docs/internals/permissions/organization-permissions.mdx
Infisical's organization permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the organization level, these permissions determine what actions users and machine identities can perform on resources across the entire organization.

Each permission consists of a subject (the kind of resource being acted on, such as `member` or `sso`) and an action (the operation permitted on that subject, such as `read` or `delete`).

Some organization-level resources, specifically `app-connections`, also support conditional permissions (a rule that applies only to resources matching a condition) and permission inversion (a rule that denies an action instead of granting it), for more granular access control.

Below is a comprehensive list of all available organization-level subjects and their supported actions, organized by functional area.
### `project` (formerly `workspace`)

| Action | Description |
|---|---|
| create | Create new projects |

### `sub-organization`

| Action | Description |
|---|---|
| create | Create new sub-organizations under the root organization |
| edit | Modify existing sub-organizations (e.g., rename, change slug) |
| delete | Remove sub-organizations from the root organization |
| direct-access | Access and switch into sub-organizations the user has membership in |
| link-group | Link a root organization group to a sub-organization (and unlink it). Root organization role only. |

### `role`

| Action | Description |
|---|---|
| read | View organization roles and their assigned permissions |
| create | Create new organization roles |
| edit | Modify existing organization roles |
| delete | Remove organization roles |

### `member`

| Action | Description |
|---|---|
| read | View organization members |
| create | Add new members to the organization |
| edit | Modify member details |
| delete | Remove members from the organization |

### `groups`

| Action | Description |
|---|---|
| read | View organization groups |
| create | Create new groups in the organization |
| edit | Modify existing groups |
| delete | Remove groups from the organization |
| grant-privileges | Change permission levels for organization groups |
| add-members | Add members to groups |
| remove-members | Remove members from groups |

### `identity`

| Action | Description |
|---|---|
| read | View organization identities |
| create | Add new identities to the organization |
| edit | Modify organization identities |
| delete | Remove identities from the organization |
| grant-privileges | Change permission levels of organization identities |
| revoke-auth | Revoke authentication for identities |
| create-token | Create new authentication tokens for identities |
| delete-token | Delete identity authentication tokens |
| get-token | Retrieve identity authentication tokens |

### `secret-scanning`

| Action | Description |
|---|---|
| read | View secret scanning results and settings |
| create | Configure secret scanning |
| edit | Modify secret scanning settings |
| delete | Remove secret scanning configuration |

### `settings`

| Action | Description |
|---|---|
| read | View organization settings |
| create | Set up and configure organization settings |
| edit | Modify organization settings |
| delete | Remove organization settings |

### `incident-contact`

| Action | Description |
|---|---|
| read | View incident contacts |
| create | Set up new incident contacts |
| edit | Modify incident contact settings |
| delete | Remove incident contacts |

### `audit-logs`

| Action | Description |
|---|---|
| read | View organization audit logs |

### `sso`

| Action | Description |
|---|---|
| read | View Single Sign-On configurations |
| create | Set up new SSO integrations |
| edit | Modify existing SSO settings |
| delete | Remove SSO configurations |
| bypass-sso-enforcement | Bypass enforced SSO at login (break-glass) when the organization has "Allow admins to bypass SSO" enabled. Can be granted to custom roles to allow non-admin users to use break-glass access. |

### `scim`

| Action | Description |
|---|---|
| read | View SCIM configurations |
| create | Set up new SCIM provisioning |
| edit | Modify existing SCIM settings |
| delete | Remove SCIM configurations |

### `ldap`

| Action | Description |
|---|---|
| read | View LDAP configurations |
| create | Set up new LDAP integrations |
| edit | Modify existing LDAP settings |
| delete | Remove LDAP configurations |

### `billing`

| Action | Description |
|---|---|
| read | View billing information and subscription status |
| manage-billing | Manage billing details and subscription plans |

### `project-templates`

| Action | Description |
|---|---|
| read | View project templates |
| create | Create new project templates |
| edit | Modify existing project templates |
| delete | Remove project templates |

### `app-connections`

Supports conditions and permission inversion.

| Action | Description |
|---|---|
| read | View app connection configurations |
| create | Create new app connections |
| edit | Modify existing app connections |
| delete | Remove app connections |
| connect | Use app connections |
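The conditional and inverted rules that `app-connections` supports are easiest to understand by watching an evaluator apply them. The TypeScript below is an added illustration, not Infisical's own code or its API format: the rule shape (`subject`, `action`, `conditions`, `inverted`), the condition operators (`$eq`, `$in`, `$glob`) and the deny-overrides semantics (any matching inverted rule wins over any matching grant) are assumptions chosen for this example. The one page-grounded rule it enforces is that conditions and inversion are only accepted on the `app-connections` subject.

```typescript
// Added example: a small evaluator for the subject/action/conditions/inversion
// model described on this page. This is NOT Infisical's own code; the rule
// shape, the condition operators and the deny-overrides semantics are
// assumptions chosen for illustration.

type Condition =
  | string                                   // shorthand for exact equality
  | { $eq?: string; $in?: string[]; $glob?: string };

interface Rule {
  subject: string;                           // e.g. "app-connections", "member"
  action: string | string[];                 // e.g. "read" or ["read", "connect"]
  conditions?: Record<string, Condition>;    // per-field constraints on the resource
  inverted?: boolean;                        // true = this rule denies instead of grants
}

// Per the page, only app-connections supports conditions and inversion.
const CONDITIONAL_SUBJECTS = new Set(["app-connections"]);

// Reject rule sets that use conditions or inversion on subjects that do not
// support them, instead of silently ignoring the extra fields (fail closed).
export function validateRules(rules: Rule[]): void {
  for (const r of rules) {
    if ((r.conditions || r.inverted) && !CONDITIONAL_SUBJECTS.has(r.subject)) {
      throw new Error(`subject "${r.subject}" does not support conditions or inversion`);
    }
  }
}

function globToRegExp(pattern: string): RegExp {
  // Escape regex metacharacters in each literal segment, then join with ".*".
  const parts = pattern.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}

function matchCondition(value: unknown, cond: Condition): boolean {
  if (typeof cond === "string") return value === cond;
  if (cond.$eq !== undefined) return value === cond.$eq;
  if (cond.$in !== undefined) return typeof value === "string" && cond.$in.includes(value);
  if (cond.$glob !== undefined) return typeof value === "string" && globToRegExp(cond.$glob).test(value);
  return false;                              // unknown operator: never matches
}

function ruleApplies(rule: Rule, action: string, subject: string, resource?: Record<string, unknown>): boolean {
  if (rule.subject !== subject) return false;
  const actions = Array.isArray(rule.action) ? rule.action : [rule.action];
  if (!actions.includes(action)) return false;
  const conds = rule.conditions;
  if (!conds) return true;                   // unconditional rule covers every instance
  // A conditional rule can only be satisfied against a concrete resource.
  if (!resource) return false;
  const res = resource;
  return Object.keys(conds).every((field) => matchCondition(res[field], conds[field]));
}

// Deny-overrides: any matching inverted rule wins over any matching grant.
export function can(rules: Rule[], action: string, subject: string, resource?: Record<string, unknown>): boolean {
  let granted = false;
  for (const rule of rules) {
    if (!ruleApplies(rule, action, subject, resource)) continue;
    if (rule.inverted) return false;
    granted = true;
  }
  return granted;
}

// Constructed sample role: a CI operator who may view and use GitHub
// connections except the production one, and may read members but nothing else.
export const ciOperatorRules: Rule[] = [
  { subject: "member", action: "read" },
  { subject: "app-connections", action: ["read", "connect"], conditions: { name: { $glob: "github-*" } } },
  { subject: "app-connections", action: "connect", conditions: { name: "github-prod" }, inverted: true },
];

validateRules(ciOperatorRules);
```

With these rules, `can(ciOperatorRules, "connect", "app-connections", { name: "github-staging" })` is granted, while the same call for `github-prod` is denied by the inverted rule even though the glob grant also matches it; `read` on `github-prod` is still allowed because the denial names only `connect`. Two caveats worth carrying into a real deployment: a conditional grant cannot be satisfied without a concrete resource, so a bare `can(rules, "read", "app-connections")` returns false and list endpoints should filter per item rather than gate on the subject alone, and the validator is what keeps an `inverted` or `conditions` field on a subject such as `member` from being quietly dropped and turning a deny into nothing.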
### `kms`

| Action | Description |
|---|---|
| read | View organization KMS configurations |
| create | Set up new KMS configurations |
| edit | Modify KMS settings |
| delete | Remove KMS configurations |

### `kmip`

| Action | Description |
|---|---|
| setup | Configure KMIP server settings |
| proxy | Act as a proxy for KMIP operations |

### `organization-admin-console`

| Action | Description |
|---|---|
| access-all-projects | Access all projects within the organization |

### `secret-share`

| Action | Description |
|---|---|
| manage-settings | Manage secret share settings |

### `gateway`

| Action | Description |
|---|---|
| list-gateways | View all organization gateways |
| create-gateways | Add new gateways to the organization |
| edit-gateways | Modify existing gateway settings |
| delete-gateways | Remove gateways from the organization |
| attach-gateways | Attach gateways to resources |

### `gateway-pool`

| Action | Description |
|---|---|
| list-gateway-pools | View all organization gateway pools |
| create-gateway-pools | Add new gateway pools to the organization |
| edit-gateway-pools | Modify pool settings and manage the gateways in a pool |
| delete-gateway-pools | Remove gateway pools from the organization |
| attach-gateway-pools | Attach gateway pools to consumer configs |

### `relay`

| Action | Description |
|---|---|
| list-relays | View all organization relays |
| create-relays | Add new relays to the organization |
| edit-relays | Modify existing relay settings |
| delete-relays | Remove relays from the organization |

### `machine-identity-auth-template`

| Action | Description |
|---|---|
| list-templates | View identity auth templates |
| create-templates | Create new identity auth templates |
| edit-templates | Modify existing identity auth templates |
| delete-templates | Remove identity auth templates |
| unlink-templates | Unlink identity auth templates from identities |
| attach-templates | Attach identity auth templates to identities |