Organization permissions
Organization-level permissions apply to all projects, Stacks, and workspaces within an organization.
Background
If you are in an HCP Terraform organization, you can manage user access and permissions through teams. Refer to the following topics for information about setting permissions in HCP Terraform:
- Set permissions
- Project permissions reference
- Workspace permissions reference
- Effective permissions provides information about competing permissions.
All organization permissions
The following table summarizes the available organization-level permission categories. Click on a specific permission to learn more about what that permission grants.
| Permission category | Description |
|---|---|
| Project permissions | Control access to projects across the organization. |
| Workspace permissions | Control access to workspaces across the organization. |
| Team permissions | Control team management capabilities for the organization. |
| Settings permissions | Control access to governance and infrastructure tools. |
| Private registry permissions | Control access to the organization's private registry. |
| Public registry permissions | Control access to the public registry. |
| Policy overrides | Control teams' ability to override failed policy checks for policies with an enforcement level set to Soft mandatory. |
Project permissions
The following table summarizes the available organization-level permissions for projects. Click on a specific permission name to learn more about that permission level.
| Permission name | Description |
|---|---|
| None | No access to projects, and access must be granted individually. |
| View all projects | Can view all project names in the organization. |
| Manage all projects | Can create, edit, and delete projects, and manage team access to all projects. |
None
Members do not have access to projects, workspaces, or Stacks. You can grant permissions to individual projects, workspaces, or Stacks through Project Permissions or Workspace Permissions.
View all projects
Members can view all projects within the organization. This lets users:
- View project names in a given organization.
Manage all projects
Members can create and manage all projects and workspaces or Stacks within the organization. In addition to the permissions granted when enabling the Manage all workspaces permission, this also lets users perform the following actions:
- Manage other teams' access to all projects.
- Create, edit, and delete projects that are otherwise only available to organization owners.
- Create, read, update, and delete Stacks.
- Initiate, cancel, or apply runs for Stacks.
- Move workspaces and Stacks between projects.
Workspace permissions
The following table summarizes the available organization-level permissions for workspaces. Click on a specific permission name to learn more about that permission level.
| Permission name | Description |
|---|---|
| None | No access to workspaces, and access must be granted individually. |
| View all workspaces | Can view information about all workspaces. |
| Manage all workspaces | Admin permissions on all workspaces and can create workspaces. |
None
Members do not have access to projects or workspaces. You can grant permissions to individual projects or workspaces through Project Permissions or Workspace Permissions.
View all workspaces
Members can view all workspaces within the organization. This lets users view information and features relevant to each workspace, such as runs, state versions, and variables.
Manage all workspaces
Members can create and manage all workspaces within the organization. This lets users perform the following actions:
- Any action that requires admin permissions in those workspaces.
- Create new workspaces within the organization's Default Project, which is an action that is otherwise only available to organization owners.
- Create, update, and delete variable sets.
Team permissions
Team permissions are available in standard HCP Terraform organizations.
| Permission name | Description |
|---|---|
| Manage membership | Invite, remove, and add users to the team |
| Manage teams | Create, update, delete teams and generate tokens |
| Manage organization access | Update team organization access settings |
| Include secret teams | Access and modify secret teams |
| Allow member token management | Control team token management for team members |
You can enable the following team management permissions in HCP Terraform:
- Manage membership
- Manage teams
- Manage organization access
Each permission level grants users the ability to perform specific actions and each progressively requires prerequisite permissions.
For example, you must have the Manage teams permission to grant another user the Manage teams permission, and that user must already have Manage membership permissions. To grant a user Manage organization access, a user must already have Manage membership and Manage teams permissions.
Manage membership
Allows members to invite users to the organization, remove users from the organization, and add or remove users from teams within the organization.
This permission grants the ability to view the list of users within the organization, and to view the organization access of other visible teams. It does not permit the creation of teams, the ability to modify the settings of existing teams, or the ability to view secret teams.
To modify the membership of a team, the user must be a member of a team with the Manage membership permission enabled, and the Visible setting must be enabled for the target team. If the target team's Visible setting is disabled, the user can still modify its membership if they are themselves a member of that team. To remove a user from the organization, the holder of this permission must have visibility into all of the teams that the user is a member of.
Manage teams
Allows members to create, update, and delete teams. It also lets members generate and revoke tokens.
This permission grants the ability to update a team's names, SSO IDs, and token management permissions, but does not allow access to organization settings. On its own, this permission does not allow users to create, update, delete, or otherwise access secret teams.
The manage teams permission confers all permissions granted by the manage membership permission.
This permission allows owners of large organizations to delegate team management to another trusted team. You should only grant it to teams of trusted users.
Manage organization access
Allows members to update a team's organization access settings.
On its own, this permission does not allow users to create, update, delete, or otherwise access secret teams. This permission confers all of the permissions granted by the manage teams and manage membership permissions.
This permission allows owners of large organizations to delegate team management to another trusted team. You should only grant it to teams of trusted users.
Include secret teams
Allows members access to secret teams at the level permitted by that user's team permissions setting.
This permission modifies existing team management permissions. Members with this permission can access secret teams up to the level permitted by other team management permissions. For example, if a user has permission to include secret teams and manage teams, that user can create secret teams.
Allow member token management
Allows owners and members with manage teams permissions to enable and disable team token management for team members. This permission defaults to true.
When member token management is enabled, members will be able to perform actions on team tokens, including generating and revoking a team token.
When member token management is disabled, members will be unable to perform actions on team tokens, including generating and revoking a team token.
Settings permissions
The following permissions control access to governance and infrastructure tools.
| Permission name | Description |
|---|---|
| Manage policies | Create, edit, read, list and delete Sentinel policies |
| Manage run tasks | Create, edit, and delete run tasks |
| Manage version control settings | Manage VCS providers and SSH keys |
| Manage agent pools | Create, edit, and delete agent pools |
Manage policies
Allows members to create, edit, read, list and delete the organization's Sentinel policies.
This permission implicitly gives permission to read runs on all workspaces, which is necessary to set enforcement of policy sets.
Manage run tasks
Allows members to create, edit, and delete run tasks on the organization.
Manage VCS settings
Allows members to manage the set of VCS providers and SSH keys available within the organization.
Manage agent pools
Allows members to create, edit, and delete agent pools within their organization.
This permission implicitly grants access to read all workspaces and projects, which is necessary for agent pool management.
Private registry permissions
The following permissions control access to the organization's private registry.
| Permission name | Description |
|---|---|
| Manage modules | Publish and delete modules in the private registry |
| Manage providers | Publish and delete providers in the private registry |
| Manage Stack component configurations | Publish and delete Stack component configurations in the private registry |
Manage private modules
Allows members to publish and delete modules in the organization's private registry.
Manage private providers
Allows members to publish and delete providers in the organization's private registry.
Manage Stack component configurations
Allows members to publish and delete Stack component configurations in the organization's private registry.
Policy overrides
Policy override settings only apply to policies that have a Soft mandatory enforcement level. Refer to Policy enforcement levels for more information.
| Permission name | Description |
|---|---|
| No policy overrides | Teams can't override failed Soft mandatory policy evaluations. |
| Delegate policy overrides | Allow project and workspace managers to grant override permissions for Soft mandatory policy evaluations. When this setting is enabled for a team, its members can override failed policy evaluations on projects and workspaces that they manage. |
| Manage policy overrides | Team members can override failed Soft mandatory policy evaluations in all workspaces. |
No policy overrides
Teams can't override failed Soft mandatory policy evaluations.
Delegate policy overrides
Allow project and workspace managers to grant override permissions for Soft mandatory policy evaluations. When this setting is enabled, team members can't override failed policies unless the project or workspace manager manually enables the Allow policy overrides setting in their project or workspace.
Refer to the projects and workspaces team permission references for more information.
Manage policy overrides
Team members can override failed Soft mandatory policy evaluations in all workspaces.
This setting also gives teams read access to all workspaces in the organization. To prevent read access, enable the Delegate policy overrides setting instead.
Refer to the projects and workspaces team permission references for more information.
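As an added example that is not part of the HashiCorp documentation, the following Python audit helper encodes the rules stated above: the Manage membership, Manage teams, and Manage organization access prerequisite chain, and the implicit read access carried by Manage policies, Manage agent pools, and Manage policy overrides. The snake_case permission names are labels chosen here, not HCP Terraform API fields, and the rule that the granter must hold the permission being granted is stated on this page for Manage teams and assumed for the rest of the chain.

```python
"""Audit organization-level team permissions for implicit grants and prerequisites.

Hypothetical helper derived from the rules on this page; permission names are
labels chosen for this example, not HCP Terraform / Terraform Enterprise API fields.
"""
from __future__ import annotations

# What each permission implicitly carries, per the page text.
IMPLIED: dict[str, set[str]] = {
    "manage_organization_access": {"manage_teams"},
    "manage_teams": {"manage_membership"},
    "manage_all_projects": {"manage_all_workspaces"},
    "manage_all_workspaces": {"read_all_workspaces"},   # admin on every workspace includes read
    "manage_policies": {"read_runs_all_workspaces"},    # needed to set policy-set enforcement
    "manage_agent_pools": {"read_all_workspaces", "read_all_projects"},
    "manage_policy_overrides": {"read_all_workspaces"},  # the read grant the page warns about
}

# Permissions a grantee must already hold before it can be given a new one.
PREREQUISITES: dict[str, set[str]] = {
    "manage_teams": {"manage_membership"},
    "manage_organization_access": {"manage_membership", "manage_teams"},
}

READ_GRANTS = {"read_all_workspaces", "read_all_projects", "read_runs_all_workspaces"}


def effective_permissions(granted: set[str]) -> set[str]:
    """Transitive closure of the explicit grants over IMPLIED."""
    effective = set(granted)
    pending = list(granted)
    while pending:
        for implied in IMPLIED.get(pending.pop(), ()):
            if implied not in effective:
                effective.add(implied)
                pending.append(implied)
    return effective


def implicit_read_access(granted: set[str]) -> set[str]:
    """Read access a team ends up with although nobody explicitly granted it."""
    return (effective_permissions(granted) & READ_GRANTS) - granted


def can_grant(granter: set[str], grantee: set[str], permission: str) -> bool:
    """Granter must hold the permission (stated for Manage teams, assumed for the rest
    of the chain) and the grantee must already hold that permission's prerequisites."""
    if permission not in effective_permissions(granter):
        return False
    return PREREQUISITES.get(permission, set()) <= effective_permissions(grantee)
```

Running `implicit_read_access` over each team's organization access settings is a quick way to spot teams that gained read access to every workspace through Manage policy overrides or Manage agent pools rather than through an explicit View all workspaces grant.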
Organization owners
Every organization has an Owners team whose members have the maximum available permissions within the organization. This includes all organization-level permissions and the highest level of permissions on every workspace and Stack.
There are also some actions within an organization that are only available to owners. These are generally actions that affect the permissions and membership of other teams, or are otherwise fundamental to the organization's security and integrity.
The organization owners team has the following permissions:
| Permission | Description |
|---|---|
| Manage all projects | Admin permissions on every project. |
| Manage all workspaces | Admin permissions on every workspace. |
| Manage membership | Invite/remove users and manage team membership. |
| Manage teams | Create, update, delete teams and generate tokens. |
| Manage organization access | Update team organization access settings. |
| Include secret teams | View and manage all secret teams. |
| Allow member token management | Control team token management for members. |
| Manage policies | Create, edit, delete Sentinel policies. |
| Manage policy overrides | Override soft-mandatory policy checks. |
| Manage run tasks | Create, edit, delete run tasks. |
| Manage version control settings | Manage VCS providers and SSH keys. |
| Manage agent pools | Create, edit, delete agent pools. |
| Manage IP allowlists | Create, edit, delete IP allowlists. |
| Manage modules | Publish and delete modules in private registry. |
| Manage providers | Publish and delete providers in private registry. |
| Manage public modules | Publish and delete modules in public registry. Only available in HCP Terraform. |
| Manage public providers | Publish and delete providers in public registry. Only available in HCP Terraform. |
| Manage all organization settings | Control organization-wide settings. Only available for the owners team. |
| Manage organization billing | Control billing and subscriptions. Only available for the owners team, and only available in HCP Terraform. |
| Delete organization | Permanently delete the organization. Only available for the owners team. |