Organization permissions
Organization-level permissions apply to all projects, Stacks, and workspaces within an organization.
Background
If you are in an HCP Terraform organization, you can manage user access and permissions through teams. Refer to the following topics for information about setting permissions in HCP Terraform:
- Set permissions
- Project permissions reference
- Workspace permissions reference
- Effective permissions provides information about competing permissions.
Note
In HashiCorp Cloud Platform (HCP) Europe organizations, you manage user access through HCP groups. HCP roles automatically grant permissions in HCP Terraform, and you can add additional fine-grained roles within HCP Terraform itself. To learn more about HCP roles, refer to HCP group roles. To learn more about HCP Europe, refer to Use HCP Terraform in Europe.
All organization permissions
The following table summarizes the available organization-level permission categories. Click on a specific permission to learn more about what that permission grants.
Permission category | Description |
---|---|
Project permissions | Control access to projects across the organization. |
Workspace permissions | Control access to workspaces across the organization. |
Team permissions | Control team management capabilities for the organization. If you are using an HCP Europe organization, refer to Group permissions instead. |
Settings permissions | Control access to governance and infrastructure tools. |
Private registry permissions | Control access to the organization's private registry. |
Public registry permissions | Control access to the public registry. |
Project permissions
The following table summarizes the available organization-level permissions for projects. Click on a specific permission name to learn more about that permission level.
Permission name | Description |
---|---|
None | No access to projects, and access must be granted individually. |
View all projects | Can view all project names in the organization. |
Manage all projects | Can create, edit, and delete projects, and manage team access to all projects. |
Note
In HCP Europe organizations, you cannot assign Project permissions to a group in HCP Terraform. Instead, assign an HCP role that grants Project permissions to a group, then HCP Terraform automatically inherits those permissions. To learn more about which HCP roles grant which permissions, refer to HCP group roles.
None
Members do not have access to projects, workspaces, or Stacks. You can grant permissions to individual projects, workspaces, or Stacks through Project Permissions or Workspace Permissions.
View all projects
Members can view all projects within the organization. This lets users:
- View project names in a given organization.
Manage all projects
Members can create and manage all projects, workspaces, and Stacks within the organization. In addition to the permissions granted by the Manage all workspaces permission, this lets users perform the following actions:
- Manage other teams' access to all projects.
- Create, edit, and delete projects that are otherwise only available to organization owners.
- Create, read, update, and delete Stacks.
- Initiate, cancel, or apply runs for Stacks.
- Move workspaces and Stacks between projects.
Workspace permissions
The following table summarizes the available organization-level permissions for workspaces. Click on a specific permission name to learn more about that permission level.
Permission name | Description |
---|---|
None | No access to workspaces, and access must be granted individually. |
View all workspaces | Can view information about all workspaces. |
Manage all workspaces | Admin permissions on all workspaces and can create workspaces. |
None
Members do not have access to projects or workspaces. You can grant permissions to individual projects or workspaces through Project Permissions or Workspace Permissions.
View all workspaces
Members can view all workspaces within the organization. This lets users view information and features relevant to each workspace, such as runs, state versions, and variables.
Manage all workspaces
Members can create and manage all workspaces within the organization. This lets users perform the following actions:
- Any action that requires admin permissions in those workspaces.
- Create new workspaces within the organization's Default Project, which is an action that is otherwise only available to organization owners.
- Create, update, and delete variable sets.
Group permissions
In HashiCorp Cloud Platform (HCP) Europe organizations, you manage user access through HCP groups, and use group permissions instead of team permissions. To learn more, refer to Use HCP Terraform in Europe.
You cannot manually assign Group permissions to a group in HCP Terraform. Instead, you must assign an HCP role to that group which grants Group permissions, then HCP Terraform automatically inherits those permissions. To learn more about which HCP roles grant group permissions, refer to HCP group roles.
Team permissions
Note
Team permissions are not available in HCP Europe organizations. To learn more, refer to Group permissions.
Team permissions are available in standard HCP Terraform organizations.
Permission name | Description |
---|---|
Manage membership | Invite, remove, and add users to the team |
Manage teams | Create, update, delete teams and generate tokens |
Manage organization access | Update team organization access settings |
Include secret teams | Access and modify secret teams |
Allow member token management | Control team token management for team members |
You can enable the following team management permissions in HCP Terraform:
- Manage membership
- Manage teams
- Manage organization access
Each permission level grants users the ability to perform specific actions, and each level progressively requires the previous permissions as prerequisites.
For example, you must have the Manage teams permission to grant another user the Manage teams permission, and that user must already have Manage membership permissions. To grant a user Manage organization access, a user must already have Manage membership and Manage teams permissions.
Manage membership
Allows members to invite users to the organization, remove users from the organization, and add or remove users from teams within the organization.
This permission grants the ability to view the list of users within the organization, and to view the organization access of other visible teams. It does not permit the creation of teams, the ability to modify the settings of existing teams, or the ability to view secret teams.
To modify the membership of a team, the user must be a member of a team with the Manage membership permission enabled, and the target team's Visible setting must be enabled; if the target team's Visible setting is disabled, the user can still modify its membership if they are already a member of that team. To remove a user from the organization, the holder of this permission must have visibility into all of the teams that the user is a member of.
Assign with caution
Owners of large organizations can use this permission to delegate membership management to another trusted team and should only grant this permission to teams of trusted users. Users with this permission are able to add themselves to any visible team and inherit the permissions of any visible team.
Manage teams
Allows members to create, update, and delete teams. It also lets members generate and revoke tokens.
This permission grants the ability to update a team's names, SSO IDs, and token management permissions, but does not allow access to organization settings. On its own, this permission does not allow users to create, update, delete, or otherwise access secret teams.
The manage teams permission confers all permissions granted by the manage membership permission.
This permission allows owners of large organizations to delegate team management to another trusted team. You should only grant it to teams of trusted users.
Assign with caution
Users with this permission can update or delete any visible team. Because this permission also confers the manage membership permission, a user with the manage teams permission can add themselves to any visible team.
Manage organization access
Allows members to update a team's organization access settings.
On its own, this permission does not allow users to create, update, delete, or otherwise access secret teams. This permission confers all of the permissions granted by the manage teams and manage membership permissions.
This permission allows owners of large organizations to delegate team management to another trusted team. You should only grant it to teams of trusted users.
Assign with caution
Members with this permission can update all organization access settings for any team visible to them.
Include secret teams
Allows members access to secret teams at the level permitted by that user's team permissions setting.
This permission modifies existing team management permissions. Members with this permission can access secret teams up to the level permitted by other team management permissions. For example, if a user has permission to include secret teams and manage teams, that user can create secret teams.
Allow member token management
Allows owners and members with manage teams permissions to enable and disable team token management for team members. This permission defaults to true.
When member token management is enabled, members will be able to perform actions on team tokens, including generating and revoking a team token.
When member token management is disabled, members will be unable to perform actions on team tokens, including generating and revoking a team token.
Settings permissions
The following permissions control access to governance and infrastructure tools.
Permission name | Description |
---|---|
Manage policies | Create, edit, read, list and delete Sentinel policies |
Manage policy overrides | Override soft-mandatory policy checks |
Manage run tasks | Create, edit, and delete run tasks |
Manage version control settings | Manage VCS providers and SSH keys |
Manage agent pools | Create, edit, and delete agent pools |
Manage policies
Allows members to create, edit, read, list and delete the organization's Sentinel policies.
This permission implicitly gives permission to read runs on all workspaces, which is necessary to set enforcement of policy sets.
Manage run tasks
Allows members to create, edit, and delete run tasks on the organization.
Manage policy overrides
Allows members to override soft-mandatory policy checks.
This permission implicitly gives permission to read runs on all workspaces, which is necessary to override policy checks.
Manage version control settings
Allows members to manage the set of VCS providers and SSH keys available within the organization.
Manage agent pools
Allows members to create, edit, and delete agent pools within their organization.
This permission implicitly grants access to read all workspaces and projects, which is necessary for agent pool management.
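The implication and prerequisite rules described in the Team permissions and Settings permissions sections, modelled as an added example (this is not HashiCorp's code, and the snake_case setting names are constructed labels rather than an official API): it expands what a team is granted into its effective permission set and flags the settings this page marks "Assign with caution".

```python
from typing import Dict, FrozenSet, Set

# Implications stated on this page:
#  - Manage teams confers Manage membership.
#  - Manage organization access confers Manage teams and Manage membership.
#  - Manage policies / Manage policy overrides implicitly read runs on all workspaces.
#  - Manage agent pools implicitly reads all workspaces and projects.
IMPLIES: Dict[str, Set[str]] = {
    "manage_teams": {"manage_membership"},
    "manage_organization_access": {"manage_teams", "manage_membership"},
    "manage_policies": {"read_runs_all_workspaces"},
    "manage_policy_overrides": {"read_runs_all_workspaces"},
    "manage_agent_pools": {"view_all_workspaces", "view_all_projects"},
}

# Settings the page marks "Assign with caution": holders can add themselves to
# any visible team or change any visible team's organization access.
CAUTION = {"manage_membership", "manage_teams", "manage_organization_access"}


def effective_permissions(granted: Set[str]) -> FrozenSet[str]:
    """Close the granted set under IMPLIES (transitively), as the page describes."""
    result = set(granted)
    changed = True
    while changed:
        changed = False
        for perm in list(result):
            for implied in IMPLIES.get(perm, set()):
                if implied not in result:
                    result.add(implied)
                    changed = True
    # Include secret teams only modifies other team permissions; on its own it
    # grants nothing, so it is dropped when no team management setting is held.
    if "include_secret_teams" in result and not (result & CAUTION):
        result.discard("include_secret_teams")
    return frozenset(result)


def audit_team(name: str, granted: Set[str]) -> dict:
    """Effective set plus the caution-level settings a reviewer should justify."""
    eff = effective_permissions(granted)
    return {
        "team": name,
        "effective": sorted(eff),
        "caution": sorted(eff & CAUTION),
        # Page example: Include secret teams plus Manage teams lets a user create secret teams.
        "can_create_secret_teams": {"include_secret_teams", "manage_teams"} <= eff,
    }
```

Running `audit_team` over each team's settings gives a quick least-privilege review: any non-empty `caution` list is a grant the page says to hand only to trusted users.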
Private registry permissions
The following permissions control access to the organization's private registry.
Permission name | Description |
---|---|
Manage modules | Publish and delete modules in private registry |
Manage providers | Publish and delete providers in private registry |
Manage private modules
Allows members to publish and delete modules in the organization's private registry.
Manage private providers
Allows members to publish and delete providers in the organization's private registry.
Public registry permissions
The following permissions control access to providers and modules using an organization's claimed namespaces in the public registry.
Permission name | Description |
---|---|
Manage public modules | Publish and delete modules for the organization in the public registry |
Manage public providers | Publish and delete providers for the organization in the public registry |
Manage public modules
Allows members to publish and delete modules for the organization in the public registry.
Manage public providers
Allows members to publish and delete providers for the organization in the public registry.
Organization owners
Note
If you are using an HCP Europe organization, there is no organization owners team because you manage users with HCP groups. To learn more, refer to HCP group roles.
Every organization has an Owners team whose members have the maximum available permissions within the organization. This includes all organization-level permissions and the highest level of permissions on every workspace and Stack.
There are also some actions within an organization that are only available to owners. These are generally actions that affect the permissions and membership of other teams, or are otherwise fundamental to the organization's security and integrity.
The organization owners team has the following permissions:
Permission | Description |
---|---|
Manage all projects | Admin permissions on every project. |
Manage all workspaces | Admin permissions on every workspace. |
Manage membership | Invite/remove users and manage team membership. |
Manage teams | Create, update, delete teams and generate tokens. |
Manage organization access | Update team organization access settings. |
Include secret teams | View and manage all secret teams. |
Allow member token management | Control team token management for members. |
Manage policies | Create, edit, delete Sentinel policies. |
Manage policy overrides | Override soft-mandatory policy checks. |
Manage run tasks | Create, edit, delete run tasks. |
Manage version control settings | Manage VCS providers and SSH keys. |
Manage agent pools | Create, edit, delete agent pools. |
Manage modules | Publish and delete modules in private registry. |
Manage providers | Publish and delete providers in private registry. |
Manage public modules | Publish and delete modules in public registry. Only available in HCP Terraform. |
Manage public providers | Publish and delete providers in public registry. Only available in HCP Terraform. |
Manage all organization settings | Control organization-wide settings. Only available for the owners team. |
Manage organization billing | Control billing and subscriptions. Only available for the owners team, and only available in HCP Terraform. |
Delete organization | Permanently delete the organization. Only available for the owners team. |
HCP group roles
In an HCP Europe organization, you manage user access through groups. To learn how to set up groups and assign users to them in HCP, refer to Groups. To learn more about HCP Terraform in Europe, refer to Use HCP Terraform in Europe.
You can assign permissions to HCP groups in two ways:
- HCP roles - You can assign HCP roles to groups in the HashiCorp Cloud Platform (HCP), and these roles automatically grant permissions in HCP Terraform.
- [HCP Terraform roles](/terraform/cloud-docs/users-teams-organizations/permissions/set-permissions#set-organization-level-permissions) - Assign additional permissions at the organization, project, and workspace level to further refine group access in HCP Terraform.
Each permission a user is granted is additive. HCP Terraform grants a user the highest permissions possible, regardless of whether that permission was set by an HCP or HCP Terraform role.
The following table lists which organization-level permissions each HCP role automatically grants in HCP Terraform:
HCP Terraform organization permission | Admin | Contributor | Viewer |
---|---|---|---|
Owner-level permissions | ✅ | ❌ | ❌ |
View all projects | ✅ | ✅ | ✅ |
Manage all projects | ✅ | ✅ | ❌ |
View all workspaces | ✅ | ✅ | ✅ |
Manage all workspaces | ✅ | ✅ | ❌ |
Manage organization access | ✅ | ❌ | ❌ |
Include secret groups | ✅ | ❌ | ❌ |
Manage policies | ✅ | ❌ | ❌ |
Manage policy overrides | ✅ | ❌ | ❌ |
Manage run tasks | ✅ | ❌ | ❌ |
Manage version control settings | ✅ | ❌ | ❌ |
Manage agent pools | ✅ | ❌ | ❌ |
Manage private registry modules | ✅ | ❌ | ❌ |
Manage private registry providers | ✅ | ❌ | ❌ |
Manage public registry modules | ✅ | ❌ | ❌ |
Manage public registry providers | ✅ | ❌ | ❌ |
Members can manage API tokens | ✅ | ✅ | ❌ |
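The additive rule above, as an added example that is not HashiCorp's code: the HCP role table is transcribed into a mapping, and extra HCP Terraform grants are joined with it so that the highest level always wins. The dict shape and the snake_case names are assumptions; the point it shows is that no grant, from either side, can lower the result.

```python
from typing import Dict, Iterable, Set

# Access levels for projects and workspaces, lowest to highest.
LEVELS = ["none", "view_all", "manage_all"]

# Organization permissions each HCP role grants in HCP Terraform, transcribed
# from the table above (snake_case names are constructed labels).
ADMIN_FLAGS: Set[str] = {
    "owner_level", "manage_organization_access", "include_secret_groups",
    "manage_policies", "manage_policy_overrides", "manage_run_tasks",
    "manage_version_control_settings", "manage_agent_pools",
    "manage_private_registry_modules", "manage_private_registry_providers",
    "manage_public_registry_modules", "manage_public_registry_providers",
    "members_can_manage_api_tokens",
}
HCP_ROLES: Dict[str, dict] = {
    "viewer": {"projects": "view_all", "workspaces": "view_all", "flags": set()},
    "contributor": {"projects": "manage_all", "workspaces": "manage_all",
                    "flags": {"members_can_manage_api_tokens"}},
    "admin": {"projects": "manage_all", "workspaces": "manage_all", "flags": ADMIN_FLAGS},
}


def highest(a: str, b: str) -> str:
    """Join of two access levels: the one with more access wins."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def effective_access(hcp_roles: Iterable[str], tf_grants: Iterable[dict]) -> dict:
    """Additive union of every grant; nothing here can ever lower a level.

    tf_grants are extra HCP Terraform role grants in the same shape as the
    HCP_ROLES entries, e.g. {"projects": "view_all", "flags": {"manage_policies"}}.
    """
    result = {"projects": "none", "workspaces": "none", "flags": set()}
    for grant in [HCP_ROLES[r] for r in hcp_roles] + list(tf_grants):
        for scope in ("projects", "workspaces"):
            result[scope] = highest(result[scope], grant.get(scope, "none"))
        result["flags"] = result["flags"] | set(grant.get("flags", ()))
    return result
```

A Viewer-role group member who also receives a Manage policies grant inside HCP Terraform therefore ends up with both, so restricting someone means removing grants on every side, not adding a lower role.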