DigitalOcean

Simple and secure Identity and Access Management

Easily manage access to your infrastructure, keep your systems secure, and support compliance across your critical resources.

Get started

Support for Single Sign-On is Here

Single Sign-On (SSO) with Okta is here, giving you quick, easy, and secure authentication for your organization.

Learn more

Identity and Access Management tools

Single Sign-On

Single Sign-On (SSO) allows you and your team to access multiple cloud environments across DigitalOcean with one set of login credentials via your Identity Provider (IdP). SSO helps to streamline authentication across resources, improves security, and simplifies resource management for both users and administrators.

Teams

Teams centralize access control for collaborating users, and roles define their permissions within the team based on responsibilities, applying the principle of least privilege. With both predefined and custom roles, teams can further granularize access control.

API Tokens

API tokens let you give apps exactly the access they need, nothing more, nothing less. It's a simple way to automate tasks, keep things secure, and make your workflows run more smoothly.

Common use cases for Identity and Access Management

Quickly granting secure, role-appropriate access

Predefined roles are ideal for giving users the right level of access without manual configuration. For example, you can assign a Financial Analyst the predefined role of Billing Viewer so they can perform their job responsibilities.

Enforcing least privilege access for unique workflows

Custom roles are used when predefined roles are too broad, allowing organizations to tailor permissions precisely to match specific job functions or compliance requirements.

Automating infrastructure and integrating with external tools

API tokens are perfect for securely authenticating applications or scripts that need programmatic access to cloud resources, like CI/CD pipelines or monitoring tools.

Centralizing user authentication across services with one Identity Provider

SSO is most valuable in organizations that want to improve security and simplify login experiences by enabling users to access multiple cloud services with one corporate identity, i.e. through Okta.

Managing multiple teams under one organization

Group teams under one organization to keep billing, access, and permissions in one place, while still giving each team the flexibility to work independently.

Why Identity and Access Management matters

Learn how our built-in Identity and Access Management tools help to safeguard your cloud resources.

Check out our product documentation

Enhanced security

IAM gives you control over who can access what—and when—helping you stay secure by enforcing the principle of least privilege and reducing the risk of threats.

Operational efficiency

Our IAM tools automate user provisioning and access approvals, reducing manual work. They simplify onboarding and ensure users have the right permissions from day one.

Improved regulatory compliance

IAM often helps teams meet industry and government regulations (i.e. SOC 2, GDPR, and HIPAA) by providing fine-grained controls.

Explore our custom scope product documentation

Take a closer look at our documentation on how to customize your scopes on Personal Access Tokens (PATs)

Learn more

Manage permissions with Role-Based Access Control

Empower teams while protecting your cloud environment.

Read our product documentation

Minimize security risks

Limit user access to essential resources only, which helps minimize unauthorized access and protect sensitive data.

Improved compliance

RBAC provides clear, auditable access controls, helping organizations to meet regulatory requirements and simplify compliance audits.

Streamlined access

Streamline permission management by assigning users to predefined roles, reducing IT workload, improving productivity, and minimizing errors.

Resources hub

Dive into the details

Explore our product documentation to read up on features, team roles, and possible modifications to your roles.

Go to RBAC product docs

World-class support

Superior support services are designed to meet your needs, whether you are a startup, a digital native enterprise (DNE), or anything in between.

Get help

Frequently asked questions

What is Role-Based Access Control Management?

Role-Based Access Control (RBAC) is a way to manage who can access what in your systems. Instead of giving permissions to individual users one by one, you instead assign roles such as "Modifier" or "Billing Viewer". Each role then has a specific set of permissions. This method makes it easier to keep access aligned with someone's job responsibilities and helps keep your systems secure.

What is a predefined role in role-based access control management?

A predefined role is a built-in role that comes with a set of permissions already assigned. These roles are created to match common responsibilities for team members, such as managing billing or account ownership. With predefined roles, you can quickly assign the right level of access.

What is a custom role in role-based access management?
A custom role is a role you create by choosing specific permissions from the full set available in DigitalOcean. Instead of using a predefined role, you define exactly what actions, like creating, reading, updating, or deleting, a user can take on which resources. This gives you fine-grained control over access across your team. Lastly, custom roles also apply to a user's personal access tokens (PATs).
What roles are available today within the DigitalOcean cloud console?
Aside from any custom role you create, the following predefined roles are available:
  1. Owner: The Owner role grants full administrative control over an entire team and its resources.
  2. Member: The Member role grants full administrative control over the resources within a team, but does not permit access to billing details or team settings.
  3. Modifier: The Modifier role permits users to update but does not allow them to delete resources. This role is ideal for teams who wish to protect sensitive resources from deletion while still allowing members to manage them.
  4. Biller: The Biller role grants full administrative control over billing related information and does not allow control over team settings.
  5. Billing Viewer: The Billing Viewer role permits read-only access to billing information only, giving users insight into billing details for cost analysis, transparency and governance without exposing sensitive operational controls.
  6. Resource Viewer: The Viewer role permits read-only access to resources, ideal for audit or compliance purposes. Users with this role will not have permission to create, update, or delete resources.
What are the ideal use cases for predefined roles?
Predefined roles are a simple way to enforce the desired level of privilege for users based on their functional roles within the team. It is a helpful, simple alternative to having to customize Custom Scopes for API Tokens usage. Additionally, panel-only users will welcome predefined roles given its availability in the DigitalOcean Cloud Control Panel.
What are the ideal use cases for custom roles?
Custom roles are ideal when the predefined roles don't quite match the specific responsibilities of your team members. For example, you might allow a user to manage Droplets but not Databases, or to view usage data without the ability to change resources, all according to their job responsibilities.
When should I use predefined roles?
DigitalOcean recommends always enforcing the principle of least privilege wherever, and as often, as possible. Predefined roles are recommended for all customers to use and deploy based on the operational requirements of their team.
How do I apply roles through the Console and the API?
In the DigitalOcean Control Panel, you can manage team roles in Settings. From this tab, you can update a member's role or invite new members with specific roles through a straightforward, guided experience. Previously, Team Management has not had a supported Public API. With the introduction of RBAC, DigitalOcean has included new Team Management API's to manage users and roles. Please see the DigitalOcean API Reference.
Will this capability be API-only? Or is it available in the Cloud Control Panel UI?

No. Predefined roles for RBAC are available in the Cloud Control Panel. This feature will accommodate panel-only users. It should also be available to larger, more sophisticated users of the DigitalOcean API to also use predefined roles. There is no configuration disparity between the product experiences whether a user is a panel or an API user.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.