Permissions
Divio Cloud uses a combined Role-Based Access Control (RBAC) and Relation-Based Access Control (ReBAC) model to give you fine-grained control over who can do what inside your organisation.
Permissions are defined through security groups (roles), and applied based on a user’s relationship to specific resources such as organisations, applications, environments, and addons.
This means that while security groups define what a user can do (RBAC), the scope of those permissions depends on where they are applied (ReBAC).
Permissions are scoped at four levels:
- Organisation – billing, users, global configuration, and organisation-wide settings.
- Application – application configuration, deployments, addons, and app-level operations.
- Environment – individual environments (e.g.
test,staging,live), their deployments, environment variables, and logs. - Addon – addon configuration, provisioning, and addon-level operations.
Each user is assigned to one or more security groups, and each security group grants access to resources at these levels.
Default Security Groups
Divio Cloud ships with a set of default security groups that should cover most common setups. At a glance:
| Security Group | Organisation | Application | Environment | Addon |
|---|---|---|---|---|
| Organisation Owner | Full access | Full access | Full access | Full access |
| Organisation Admin | Most features (no transfer) | Full access | Full access | Full access |
| Billing Admin | Limited access to billing only | Limited access | No access | No access |
| Application Administrators | Limited access | Full access | Full access | No access |
| Environment Administrators | Limited access | Limited access | Full access | Limited access |
| Environment Guests | Limited access | Limited access | Limited access | Limited access |
| Addon Administrators | Limited access | Limited access | Limited access | Full access |
Limited access means minimal visibility at that scope, just enough to navigate to the resources they have permissions for (no write operations, no destructive actions).
Security Group Details
Organisation Owner
The Organisation Owner has full control over the entire organisation:
- Manage users and their security groups.
- Manage subscriptions, invoices, and billing details.
- Create, modify, and delete applications.
- Configure all organisation-level settings.
- Transfer ownership to another user.
- Delete the organisation.
If no separate billing email is configured, the organisation owner is used as the default contact. The user who creates the organisation is automatically assigned the Organisation Owner security group.
Organisation Admin
The Organisation Admin has almost the same capabilities as the owner, but with one important restriction:
- Can manage users and their security groups.
- Can manage subscriptions, invoices, and billing details.
- Can create and manage applications.
- Can configure organisation settings.
Cannot:
- Transfer organisation ownership.
- Delete the organisation.
In practice, this security group is ideal for people who should administrate day-to-day operations but should not be able to perform irreversible, high-impact actions.
Billing Admin
The Billing Admin has only access to the billing section of the organisation. Members of this security group can change the organisation's billing information and download invoices.
They have limited access to applications (their subscriptions), but no access to environments, or addons of an organisation.
Application Administrators
The Application Administrators security group has full access to a specific application, its environments, and its addons, but limited visibility into the rest of the organisation:
- Can deploy the application.
- Can manage application settings and configuration.
- Can manage application environments (including deployments and environment variables).
- Can manage application addons.
- Can access application logs and metrics.
and more...
Cannot:
- See or modify billing information.
- Manage users at the organisation level.
- Access invoices.
- Access organisation-wide configuration unrelated to their application.
Use this security group for engineers who are responsible for one or more applications, without exposing sensitive organisational data.
Environment Administrators
The Environment Administrators security group is scoped to one or more specific environments of an application:
- Can deploy to the assigned environment(s).
- Can manage environment-specific settings (for example environment variables, deployments, and addons within that environment).
- Can access logs, metrics, and status for the assigned environment(s).
This security group:
- Inherits the restrictions of the Application Administrators for organisation-level access.
- Has read-only access to the application outside of the assigned environments (enough to navigate, no write access).
- Cannot modify settings that affect all environments of an application.
- Cannot see environments they are not explicitly granted access to.
This security group is a good fit for people who should operate or maintain a single environment (e.g. production) without touching others.
Environment Guests
The Environment Guests security group provides read-only access to a specific environment:
- Can view the assigned environment's status, logs, and related information.
- Can inspect configuration where necessary to understand the environment.
Cannot:
- Trigger deployments.
- Change any settings.
- Modify application or organisation-level configuration.
Guests only see as much application or organisational information as is required to access the environment they are invited to. This security group is useful for external collaborators, auditors, or stakeholders who need insight but no write access.
Addon Administrators
The Addon Administrators security group has full access to specific addons:
- Can manage addon settings and configuration.
Cannot:
- See or modify billing information.
- Manage users at the organisation level.
- Manage applications they have no access to.
Use this security group for teams or individuals who are responsible for managing specific addons without needing broader application or environment access.
Custom Security Groups
For more advanced setups, Divio Cloud supports custom security groups (available to enterprise clients). Custom security groups allow you to:
- Define your own combinations of permissions.
- Align Divio security groups with your internal security model.
- Sync security groups between your Identity Provider (IdP) and Divio Cloud, so access is managed centrally.
If you're interested in custom security groups or an enterprise setup, contact our support team and we'll help you design a setup that works for your organisation.