Expanding DigitalOcean’s Role-Based Access Controls with custom roles

Today, we are excited to announce our latest Role-Based Access Control (RBAC) feature, custom roles. With custom roles, teams can now assign permissions to individuals that are precisely aligned with their operational and security requirements, reinforcing the principle of least privilege. This allows for more precise permission management, which helps to enhance overall infrastructure security by reducing the risk of over-privileged accounts. Custom roles give you full control over who can do what on your projects, improving the overall security of your cloud resources.

In this blog post, we will walk through what custom roles are, how they work, key features, when to use them, and how they can help your team.

What are custom roles?

Custom roles are user-defined sets of permissions that allow organizations to tailor access control to their specific needs, beyond what’s available in predefined roles. In other words, custom roles let you create your own set of permissions instead of relying only on default, predefined roles (like Viewer, Billing Viewer, etc.) that may not work for you. Now, users can define more detailed custom permissions that target specific resources and needs. For example, a user may only need read access to Droplets, but write access to Kubernetes.

Hear what a DigitalOcean customer had to say about using custom roles. This customer is a Co-founder of a revenue management company:

“Custom roles helped me bring my team onto the platform without granting blanket access. This feature helped me manage access for other users within my company, and it is an advancement towards more secure collaboration, which is crucial."

Key features of custom roles

Custom roles have three primary functions for the modern, digital-native business with multiple teams:

• Define specific permissions

  • You can select individual permissions from the available IAM permissions that match the specific tasks a user needs to perform.

  • You can avoid granting permissions not required for a specific role, helping you maintain tighter control over your environment.

• Control access to resources

  • Granular controls limit the actions a user can perform to very specific tasks such as read-only access or managing user roles.

  • Granular controls are implemented when the user defines a custom role with specific permissions for certain resources. These controls will apply to resources utilized in all projects.

• Improve security and governance

  • Administrators can help make sure that users only have the permissions they need, minimizing the risk of privilege misuse or insider threats.

A revenue management company Co-founder said “DigitalOcean’s custom roles helped me bring my team onto the platform without granting blanket access. This feature helped me manage access for other users within my company, and it is an advancement towards more secure collaboration, which is crucial."

When to use custom roles vs. predefined roles

DigitalOcean recommends following the principle of least privilege by using custom roles whenever possible. But constraints like limited time or resources may restrict how much time you spend on user access management. This is where predefined roles prove to be helpful! For many common scenarios, predefined roles, like Owner, Member, Modifier, Biller, Billing Viewer, and Resource Viewer, are a quick and efficient way to assign access. If granular access control isn’t necessary, these roles—available conveniently in the cloud control panel—cover standard use cases.

Custom roles are best when predefined roles don’t align with the specific responsibilities of your team, or members of other teams that are working on a given project. For example, you might need to give a user read-only access to Droplets but write access to Kubernetes, or let someone manage App Platform while restricting access to Droplets. Since these abilities aren’t covered in predefined roles, you’d need custom roles to tailor those permissions.

How custom roles benefit your team

Custom roles offer a wealth of benefits to organizations, small and large alike. They include:

• Operational flexibility: With custom roles, you can define roles for part-time contributors, contractors, or specialized team members without over-privileging them.

• Better collaboration: Projects that require different teams (Engineering, Marketing, Operations) which can quickly become complex in terms of user permissions. With custom roles, you can set clear boundaries around who can access what, based on the specific responsibilities of each team member, especially in fast-growing groups.

• Improved security and compliance: Custom roles help to enforce guardrails for sensitive actions like destroying resources or accessing billing information.

• Principle of least privilege: A rule of thumb in the Identity and Access Management sphere, it helps reduce the chances of a security breach, reduce malware spread, and improve overall system stability and security.

Resources to get started

• Start building with DigitalOcean today by signing up for a cloud account

• View our RBAC product documentation to learn more about the custom roles.

• Learn more about the power of RBAC and other Identity and Access Management products

• Contact our sales team or connect with a DigitalOcean partner who can help advise you on architecture reviews, deployments, and other infrastructure assistance

• Interested in migrating to DigitalOcean? Learn more here