docs/documentation/platform/access-controls/additional-privileges.mdx
Infisical's role-based access controls let you define predefined permission sets for users and machine identities. However, there are cases where a specific user or machine identity needs access beyond what their assigned roles provide — without creating an entirely new role.
Additional Privileges let you grant scoped, fine-grained permissions to individual users or machine identities within a project. Use them when you need to:
Additional privileges can be configured through the Infisical Dashboard or the API. The steps below apply to both users and machine identities.
<Tabs>
<Tab title="Infisical UI">
<Steps>
<Step title="Select the user or machine identity">
Navigate to the **Access Controls** page of your project and click on the user or machine identity you want to grant additional privileges to.
</Step>
<Step title="Add additional privileges">
In the member detail view, click the **Add Additional Privileges** button. This opens a configuration panel for the new privilege.

</Step>
<Step title="Add policies">
Click the **Add Policies** button to open the policy selector dropdown.

</Step>
<Step title="Select the policies to apply">
Choose the policies you want to include in this additional privilege from the dropdown.

</Step>
<Step title="Configure the privilege">
Fill in the privilege details and configure each policy you selected:
- **Privilege Name** — A slug-friendly identifier for the privilege.
- **Duration** — How long the privilege remains active. Defaults to **Permanent**. Set a limited duration for [temporary access](/documentation/platform/access-controls/temporary-access) grants.
- **Policies** — The specific permission policies (e.g., read/write access to certain secret paths) included in this privilege.

</Step>
<Step title="Save the privilege">
Click **Save** to apply the additional privilege. It takes effect immediately.

</Step>
<Step title="Verify the privilege">
The new additional privilege now appears on the member's detail page. You can edit or remove it at any time from here; removing it revokes the extra permissions immediately, while the member's assigned roles are unaffected.

</Step>
</Steps>
To create an additional privilege for a machine identity, make a `POST` request to the [Create Identity Privilege](/api-reference/endpoints/identity-specific-privilege/v2/create) endpoint. The bearer token must belong to a user or machine identity that is itself allowed to manage privileges in the project; the privilege is granted to the identity named in `identityId`, not to the caller. In the example below the `conditions` block is what scopes the grant to the `production` environment: leave it out only if you genuinely intend the actions to apply across every environment and path in the project.
```bash
curl --request POST \
  --url https://us.infisical.com/api/v2/identity-project-additional-privilege \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "identityId": "<identity-id>",
    "projectId": "<project-id>",
    "slug": "read-secrets-prod",
    "permissions": [
      {
        "subject": "secrets",
        "action": ["read", "readValue"],
        "conditions": {
          "environment": {
            "$eq": "production"
          }
        }
      }
    ]
  }'
```
### Sample Response
```json
{
  "privilege": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "slug": "read-secrets-prod",
    "isTemporary": false,
    "temporaryMode": null,
    "temporaryRange": null,
    "temporaryAccessStartTime": null,
    "temporaryAccessEndTime": null,
    "permissions": [
      {
        "subject": "secrets",
        "action": ["read", "readValue"],
        "conditions": {
          "environment": {
            "$eq": "production"
          }
        }
      }
    ],
    "createdAt": "2024-09-01T12:00:00.000Z",
    "updatedAt": "2024-09-01T12:00:00.000Z"
  }
}
```
For the full list of request parameters, supported subjects, actions, and condition operators, see the [API reference](/api-reference/endpoints/identity-specific-privilege/v2/create).
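As an added example (not Infisical's SDK and not code from this page), the following Python script builds the same request body as the `curl` call above, lint-checks it for the least-privilege mistakes a reviewer would reject before it is sent, and evaluates privilege objects shaped like the sample response to answer the two questions an auditor asks about a grant: is it in force right now, and what does it allow? The `secretPath` condition, the `type` object used for temporary grants (mirrored from the `isTemporary`/`temporaryMode`/`temporaryRange`/`temporaryAccessStartTime` fields of the response), the `rotate-prod-1h` sample grant and the `<identity-id>`/`<project-id>` placeholders are assumptions of this example, not values taken from the page; confirm the request fields against the API reference before relying on them.

```python
"""Build, lint and audit Infisical additional-privilege grants (added example)."""
import json
import re
from datetime import datetime, timezone
from urllib import request

SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")  # slug-friendly identifier
WRITE_ACTIONS = {"create", "edit", "delete"}

def build_privilege(identity_id, project_id, slug, environment, secret_path="/",
                    actions=("read", "readValue"), ttl=None, start=None):
    """Request body for POST /api/v2/identity-project-additional-privilege.

    ASSUMPTION: the `secretPath` condition and the `type` object (mirrored from the
    response's isTemporary/temporaryMode/temporaryRange/temporaryAccessStartTime
    fields) are not shown on the page; check them against the API reference.
    """
    body = {
        "identityId": identity_id,
        "projectId": project_id,
        "slug": slug,
        "permissions": [{
            "subject": "secrets",
            "action": list(actions),
            "conditions": {
                "environment": {"$eq": environment},
                "secretPath": {"$eq": secret_path},
            },
        }],
        "type": {"isTemporary": False},
    }
    if ttl is not None:  # e.g. "1h": relative window that opens at `start`
        start = start or datetime.now(timezone.utc)
        body["type"] = {
            "isTemporary": True,
            "temporaryMode": "relative",
            "temporaryRange": ttl,
            "temporaryAccessStartTime": start.isoformat().replace("+00:00", "Z"),
        }
    return body

def lint_privilege(body):
    """Least-privilege checks to run before the grant is created; [] means it passes."""
    findings = []
    if not SLUG_RE.match(body.get("slug", "")):
        findings.append("slug must be lowercase letters, digits and single hyphens")
    temporary = bool(body.get("type", {}).get("isTemporary", False))
    for perm in body.get("permissions", []):
        actions = set(perm.get("action", []))
        conds = perm.get("conditions") or {}
        label = f"{perm.get('subject')}: "
        if not actions or "*" in actions:
            findings.append(label + "action must be an explicit, non-empty list")
        if not conds.get("environment"):
            findings.append(label + "no environment condition, grant spans every environment")
        if actions & WRITE_ACTIONS and not temporary:
            findings.append(label + "write actions should be time-bounded, not permanent")
    return findings

def parse_ts(value):
    # fromisoformat accepts "Z" only from Python 3.11; normalise for older versions
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def privilege_active(privilege, now):
    """True if a privilege object from the API response is in force at `now`.
    Permanent grants are always active; temporary ones only inside [start, end)."""
    if not privilege.get("isTemporary"):
        return True
    start = parse_ts(privilege["temporaryAccessStartTime"])
    end = parse_ts(privilege["temporaryAccessEndTime"])
    return start <= now < end

def grants(privilege, environment, action):
    """True if any policy in the privilege allows `action` on secrets in `environment`."""
    for perm in privilege["permissions"]:
        if perm["subject"] != "secrets" or action not in perm["action"]:
            continue
        env = (perm.get("conditions") or {}).get("environment")
        if env is None or env.get("$eq") == environment or environment in env.get("$in", []):
            return True
    return False

def create_privilege(base_url, token, body):
    """POST the body and return the `privilege` object (needs network; not run offline)."""
    req = request.Request(
        f"{base_url}/api/v2/identity-project-additional-privilege",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["privilege"]

# Constructed sample responses: the first mirrors the page, the second is a temporary grant.
SAMPLE_PERMANENT = {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6", "slug": "read-secrets-prod",
    "isTemporary": False, "temporaryMode": None, "temporaryRange": None,
    "temporaryAccessStartTime": None, "temporaryAccessEndTime": None,
    "permissions": [{"subject": "secrets", "action": ["read", "readValue"],
                     "conditions": {"environment": {"$eq": "production"}}}],
}
SAMPLE_TEMPORARY = dict(SAMPLE_PERMANENT, slug="rotate-prod-1h", isTemporary=True,
                        temporaryMode="relative", temporaryRange="1h",
                        temporaryAccessStartTime="2024-09-01T12:00:00.000Z",
                        temporaryAccessEndTime="2024-09-01T13:00:00.000Z")

if __name__ == "__main__":
    body = build_privilege("<identity-id>", "<project-id>", "rotate-prod-1h",
                           "production", "/app", ("read", "readValue", "edit"), ttl="1h")
    print(json.dumps(body, indent=2))
    print("lint:", lint_privilege(body) or "ok")
    now = datetime(2024, 9, 1, 12, 30, tzinfo=timezone.utc)
    for p in (SAMPLE_PERMANENT, SAMPLE_TEMPORARY):
        print(p["slug"], "active:", privilege_active(p, now), "read prod:", grants(p, "production", "read"))
```

The lint step is the part worth wiring into whatever pipeline issues these grants: a privilege with no `environment` condition or a wildcard action is a project-wide grant in disguise, and a permanent grant carrying write actions is exactly the case the **Duration** setting exists to avoid. `privilege_active` and `grants` are meant for the listing side, so a periodic job can flag temporary grants that have expired but not been removed and permanent grants nobody can justify.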