Team Management

Manage team access to your projects with role-based access control (RBAC) and environment scopes.

Role Hierarchy

dotset uses a four-tier role system with hierarchical permissions:
Role     | Scopes        | Read Secrets | Write Secrets | Manage Team     | Delete Project
Owner    | All           |              |               | ✅ All members  |
Admin    | All           |              |               | ✅ Members only |
Member   | Assigned only |              |               |                 |
Readonly | Assigned only | ✅ (masked)  |               |                 |
Higher roles can only manage users at lower permission levels. Admins cannot remove other Admins or Owners.

Environment Scopes

Each project has three environment scopes:
  • development — Local development secrets
  • staging — Pre-production testing
  • production — Live production secrets
Members and Readonly users can be assigned to specific scopes, limiting their access to only those environments.
# Add member with specific scopes
dotset team add <email> --role member --scopes development,staging

# Add readonly user for production auditing
dotset team add <email> --role readonly --scopes production

CLI Commands

List Team Members

dotset team list
Output:
Team Members (4)
┌─────────────────────────┬──────────┬─────────────────────────┐
│ Email                   │ Role     │ Scopes                  │
├─────────────────────────┼──────────┼─────────────────────────┤
│ <email>                 │ owner    │ all                     │
│ <email>                 │ admin    │ all                     │
│ <email>                 │ member   │ development, staging    │
│ <email>                 │ readonly │ production              │
└─────────────────────────┴──────────┴─────────────────────────┘

Add Team Member

dotset team add <email> --role <role> [--scopes <scopes>]
Options:
  • --role — One of: admin, member, readonly
  • --scopes — Comma-separated: development, staging, production (optional for admin)
When you add a member, they receive an email invitation to join the project.

Update Member Role

dotset team update <email> --role <new-role> [--scopes <scopes>]

Remove Team Member

dotset team remove <email>
Removing a team member immediately revokes their access. Any service tokens they created remain active until manually revoked.

Service Tokens

Service tokens provide programmatic access for CI/CD pipelines without requiring user credentials.

Create Token

dotset tokens create <name> --scopes <scopes> [--readonly] [--expires <duration>]
Options:
  • --scopes — Required. Comma-separated environment scopes
  • --readonly — Token can only read secrets, not write
  • --expires — Token expiration (e.g., 30d, 90d, 1y)
# Production-only readonly token for CI
dotset tokens create ci-deploy --scopes production --readonly --expires 90d
The token value is only shown once. Store it securely in your CI/CD secrets.

List Tokens

dotset tokens list

Revoke Token

dotset tokens revoke <name>

Dashboard

All team management is also available in the dashboard:
  1. Navigate to your project
  2. Click the Members tab
  3. Add, edit, or remove team members
  4. View and manage service tokens in the Tokens tab

Best Practices

Least Privilege

Assign the minimum role and scopes needed for each team member’s responsibilities

Scope Isolation

Keep production access limited to those who need it

Token Expiration

Set expiration dates on service tokens, especially for production

Regular Audits

Review team access periodically and remove inactive members
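
The Scope Isolation and Regular Audits checks can be run mechanically against the output of dotset team list. The script below is an added example, not part of dotset or its documentation: it parses the table layout shown under List Team Members (assuming the real CLI prints that layout) and flags production access that is not on an allow-list. The allow-list passed as arguments, the function names and the sample addresses are constructed for illustration.

```python
import sys

ROLES = {"owner", "admin", "member", "readonly"}   # the four tiers on this page
ENVIRONMENTS = {"development", "staging", "production"}

def parse_team_table(text):
    """Parse the box-drawn table printed by `dotset team list` into dicts."""
    members = []
    for line in map(str.strip, text.splitlines()):
        if not line.startswith("│"):
            continue                      # title line and ┌ ├ └ border lines
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) != 3:
            raise ValueError(f"unexpected row: {line!r}")   # fail closed
        email, role, scopes = cells
        if email.lower() == "email":
            continue                      # header row
        members.append({"email": email, "role": role.lower(),
                        "scopes": {s.strip() for s in scopes.split(",")}})
    return members

def audit(members, prod_allowed):
    """Return (email, finding) pairs; prod_allowed is a hypothetical allow-list."""
    findings = []
    for m in members:
        email, role, scopes = m["email"], m["role"], m["scopes"]
        if role not in ROLES or not scopes <= ENVIRONMENTS | {"all"}:
            findings.append((email, "unrecognised role or scope"))
            continue
        if scopes & {"all", "production"} and email not in prod_allowed:
            findings.append((email, "production access not on allow-list"))
        if role in ("member", "readonly") and scopes >= ENVIRONMENTS:
            findings.append((email, "scoped role holds every environment"))
    return findings

# Constructed sample in the layout shown on this page (addresses are made up).
SAMPLE = """Team Members (4)
┌───────────────────┬──────────┬──────────────────────────────────┐
│ Email             │ Role     │ Scopes                           │
├───────────────────┼──────────┼──────────────────────────────────┤
│ owner@example.com │ owner    │ all                              │
│ admin@example.com │ admin    │ all                              │
│ dev@example.com   │ member   │ development, staging, production │
│ audit@example.com │ readonly │ production                       │
└───────────────────┴──────────┴──────────────────────────────────┘"""

if __name__ == "__main__":   # usage: dotset team list | python3 audit_team.py <allowed-email>...
    for email, finding in audit(parse_team_table(sys.stdin.read()), set(sys.argv[1:])):
        print(f"{email}: {finding}")
```

Owners and Admins hold scope "all", so they are reported unless they appear on the allow-list; a row that does not parse raises an error rather than being skipped silently.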