Users
When you sign up for a HashiCorp Cloud Platform (HCP) account for the first time, the HCP Portal takes you to the create organization page to set up your organization. You can invite additional users to the organization so that they can access the resources.
This page describes how to add users to your HashiCorp Cloud Platform (HCP) account and manage their access to resources.
Invite users
Use the following procedure to invite users into your organization by email. The organization admin role is required to invite and manage users.
Note
If Single Sign-On is enabled, manage the users through the configured identity providers instead. The option to manually invite users as described in this section will not be available.
- Log into HCP Portal and choose your organization.
- Click Access Control (IAM) in the sidebar and click +Invite user.
- Enter their email address and click Add. You can repeat this step to continue adding users.
- Choose a role from the Assign role drop-down menu and click Invite. Refer to the User Permissions for information about the roles you can assign.
Manage users
You can remove user access or change roles from the Users screen. You must have admin permissions to invite and manage users.
- Log into HCP Portal and choose your organization.
- Click Access Control (IAM) in the sidebar.
- Click on a user name.
- You can perform the following actions:
- Click Remove to delete the user from your organization.
- Choose a new role from the Role drop-down menu.
- Click Save.
User permissions
HCP uses a role-based access control (RBAC) system to let members of your organization and its projects perform actions in HCP and interact with resources. Some HCP applications allow you to assign roles for specific resources, such as an HCP Packer bucket. Refer to the specific HCP application documentation for more information.
Inheritance
Users inherit role permissions according to the following hierarchy:
- Role assigned in the organization.
- Role assigned in the project.
- Role assigned for the resource.
For example, a user assigned the viewer role in an organization also has viewer role permissions for projects within the organization. Moreover, a user assigned the contributor role in a project also has contributor role permissions for resources within the project.
Precedence
Role permissions assigned for specific HCP entities take precedence over inherited roles according to the following order:
- A role assigned for a resource takes precedence over a role inherited from a project.
- A role assigned for a project takes precedence over the role assigned for an organization.
For example, a user assigned the viewer role in an organization and a contributor role in a specific project has viewer role permissions across the organization but contributor role permissions to the project. Moreover, a user assigned the viewer role for the project or organization and assigned the contributor role for a specific resource within the project has viewer role permissions across the project and contributor role permissions for the specific resource.
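The inheritance and precedence rules above amount to a small resolution algorithm: a role assigned directly at the requested scope wins, otherwise the role is inherited from the enclosing scope. The following Python module is an added example that encodes those rules as written on this page; it is not HCP's own implementation, and the project and resource identifiers it uses are constructed sample values.

```python
"""Effective-role resolution following the HCP inheritance and precedence
rules: resource assignment > project assignment > organization assignment,
with inheritance from the enclosing scope when no direct assignment exists.
Added example, not HCP's own code."""
from dataclasses import dataclass, field
from typing import Optional

# Scope names, widest to narrowest.
ORG, PROJECT, RESOURCE = "organization", "project", "resource"


@dataclass
class Assignments:
    """Direct role assignments for one user.

    org_role is None for a user who is a member of the organization with no
    role assigned (the "No role" column in the organization table).
    Project assignments are keyed by a project id; resource assignments by
    (project id, resource id). All ids here are constructed sample values.
    """
    org_role: Optional[str] = None
    project_roles: dict[str, str] = field(default_factory=dict)
    resource_roles: dict[tuple[str, str], str] = field(default_factory=dict)


def effective_role(a: Assignments, project: Optional[str] = None,
                   resource: Optional[str] = None) -> tuple[Optional[str], str]:
    """Return (role, scope the role came from) for the requested scope.

    Precedence is decided by scope, not by how powerful the role is: a role
    assigned directly at a narrower scope always takes precedence over one
    inherited from a wider scope, exactly as the precedence list states.
    """
    if resource is not None:
        if project is None:
            raise ValueError("a resource is always addressed within a project")
        direct = a.resource_roles.get((project, resource))
        if direct is not None:
            return direct, RESOURCE
        # No resource-level assignment: fall through and inherit from project.
    if project is not None:
        direct = a.project_roles.get(project)
        if direct is not None:
            return direct, PROJECT
        # No project-level assignment: fall through and inherit from org.
    return a.org_role, ORG


def explain(a: Assignments, project: Optional[str] = None,
            resource: Optional[str] = None) -> str:
    """Human-readable statement of where a user's effective role comes from."""
    role, origin = effective_role(a, project, resource)
    target = resource or project or "the organization"
    if role is None:
        return f"no role at {target} (member with no role assigned)"
    how = "assigned directly" if origin == (RESOURCE if resource else
                                            PROJECT if project else ORG) \
        else f"inherited from {origin}"
    return f"{role} at {target} ({how})"


if __name__ == "__main__":
    # The two worked examples from the Precedence section above.
    u1 = Assignments(org_role="viewer", project_roles={"proj-a": "contributor"})
    print(explain(u1, project="proj-a"))      # contributor (assigned directly)
    print(explain(u1, project="proj-b"))      # viewer (inherited from organization)

    u2 = Assignments(org_role="viewer",
                     resource_roles={("proj-a", "bucket-1"): "contributor"})
    print(explain(u2, project="proj-a", resource="bucket-1"))  # contributor
    print(explain(u2, project="proj-a", resource="bucket-2"))  # viewer, inherited
```

Running the module prints the resolution for the two examples in the text; `effective_role` also returns `(None, "organization")` for a member with no role assigned, which is the state the Note under the organization table describes.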
Organization
The following tables describe role permissions scoped to the organization level.
HCP Organization Permissions | No role | Browser | Viewer | Contributor | Admin | Owner |
---|---|---|---|---|---|---|
Add and delete users | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
Manage user permissions | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
View users and groups | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Manage service principals | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
Manage groups | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
View current billing status | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
Create projects | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
View projects | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
View project resources | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
Request Organization deletion | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
Note
A user can be a member of an organization with no roles assigned directly to them, via the SSO default role settings or the IAM settings. To preserve least privilege, such a user has a limited experience within the platform until an Admin assigns an organization- or project-scoped role to the user.
Project
The following tables describe role permissions scoped to the project level.
HCP Project Permissions | Browser | Viewer | Contributor | Admin | App Manager | App Secrets Reader |
---|---|---|---|---|---|---|
View project | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
View project resources | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
Edit project permissions | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
Delete project | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
Create and delete project resources | ❌ | ❌ | ✅ | ✅ | ✅ (Vault Secrets resources) | ❌ |
Manage project service principals | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
Manage group role for project | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ |
App Manager & App Secrets Reader roles
You can assign the App Manager and App Secrets Reader roles to users, service principals, and groups at the project level using the IAM tab in the UI.
Refer to the HCP Vault Secrets documentation for more details.
Assign a project role
To narrow the scope of a user's permissions, you can set a role at the project level. To add a user to a project, you must first invite the user to the organization.
- Select the target project.
- Click Access Control (IAM) in the sidebar.
- Select the username.
- From the Role drop-down menu, choose a project-level role to assign to the user. Refer to the project role tables for information about the roles you can assign.