From 5b9925a2797ab1d62728eccf8128e01bf4c56b60 Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Tue, 17 Mar 2026 23:46:34 -0600 Subject: [PATCH] feat: introduce Custom Roles and Audit Logs for Enterprise users - Added documentation for Custom Roles, allowing Enterprise users to create tailored roles with granular permissions. - Introduced a new Audit Logs section, detailing how to track actions performed by organization members for security and compliance. - Updated meta.json to include references to the new features. These enhancements provide greater control and visibility for Enterprise users, improving overall user management and compliance capabilities. --- .../content/docs/core/(Users)/permissions.mdx | 8 + .../docs/core/enterprise/audit-logs.mdx | 53 ++++ .../docs/core/enterprise/audit-logs.txt | 44 ---- .../docs/core/enterprise/custom-roles.mdx | 241 ++++++++++++++++++ .../content/docs/core/enterprise/index.mdx | 5 +- apps/docs/content/docs/core/meta.json | 1 + 6 files changed, 306 insertions(+), 46 deletions(-) create mode 100644 apps/docs/content/docs/core/enterprise/audit-logs.mdx delete mode 100644 apps/docs/content/docs/core/enterprise/audit-logs.txt create mode 100644 apps/docs/content/docs/core/enterprise/custom-roles.mdx diff --git a/apps/docs/content/docs/core/(Users)/permissions.mdx b/apps/docs/content/docs/core/(Users)/permissions.mdx index 8825097..4239ec7 100644 --- a/apps/docs/content/docs/core/(Users)/permissions.mdx +++ b/apps/docs/content/docs/core/(Users)/permissions.mdx 
@@ -53,3 +53,11 @@ You can also grant permissions to specific users for accessing particular projec #### Project Permissions Based on your projects and services, you can assign permissions to specific users to give them access to particular projects or services. You can also select specific environments within projects, allowing you to grant granular access control at the environment level. + +## Enterprise: Custom Roles & Additional Permissions + +With an **Enterprise** license, you can go beyond the default roles and create **Custom Roles** with granular permissions. This gives you full control over what each team member can do — covering areas like deployments, environment variables, servers, certificates, backups, monitoring, audit logs, and more. + +Enterprise permissions include over 25 permission categories with fine-grained actions (Read, Create, Update, Delete, Deploy, Cancel, Restore, Write) across all resources. + +[Learn more about Custom Roles →](/docs/core/enterprise/custom-roles) diff --git a/apps/docs/content/docs/core/enterprise/audit-logs.mdx b/apps/docs/content/docs/core/enterprise/audit-logs.mdx new file mode 100644 index 0000000..0e559fa --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/audit-logs.mdx 
@@ -0,0 +1,53 @@ +--- +title: Audit Logs +description: Track all actions performed by members in your organization +--- + +Audit Logs give Enterprise users complete visibility into every action performed within the organization. Every create, update, delete, login, logout, deployment, and configuration change is recorded — giving you a full trail for security, compliance, and debugging. + +## Overview + +Audit Logs are available in **Settings → Audit Logs**. Each entry captures: + +| Field | Description | +| --- | --- | +| **Timestamp** | When the action occurred. | +| **User** | The email of the user who performed the action. | +| **Action** | The type of action — `Created`, `Updated`, `Deleted`, `Deployed`, `Login`, `Logout`. | +| **Resource** | The type of resource affected (e.g. `application`, `Custom Role`, `Settings`, `Session`, `Domain`). | +| **Name** | The name or identifier of the resource. | +| **Role** | The role of the user at the time of the action (e.g. `owner`, `developer`, `member`). | +| **Metadata** | Additional context when available. | + +## What is Logged + +Audit Logs track every meaningful action in your organization: + +- **Authentication** — User logins, logouts, and session events. +- **User Management** — Creating, updating, or removing users and changing role assignments. +- **Custom Roles** — Creating, updating, or deleting custom roles. +- **Projects & Services** — Creating, updating, deploying, and deleting applications, databases, and compose stacks. +- **Domains** — Adding or removing custom domains. +- **Environment Variables** — Changes to service, project, and environment-level variables. +- **Settings** — Updates to organization settings, whitelabel configuration, and version updates. +- **Infrastructure** — Changes to servers, registries, certificates, SSH keys, and S3 destinations. +- **Backups & Schedules** — Creating, updating, or deleting backups, volume backups, and scheduled jobs. 
+- **Notifications** — Changes to notification providers. + +## Filtering + +You can filter audit log entries to quickly find what you're looking for: + +- **By user** — Search for actions performed by a specific user. +- **By name** — Search for actions on a specific resource name. +- **By action** — Filter by action type (Created, Updated, Deleted, etc.). +- **By resource** — Filter by resource type (application, Settings, Custom Role, etc.). + +## Use Cases + +- **Security investigations** — Identify who made a specific change and when. +- **Compliance** — Maintain evidence of access control and change management for SOC 2, GDPR, and internal policies. +- **Debugging** — Trace deployment failures or configuration issues back to the change that caused them. +- **Team visibility** — Understand what actions team members are performing across the organization. + +For questions about audit log retention or integration with external logging systems, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/audit-logs.txt b/apps/docs/content/docs/core/enterprise/audit-logs.txt deleted file mode 100644 index 9dbd992..0000000 --- a/apps/docs/content/docs/core/enterprise/audit-logs.txt +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Audit logs -description: Track user actions and changes for compliance and security ---- - -## What is logged - -Typical events include: - -- **Authentication** — Logins, logouts, failed attempts, SSO redirects. -- **Users and access** — User creation, updates, deletion, role changes, invite/revoke. -- **Resources** — Creation, update, and deletion of projects, applications, compose stacks, databases, domains, environment variables, and similar resources. -- **Deployments** — Deploy triggers, rollbacks, and related actions. -- **Settings** — Changes to organization, security, and whitelabel settings (where applicable). - -Each entry usually includes: - -- **Timestamp** (UTC) -- **Actor** (user ID, email, or service account) -- **Action** (e.g. `user.login`, `application.create`, `compose.deploy`) -- **Resource** (type and identifier) -- **Details** (e.g. old/new values or reason, when relevant) -- **IP address** (when available) - -## Accessing audit logs - -1. Go to **Settings** → **Audit logs** (or **Organization** → **Audit logs** in Enterprise). -2. Use filters by date range, user, action type, or resource. -3. Export results (e.g. CSV or JSON) for external tools or compliance reviews. - -## Retention and storage - -- Retention period and storage backend (e.g. database, external logging) depend on your Enterprise agreement. -- Configure retention and any archiving according to your compliance and security policies. - -## Compliance - -Audit logs help support: - -- **SOC 2** — Evidence of access control and change management. -- **GDPR** — Documentation of access to and changes in personal data and configurations. -- **Internal policies** — Review of who changed what and when. - -For retention, export formats, or integration with your SIEM or log pipeline, [contact us](https://dokploy.com/contact). 
diff --git a/apps/docs/content/docs/core/enterprise/custom-roles.mdx b/apps/docs/content/docs/core/enterprise/custom-roles.mdx new file mode 100644 index 0000000..76625b9 --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/custom-roles.mdx 
@@ -0,0 +1,241 @@ +--- +title: Custom Roles +description: Create custom roles with granular permissions for your organization members +--- + +Custom Roles let Enterprise users go beyond the default **Owner**, **Admin**, and **Member** roles by creating tailored roles with fine-grained permissions. Assign exactly the access each team member needs — no more, no less. + +## Overview + +In the free version, Dokploy provides three built-in roles: **Owner**, **Admin**, and **Member**. Members have a limited, fixed set of permissions. With Enterprise, you can create **custom roles** that combine any of the available permissions below, then assign those roles to users in your organization. + +To manage custom roles, go to **Settings → Custom Roles**. + +## Available Permissions + +Custom roles are built by combining permissions from the following categories: + +### Users + +Manage organization members, invitations, and roles. + +- **Read** — View the list of users and their roles. +- **Create** — Invite new members to the organization. +- **Update** — Edit user details and role assignments. +- **Delete** — Remove members from the organization. + +### Projects + +Manage project creation and deletion. + +- **Create** — Create new projects. +- **Delete** — Delete existing projects. + +### Services + +Manage services (applications, databases, compose) within projects. + +- **Create** — Create new services inside projects. +- **Read** — View services and their configurations. +- **Delete** — Remove services from projects. + +### Environments + +Manage environment creation, viewing, and deletion. + +- **Create** — Create new environments within projects. +- **Read** — View environments and their settings. +- **Delete** — Remove environments. + +### Docker + +Access to Docker containers, images, and volumes management. + +- **Read** — View Docker containers, images, and volumes. + +### SSH Keys + +Manage SSH key configurations for servers and repositories. 
+ +- **Read** — View existing SSH keys. +- **Create** — Add new SSH keys. +- **Delete** — Remove SSH keys. + +### Git Providers + +Access to Git providers (GitHub, GitLab, Bitbucket, Gitea). + +- **Read** — View connected Git providers. +- **Create** — Connect new Git providers. +- **Delete** — Remove Git provider connections. + +### Traefik Files + +Access to the Traefik file system configuration. + +- **Read** — View Traefik configuration files. +- **Write** — Edit Traefik configuration files. + +### API / CLI + +Access to API keys and CLI usage. + +- **Read** — View and use API keys and CLI. + +### Volumes + +Manage persistent volumes and mounts attached to services. + +- **Read** — View volumes and their configurations. +- **Create** — Create new volumes. +- **Delete** — Remove volumes. + +### Deployments + +Trigger, view, and cancel service deployments. + +- **Read** — View deployment history and status. +- **Deploy** — Trigger new deployments. +- **Cancel** — Cancel running deployments. + +### Service Environment Variables + +View and edit environment variables of services. + +- **Read** — View service environment variables. +- **Write** — Edit service environment variables. + +### Project Shared Environment Variables + +View and edit shared environment variables at the project level. + +- **Read** — View project-level shared environment variables. +- **Write** — Edit project-level shared environment variables. + +### Environment Shared Environment Variables + +View and edit shared environment variables at the environment level. + +- **Read** — View environment-level shared environment variables. +- **Write** — Edit environment-level shared environment variables. + +### Servers + +Manage remote servers and nodes. + +- **Read** — View server details and status. +- **Create** — Add new servers. +- **Delete** — Remove servers. + +### Registries + +Manage Docker image registries. + +- **Read** — View configured registries. +- **Create** — Add new registries. 
+- **Delete** — Remove registries. + +### Certificates + +Manage SSL/TLS certificates. + +- **Read** — View certificates. +- **Create** — Add new certificates. +- **Delete** — Remove certificates. + +### Backups + +Manage database backups and restores. + +- **Read** — View existing backups. +- **Create** — Create new backups. +- **Update** — Modify backup configurations. +- **Delete** — Remove backups. +- **Restore** — Restore from a backup. + +### Volume Backups + +Manage Docker volume backups and restores. + +- **Read** — View volume backups. +- **Create** — Create new volume backups. +- **Update** — Modify volume backup configurations. +- **Delete** — Remove volume backups. +- **Restore** — Restore from a volume backup. + +### Schedules + +Manage scheduled jobs (commands, deployments, scripts). + +- **Read** — View scheduled jobs. +- **Create** — Create new scheduled jobs. +- **Update** — Modify existing scheduled jobs. +- **Delete** — Remove scheduled jobs. + +### Domains + +Manage custom domains assigned to services. + +- **Read** — View configured domains. +- **Create** — Add new domains. +- **Delete** — Remove domains. + +### S3 Destinations + +Manage S3-compatible backup destinations (AWS, Cloudflare R2, etc.). + +- **Read** — View configured S3 destinations. +- **Create** — Add new S3 destinations. +- **Delete** — Remove S3 destinations. + +### Notifications + +Manage notification providers (Slack, Discord, Telegram, etc.). + +- **Read** — View notification providers. +- **Create** — Add new notification providers. +- **Update** — Modify notification configurations. +- **Delete** — Remove notification providers. + +### Logs + +View service and deployment logs. + +- **Read** — View logs. + +### Monitoring + +View server and service metrics (CPU, RAM, disk). + +- **Read** — View monitoring metrics. + +### Audit Logs + +View the audit log of actions performed in the organization. + +- **Read** — View audit log entries. + +## Creating a Custom Role + +1. 
Go to **Settings → Custom Roles**. +2. Click **Create Role**. +3. Enter a name for the role (e.g. `developer`, `viewer`, `deployer`). +4. Select the permissions you want to assign to this role. +5. Click **Save**. + +## Assigning a Custom Role + +1. Go to **Settings → Users**. +2. Select the user you want to update. +3. Change their role to the custom role you created. +4. Click **Save**. + +The user will immediately have access based on the permissions defined in their new role. + +## Best Practices + +- **Principle of least privilege** — Give each role only the permissions it needs. A developer who only deploys doesn't need access to manage users or certificates. +- **Name roles clearly** — Use descriptive names like `deployer`, `viewer`, or `project-admin` so it's easy to understand what each role can do. +- **Review roles regularly** — As your team and workflows evolve, revisit custom roles to ensure they still match your needs. + +For help configuring custom roles, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/index.mdx b/apps/docs/content/docs/core/enterprise/index.mdx index 380e854..3533e39 100644 --- a/apps/docs/content/docs/core/enterprise/index.mdx +++ b/apps/docs/content/docs/core/enterprise/index.mdx 
@@ -8,7 +8,8 @@ description: Enterprise features for SSO, whitelabeling, and audit logs - **Single Sign-On (SSO)** — Integrate with Auth0, Keycloak, or other OIDC/SAML providers. - **Whitelabeling** — Rebrand the UI with your logo, colors, and domain (self-hosted only). -{/* - **Audit logs** — Track user actions and changes for compliance and security. */} +- **Custom Roles** — Create custom roles with granular permissions beyond the default Owner, Admin, and Member roles. [Read more →](/docs/core/enterprise/custom-roles) +- **Audit Logs** — Track every action performed by members in your organization for security and compliance. [Read more →](/docs/core/enterprise/audit-logs) More Enterprise features are on the way. [Contact us](https://dokploy.com/contact) if you want early access or have specific requirements. @@ -18,4 +19,4 @@ For pricing and to enable Enterprise features on your instance, get in touch wit **[Contact us →](https://dokploy.com/contact)** -We'll help you configure SSO, whitelabeling, and audit logs for your organization. +We'll help you configure SSO, whitelabeling, custom roles, and audit logs for your organization. diff --git a/apps/docs/content/docs/core/meta.json b/apps/docs/content/docs/core/meta.json index 61c9ec0..ec84982 100644 --- a/apps/docs/content/docs/core/meta.json +++ b/apps/docs/content/docs/core/meta.json @@ -56,6 +56,7 @@ "enterprise/license-keys", "enterprise/sso", "enterprise/whitelabeling", + "enterprise/custom-roles", "enterprise/audit-logs", "---Guides---", "guides/cloudflare-tunnels",
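Review bot: In apps/docs/content/docs/core/(Users)/permissions.mdx, the added sentence listing "(Read, Create, Update, Delete, Deploy, Cancel, Restore, Write) across all resources" reads as if every action exists on every resource, but custom-roles.mdx in this same patch gives most categories only a subset (Docker has only Read, Projects only Create and Delete, Traefik Files only Read and Write). Suggest "with actions such as Read, Create, Update, Delete, Deploy, Cancel, Restore and Write, depending on the resource". The hard-coded "over 25 permission categories" will also drift as categories are added (custom-roles.mdx lists 26 today); consider dropping the number and letting the linked page be the source of truth.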
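Review bot: In apps/docs/content/docs/core/enterprise/audit-logs.mdx, the opening claim of "complete visibility into every action" is not backed by the Action row of the Overview table, which lists only `Created`, `Updated`, `Deleted`, `Deployed`, `Login`, `Logout`. custom-roles.mdx in this patch defines Cancel and Restore actions, and the "What is Logged" list mentions "session events", but the page does not say how a cancelled deployment or a backup restore appears in the log, or whether read-only access (for example viewing environment variables) is recorded at all. Either document how those map onto the six action types or soften "every action" to the set that is actually recorded. Two smaller gaps for anyone using this as an audit trail: the Timestamp row does not state a time zone, and the page never says who can view the log, so a link to the Audit Logs Read permission in custom-roles.mdx would help.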
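Review bot: The deletion of apps/docs/content/docs/core/enterprise/audit-logs.txt drops several statements that the new audit-logs.mdx does not replace: failed login attempts and SSO redirects under Authentication, the "IP address (when available)" field, date-range filtering, CSV/JSON export, and the whole "Retention and storage" section. If the shipped feature does not record source IP or failed attempts and has no export, the new page should say so explicitly, since those are the first things a reader will look for in a security investigation; if it does, carry the lines over. As written, retention is covered only by the closing "contact us" sentence, which leaves compliance readers without a default to plan against.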
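Review bot: In apps/docs/content/docs/core/enterprise/custom-roles.mdx, under "### Users", the line "**Update** — Edit user details and role assignments" does not say whether a holder of this permission can assign roles that carry more permissions than their own, or change Owner and Admin assignments. That boundary decides whether Users Update is effectively an administrative permission, so it needs a sentence here and a mention under "Best Practices" next to the least-privilege bullet. Similarly, "### API / CLI" describes Read as "View and use API keys and CLI" without stating whether an API key is limited to the permissions of the role that created it. On consistency: Projects lists only Create and Delete while every other category has Read, and Services and Environments list Create before Read while the remaining categories start with Read; either align them or note that the difference is intentional.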
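Review bot: In apps/docs/content/docs/core/enterprise/index.mdx, the frontmatter shown in the hunk header still reads "description: Enterprise features for SSO, whitelabeling, and audit logs" and is not touched by either hunk, so the page description omits Custom Roles even though the feature list and the closing "We'll help you configure" sentence now include it. Suggest updating the description in the same change. The new Audit Logs bullet also says "Track every action performed by members", which inherits the same absolute wording as audit-logs.mdx; keep the two in step if that page is softened.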