Groups & Roles

Enterprise
Premium

Groups and roles can be manually assigned in Coder. For production deployments, these can also be managed and synced by the identity provider.

Groups

Groups are logical segmentations of users in Coder and can be used to control which templates developers can use. For example:

  • Users within the devops group can access the AWS-VM template
  • Users within the data-science group can access the Jupyter-Kubernetes template

Roles

Roles determine which actions users can take within the platform.

Roles: Auditor, User Admin, Template Admin, Owner

Permissions covered by these roles:

  • Add and remove Users
  • Manage groups (enterprise) (premium)
  • Change User roles
  • Manage ALL Templates
  • View ALL Workspaces
  • Update and delete ALL Workspaces
  • Run external provisioners
  • Execute and use ALL Workspaces
  • View all user operation Audit Logs

A user may have one or more roles. All users have an implicit Member role that may use personal workspaces.

Custom Roles
Beta
Premium

Starting in v2.16.0, Premium Coder deployments can configure custom roles on the Organization level. You can create and assign custom roles in the dashboard under Organizations -> My Organization -> Roles.

Note: This requires a Premium license. Contact your account team for more details.

Example roles

  • The Banking Compliance Auditor custom role cannot create workspaces, but can read template source code and view audit logs
  • The Organization Lead role can access user workspaces for troubleshooting purposes, but cannot edit templates
  • The Platform Member role cannot edit or create workspaces as they are created via a third-party system

Custom roles can also be applied to headless user accounts:

  • A Health Check role can view deployment status but cannot create workspaces, manage templates, or view users
  • A CI role can update and manage templates but cannot create workspaces or view users

Creating custom roles

Clicking "Create custom role" opens a UI to select the desired permissions for a given persona.

From there, you can assign the custom role to any user in the organization under the Users settings in the dashboard.

Note that these permissions only apply to the scope of an organization, not across the deployment.

Security notes

A malicious Template Admin could write a template that executes commands on the host (or the Coder server container), potentially escalating their privileges or shutting down the Coder server. To avoid this, run external provisioners, so that templates are provisioned outside the Coder server.

In low-trust environments, we do not recommend giving users direct access to edit templates. Instead, use CI/CD pipelines to update templates with proper security scans and code reviews in place.
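
One possible pre-merge check for such a pipeline, as an added example that is not part of Coder or its documentation: it flags Terraform constructs in a template that run commands on the provisioner host. The pattern list, function names and sample template are assumptions made for illustration, and the check complements external provisioners and code review rather than replacing them.

```python
import re
import sys

# Terraform constructs that run a command on the machine executing Terraform,
# which for a Coder template is the provisioner host. Assumption: this list is
# illustrative, not exhaustive (modules and providers can also run code).
HOST_EXEC_PATTERNS = {
    "local-exec provisioner": re.compile(r'\bprovisioner\s+"local-exec"'),
    "external data source": re.compile(r'\bdata\s+"external"\s+"'),
}

# Matches a quoted string, a /* */ comment, or a # or // line comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|(?:#|//)[^\n]*', re.S)

def blank_comments(src):
    """Drop comments but keep strings and newlines, so line numbers hold."""
    def repl(m):
        text = m.group()
        return text if text.startswith('"') else "\n" * text.count("\n")
    return TOKEN.sub(repl, src)

def scan_template(src):
    """Return (line_number, label) for each host-executing construct."""
    findings = []
    for lineno, line in enumerate(blank_comments(src).splitlines(), 1):
        for label, pattern in HOST_EXEC_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, label))
    return findings

# Constructed sample template, not taken from a real deployment.
SAMPLE_TF = '''\
# provisioner "local-exec" in a comment must not be flagged
data "coder_workspace" "me" {}

resource "null_resource" "setup" {
  provisioner "local-exec" {
    command = "echo placeholder"   // constructed, harmless command
  }
}

data "external" "lookup" {
  program = ["python3", "lookup.py"]
}

locals { docs = "https://example.com/#anchor" }
'''

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TF
    hits = scan_template(src)
    for lineno, label in hits:
        print(f"line {lineno}: {label}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the pipeline step
```

A finding is a prompt for a reviewer to look at that line, not proof of malice; legitimate templates sometimes use these constructs.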