DigitalOcean Teams

Validated on November 15, 2018 • Posted on June 19, 2018

DigitalOcean teams allow you to invite multiple users to access and manage shared resources (like Droplets, Load Balancers, and Spaces) without sharing login credentials or billing information.

Teams are useful for project leaders and business owners who want to share control of server infrastructure with trusted collaborators, such as developers and system administrators. They’re available to anyone with a DigitalOcean account at no additional cost.

How-Tos

Team Membership

Once you’ve created a team, the team page will display profile details for your team, along with a list of members:

Team Settings

You can see a team member’s current Role, whether a team member has enabled two-factor authentication in the 2 FA column, and whether they have accepted your invitation to the team under the Status column.

By clicking the Actions drop-down, you can change a member’s current role or remove them from the team. To invite more members to the team, click the Invite Members button. There is no limit to the number of members a team can have or the number of members who can have a given role.

A compromise of any one team member’s account would effectively give an attacker access to all of your DigitalOcean resources. Because of this, we recommend requiring that all members of a team use very strong passwords and enable two-factor authentication.

Team Roles

Once an individual has accepted an invitation to your team, they can occupy one of three roles:

  • Owner: Has full control over the account, including billing and team settings. Appropriate for users who need to manage both the account’s billing and team settings.

  • Billing: Has access to manage payment and billing information, read only access to resources, and no access to team settings. Appropriate for users who need to manage billing, but who do not manage technical resources or team membership.

  • Member: Does not have access to team’s billing or team settings, but can manage everything else. Appropriate for users who only require the ability to manage the team’s server infrastructure resources, such as Droplets.

Remember that the Member and Owner roles have full control over the team’s Droplets and related resources via the control panel and API, similar to a normal user.

Team owners can remove any member’s control panel and API access by deleting that member from the team. However, DigitalOcean does not manage the contents of a Droplet after it is created, so removing access to an existing Droplet via SSH keys and other credentials must be done independently. As with any shared network resource, organizations should plan in advance for revoking credentials on multi-user Droplets when team members depart.

Team Resources

Most team resources, such as Droplets and public SSH keys, are viewable by all members of a team account. However, there are a few types of resources that are specific to particular members:

  • Personal access tokens are unique to the member that generated it.
  • Droplet password emails are sent to the member that created the related Droplet.
  • Support ticket emails are sent to any member that participated in a particular support ticket.

All other account resources can be viewed or managed by every member of a team, depending on their role, including Droplets, public SSH keys, images, developer applications and authorized applications (API), support tickets, referral codes, and security history.

Billing and Security

Team owners and billers can manage the billing settings on the Billing tab:

Billing Tab

Billing emails will be sent to email addresses belonging to the Team Owner and Billing Role member.

The Security tab displays the option to switch between Google SSO and a DigitalOcean username and password. It also displays SSH keys and security history, which includes Droplet and team management events with the IP address of the user that triggered the event and a timestamp (GMT).