a domain via the Settings page as early on as possible so only email accounts belonging to that domain can be added to a workplace.


Adding Workplace Users

Users can be added to Doppler using four methods:

  • Send Invite
  • Self-Serve via Email Single Sign-On
  • SAML Single Sign-On
  • SCIM

Send Invite

Users can be manually invited to join a workplace from the Team page. The account must be able to receive mail in order to retrieve the confirmation code which must be entered prior to the user being allowed to access the workplace.


Self-Serve via Email Single Sign-On

If domain verification has been completed, Email Single Sign-On can be enabled via the Team page and allows any user with an email for that domain to self-register their Doppler account at

This is a simple and fast method to give your entire team or company access on a self-serve basis.


SAML Single Sign-On

Doppler supports SAML Single Sign-On for managing workplace access and authentication using your Single Sign-On provider.


Doppler supports SCIM for managing workplace access, authentication, and dynamic provisioning of Doppler accounts and user group mapping.


SAML SSO and SCIM require an upgraded subscription

SAML SSO is available with our Team plan while SCIM is exclusive to our Enterprise plan. View our plans or book a demo for more details.

User Management

User access permissions can be viewed from the Team page with Owner permissions required in order to add or remove users from a workplace via the dashboard.


You can view the access permissions for a specific user by clicking the user's name with the details screen displaying what projects they can access and what user groups groups they belong to.


Workplace owners and admins have full access to every project and environment while collaborators need to be assigned project access manually (unless SCIM is used for dynamic provisioning and project group assignment).

See our dedicated project permissions guide to learn more.


Groups requires an upgraded subscription

User Groups is standard on our Enterprise plan or can be added on to an existing Team plan. Explore pricing or book a demo for more details.

Removing Users

Workplaces using email account-based access and SAML will use the dashboard to remove users from Team page by clicking the Remove link.

2168 1124