docs/documentation/getting-started/concepts/platform-hierarchy.mdx
Infisical is structured around organizations and projects, allowing teams to manage multiple products, access scopes, and use cases within a single account while keeping boundaries and responsibilities clearly defined.
An organization typically represents a company or high-level entity (e.g. Acme Corp). It acts as the umbrella for all projects, members, and billing settings.
Users are invited to an organization and assigned organization-level roles that determine what they can manage—such as members, machine identities, and billing details.
A project belongs to an organization and defines a specific scope of work. Each project has a product type such as Secrets Management, PAM, or PKI that determines what features are available in that project.
For example:
A Secrets Management project manages application secrets across environments.
A PAM project enables access management for infrastructure.
A PKI project manages certificate authorities and X.509 certificate workflows.
Users are added to a project and assigned project-level roles that determine what they can manage—such as secrets, access policies, or certificate authorities. A user can have different roles across projects, allowing for flexible and fine-grained access control that reflects how teams operate in practice.
Projects are isolated in terms of configuration, permissions, and product workflows.
Access is managed independently at both the organization and project level.
All projects within an organization share the same billing and user directory.
Teams can adopt Infisical incrementally—starting with one product and expanding as needed.