Creating and Managing Teams
DigitalOcean teams allow you to invite multiple users to access and manage shared resources, such as Droplets, Load Balancers, Spaces and more, without having to share login credentials or billing information.
Teams are recommended for project leaders and business owners who want to share control of server infrastructure with trusted collaborators, such as developers and system administrators.
This tutorial will explain how teams work and how you can use the feature.
How to Create a Team
To create a team account, log into the DigitalOcean Control Panel.
Note: Before creating a team account, be sure that you understand the implications of allowing multiple users to control your DigitalOcean account. You may want to skip this section until you read the rest of this tutorial and have a solid understanding of how team accounts work.
Next, open the account dropdown by clicking on the arrow on the top right, next to your avatar.
Select Create a team. Enter a Team name and the primary Contact email for your team:
If you would like all of your existing resources (such as Droplets, floating IPs, and domains) to be managed under this team account, check the box next to Convert your existing account into a team account. Be careful with this option, as it is not currently reversible.
Click Continue.
Next, you’ll be prompted to choose a billing method. Select a credit card from the list of cards already associated with your account, and click Select Credit Card to continue.
Finally, you’ll be prompted to invite team members. Type one or more e-mail addresses, and press the Invite team members button. If you want to defer this step until later, instead click No thanks, I’ll send invitations later.
At this point, you should have a new team. Click the Visit Team Page button to view details.
Team Membership and Roles
The team page will display a handful of profile details for your team, along with a list of members:
You can see a team member’s current Role, whether a team member has enabled two-factor authentication in the 2 FA column, and whether they have accepted your invitation to the team under the Status column. By clicking the Actions drop-down, you can change a member’s current role, or remove them from the team. To invite more members to the team, click the Invite Members button.
Warning: It is strongly recommended that you require all members of your team to use very strong passwords and enable two-factor authentication, since a compromise of any one team member’s account would effectively give an attacker access to all of your DigitalOcean resources.
Once an individual has accepted an invite to your team, they can occupy one of three roles:
- Owner: Has full control over the account, including billing and team settings. Appropriate for users who need to manage both the account’s billing and team settings.
- Billing: Has access to manage payment and billing information, read only access to resources, and no access to team settings. Appropriate for users who need to manage billing, but who do not manage technical resources or team membership.
- Member: Does not have access to team’s billing or team settings, but can manage everything else. Appropriate for users who only require the ability to manage the team’s server infrastructure resources, such as Droplets.
Remember that the Member and Owner roles have full control over the team’s Droplets and related resources via the Control Panel and API, similar to a normal user.
Note: While a team owner can remove any member’s Control Panel and API access by deleting them from the team, removing access to any existing Droplets via SSH keys and other credentials must be done independently, as DigitalOcean does not manage the contents of a Droplet after it is created. As with any shared network resource, organizations should plan in advance for revoking credentials on multi-user Droplets when team members depart.
Billing Settings
Team owners and billers can manage the billing settings on the *Billing** tab:
Billing emails will be sent to email addresses belonging to the Team Owner and Billing Role member.
Team Resources
Most team resources, such as Droplets and public SSH keys, are viewable by all members of a team account, but there are a few types of resources that are specific to particular members.
Member Specific Resources
The following items are unique to particular members:
- Personal Access Tokens are unique to the member that generated it
- Droplet password emails are sent to the member that created the related Droplet
- Support ticket emails are sent to any member that participated in a particular support ticket
Team Wide Resources
All other account resources can be viewed or managed by every member of a team, depending on their role, including:
- Droplets
- Public SSH Keys
- Images
- Developer Applications (API)
- Authorized Applications (API)
- Support Tickets
- Referral Code
- Security History
Security History
The Security tab displays the option to switch between Google SSO and a DigitalOcean username and password. Next it displays your SSH key settings, followed by the Security history.
The security history includes Droplet and team management events, with the IP address of the user that triggered the event, and a timestamp (GMT).
Deactivate a Team
To a deactivate a team, first:
- Remove all resources (Droplets, Load Balancers, Domains, etc.) associated with the team.
Next:
- Select the team from the User menu
- Click Team in the Account section of the main navigation.
- Click the Edit Team Profile Button
- Click the Deactivate Team button.
- Confirm by clicking Deactivate Team.
You’ll receive confirmation that the team has been deactivated, and it will no longer appear in the Control Panel. Once a team is deactivated, you can use the name again to create a new team.