Permissions
Divio Cloud uses a role-based access control (RBAC) system to give you fine-grained control over who can do what inside your organization. Permissions are scoped at four levels:
- Organization – billing, users, global configuration, and organization-wide settings.
- Application – application configuration, deployments, addons, and app-level operations.
- Environment – individual environments (e.g. test, staging, live), their deployments, environment variables, and logs.
- Addon – addon configuration, provisioning, and addon-level operations.
Each user is assigned to one or more security groups, and each security group grants access to resources at these levels.
Default Security Groups
Divio Cloud ships with a set of default security groups that should cover most common setups. At a glance:
| Security Group | Organization | Application | Environment | Addon |
|---|---|---|---|---|
| Organization Owner | Full access | Full access | Full access | Full access |
| Organization Admin | Most features (no transfer) | Full access | Full access | Full access |
| Billing Admin | Limited access to billing only | Limited access | No access | No access |
| Application Administrators | Limited access | Full access | Full access | No access |
| Environment Administrators | Limited access | Limited access | Full access | Limited access |
| Environment Guests | Limited access | Limited access | Limited access | Limited access |
| Addon Administrators | Limited access | Limited access | Limited access | Full access |
Limited access means read-only access at that scope: just enough for members to navigate to the resources they have permissions for, with no write operations and no destructive actions.
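For an access review, the table above can be turned into a small check. The following is an added example, not Divio code or a Divio API: it assumes a user's effective access at each level is the highest access granted by any of their groups, uses a constructed membership list, and ignores the per-application and per-environment scoping of the narrower groups.

```python
# Added illustration, not Divio code. Access levels are copied from the
# default security groups table; "most" stands for "Most features (no transfer)".
LEVELS = ("organization", "application", "environment", "addon")
RANK = {"none": 0, "limited": 1, "most": 2, "full": 3}
GROUPS = {
    "Organization Owner":         ("full", "full", "full", "full"),
    "Organization Admin":         ("most", "full", "full", "full"),
    "Billing Admin":              ("limited", "limited", "none", "none"),
    "Application Administrators": ("limited", "full", "full", "none"),
    "Environment Administrators": ("limited", "limited", "full", "limited"),
    "Environment Guests":         ("limited", "limited", "limited", "limited"),
    "Addon Administrators":       ("limited", "limited", "limited", "full"),
}
ORG_WIDE = {"Organization Owner", "Organization Admin"}

def effective_access(groups):
    """Highest access per level across a user's groups (assumption: grants add up)."""
    best = dict.fromkeys(LEVELS, "none")
    for group in groups:  # an unknown (e.g. custom) group raises KeyError
        for level, access in zip(LEVELS, GROUPS[group]):
            if RANK[access] > RANK[best[level]]:
                best[level] = access
    return best

def review(memberships):
    """Return (user, finding) pairs for a mapping of user -> list of groups."""
    findings = []
    for user, groups in sorted(memberships.items()):
        access = effective_access(groups)
        if "Organization Owner" in groups:
            findings.append((user, "can transfer or delete the organization"))
        elif RANK[access["organization"]] >= RANK["most"]:
            findings.append((user, "can manage users and billing"))
        # Owner and Admin already have full access below organization level,
        # so any other group held alongside them adds nothing.
        extra = sorted(set(groups) - ORG_WIDE)
        if extra and ORG_WIDE & set(groups):
            findings.append((user, "redundant groups: " + ", ".join(extra)))
    return findings

# Constructed sample memberships (hypothetical users).
MEMBERSHIPS = {
    "alice": ["Organization Owner"],
    "bob": ["Organization Admin", "Environment Guests"],
    "carol": ["Billing Admin", "Addon Administrators"],
    "dave": ["Environment Guests"],
}

if __name__ == "__main__":
    for user, note in review(MEMBERSHIPS):
        print(f"{user}: {note}")
```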
Security Group Details
Organization Owner
The Organization Owner has full control over the entire organization:
- Manage users and their security groups.
- Manage subscriptions, invoices, and billing details.
- Create, modify, and delete applications.
- Configure all organization-level settings.
- Transfer ownership to another user.
- Delete the organization.
If no separate billing email is configured, the organization owner is used as the default contact. The user who creates the organization is automatically assigned the Organization Owner security group.
Organization Admin
The Organization Admin has almost the same capabilities as the owner, but with one important restriction:
- Can manage users and their security groups.
- Can manage subscriptions, invoices, and billing details.
- Can create and manage applications.
- Can configure organization settings.
Cannot:
- Transfer organization ownership.
- Delete the organization.
In practice, this security group is ideal for people who should administer day-to-day operations but should not be able to perform irreversible, high-impact actions.
Billing Admin
The Billing Admin has access only to the billing section of the organization. Members of this security group can change the organization's billing information and download invoices.
They have limited access to applications (their subscriptions), but no access to the environments or addons of an organization.
Application Administrators
The Application Administrators security group has full access to a specific application, its environments, and its addons, but limited visibility into the rest of the organization:
- Can deploy the application.
- Can manage application settings and configuration.
- Can manage application environments (including deployments and environment variables).
- Can manage application addons.
- Can access application logs and metrics.
and more...
Cannot:
- See or modify billing information.
- Manage users at the organization level.
- Access invoices.
- Access organization-wide configuration unrelated to their application.
Use this security group for engineers who are responsible for one or more applications, without exposing sensitive organizational data.
Environment Administrators
The Environment Administrators security group is scoped to one or more specific environments of an application:
- Can deploy to the assigned environment(s).
- Can manage environment-specific settings (for example environment variables, deployments, and addons within that environment).
- Can access logs, metrics, and status for the assigned environment(s).
This security group:
- Inherits the restrictions of the Application Administrators for organization-level access.
- Has read-only access to the application outside of the assigned environments (enough to navigate, no write access).
- Cannot modify settings that affect all environments of an application.
- Cannot see environments they are not explicitly granted access to.
This security group is a good fit for people who should operate or maintain a single environment (e.g. production) without touching others.
Environment Guests
The Environment Guests security group provides read-only access to a specific environment:
- Can view the assigned environment's status, logs, and related information.
- Can inspect configuration where necessary to understand the environment.
Cannot:
- Trigger deployments.
- Change any settings.
- Modify application or organization-level configuration.
Guests only see as much application or organizational information as is required to access the environment they are invited to. This security group is useful for external collaborators, auditors, or stakeholders who need insight but no write access.
Addon Administrators
The Addon Administrators security group has full access to specific addons:
- Can manage addon settings and configuration.
Cannot:
- See or modify billing information.
- Manage users at the organization level.
- Manage applications they have no access to.
Use this security group for teams or individuals who are responsible for managing specific addons without needing broader application or environment access.
Custom Security Groups
For more advanced setups, Divio Cloud supports custom security groups (available to enterprise clients). Custom security groups allow you to:
- Define your own combinations of permissions.
- Align Divio security groups with your internal security model.
- Sync security groups between your Identity Provider (IdP) and Divio Cloud, so access is managed centrally.
If you're interested in custom security groups or an enterprise setup, contact our support team and we'll help you design a setup that works for your organization.