Groups & Roles
Groups and roles can be manually assigned in Coder. For production deployments, these can also be managed and synced by the identity provider.
Groups
Groups are logical segmentations of users in Coder and can be used to control which templates developers can use. For example:
- Users within the `devops` group can access the `AWS-VM` template
- Users within the `data-science` group can access the `Jupyter-Kubernetes` template
Roles
Roles determine which actions users can take within the platform.
| | Auditor | User Admin | Template Admin | Owner |
|---|---|---|---|---|
| Add and remove Users | | ✅ | | ✅ |
| Manage groups (enterprise) (premium) | | ✅ | | ✅ |
| Change User roles | | | | ✅ |
| Manage ALL Templates | | | ✅ | ✅ |
| View ALL Workspaces | | | ✅ | ✅ |
| Update and delete ALL Workspaces | | | | ✅ |
| Run external provisioners | | | ✅ | ✅ |
| Execute and use ALL Workspaces | | | | ✅ |
| View all user operation Audit Logs | ✅ | | | ✅ |
A user may have one or more roles. All users have an implicit Member role that may use personal workspaces.
Custom Roles (Beta, Premium)
Starting in v2.16.0, Premium Coder deployments can configure custom roles on the Organization level. You can create and assign custom roles in the dashboard under Organizations -> My Organization -> Roles.
Note: This requires a Premium license. Contact your account team for more details.
Example roles
- The `Banking Compliance Auditor` custom role cannot create workspaces, but can read template source code and view audit logs
- The `Organization Lead` role can access user workspaces for troubleshooting purposes, but cannot edit templates
- The `Platform Member` role cannot edit or create workspaces as they are created via a third-party system
Custom roles can also be applied to headless user accounts:
- A `Health Check` role can view deployment status but cannot create workspaces, manage templates, or view users
- A `CI` role can update and manage templates but cannot create workspaces or view users
Creating custom roles
Clicking "Create custom role" opens a UI to select the desired permissions for a given persona.
From there, you can assign the custom role to any user in the organization under the Users settings in the dashboard.
Note that these permissions only apply to the scope of an organization, not across the deployment.
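The role semantics described on this page (roles are unioned, every user holds an implicit Member role, and custom roles apply only inside the organization that owns them) as an added, standalone model; it is not Coder's RBAC engine, and the action strings, organization names and users are assumptions made for the illustration:

```python
from dataclasses import dataclass, field
from typing import Optional

# Permissions of the built-in, deployment-wide roles, transcribed from the
# permission table above. Action names are assumptions made for this model.
SITE_ROLES = {
    "member": {"use_own_workspaces"},
    "auditor": {"view_audit_logs"},
    "user_admin": {"add_remove_users", "manage_groups"},
    "template_admin": {"manage_all_templates", "view_all_workspaces",
                       "run_external_provisioners"},
}
# Owner holds every permission in the table, including the owner-only rows.
SITE_ROLES["owner"] = set().union(*SITE_ROLES.values()) | {
    "change_user_roles", "update_delete_all_workspaces", "execute_all_workspaces"}


@dataclass(frozen=True)
class CustomRole:
    name: str
    org: str                   # organization the custom role was created in
    permissions: frozenset


@dataclass
class User:
    name: str
    site_roles: set = field(default_factory=set)
    custom_roles: list = field(default_factory=list)


def allowed(user: User, action: str, org: Optional[str] = None) -> bool:
    """True if any role the user holds grants `action`.

    Site roles apply everywhere and their permissions are unioned. A custom
    role only contributes when the check is made inside the organization
    that owns it, so it never grants anything across the deployment.
    """
    granted = set().union(*(SITE_ROLES[r] for r in user.site_roles | {"member"}))
    for role in user.custom_roles:
        if org is not None and role.org == org:
            granted |= role.permissions
    return action in granted


# Constructed sample: the "Banking Compliance Auditor" persona from the list
# above, created in a hypothetical "finance" organization.
BANKING_AUDITOR = CustomRole("Banking Compliance Auditor", "finance",
                             frozenset({"read_template_source", "view_audit_logs"}))
alice = User("alice", custom_roles=[BANKING_AUDITOR])
bob = User("bob", site_roles={"auditor", "template_admin"})
```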
Security notes
A malicious Template Admin could write a template that executes commands on the host (or the `coder server` container), which potentially escalates their privileges or shuts down the Coder server. To avoid this, run external provisioners.
In low-trust environments, we do not recommend giving users direct access to edit templates. Instead, use CI/CD pipelines to update templates with proper security scans and code reviews in place.