Back to Infisical

Folders

docs/documentation/platform/pam/folders/overview.mdx

0.162.03.7 KB
Original Source

Group accounts by who needs access to them. This is the core design principle of Infisical PAM.

If the same 10 people need access to the same 5 databases, put those databases in one folder. If a different team needs access to different databases, create a separate folder for them.

Common patterns:

  • By teambackend-team, data-engineering, platform
  • By departmentengineering, finance, operations
  • By applicationcheckout-service, payments, user-auth
  • By environment — if different people manage dev vs prod

The right pattern depends on your organization. Folder-level permissions are the primary way to grant access, though you can also assign access directly on individual accounts when needed.

Creating a Folder

<Steps> <Step title="Navigate to Accounts"> Go to **Privileged Access Management → Accounts** and click **Create Folder**. </Step> <Step title="Configure the folder"> | Field | Description | |-------|-------------| | **Name** | A unique name (e.g., `platform-team`, `checkout-service`, `us-west-prod`) | | **Description** | Optional context about what this folder contains |
Click **Create**.
</Step> </Steps>

Once created, you can start adding accounts to it. But first, you'll probably want to set up who can manage this folder.

Managing Access

Access to a folder is controlled through memberships. You assign users or groups a role, and that role determines what they can do.

Adding Members

<Steps> <Step title="Open the folder"> Click on the folder to open its detail page. </Step> <Step title="Go to Permissions"> Click the **Permissions** tab. </Step> <Step title="Add a member"> Click **Assign Access** and configure:
| Field | Description |
|-------|-------------|
| **User/Group** | Who you're granting access to |
| **Role** | What they can do (see roles below) |
| **Expires** | Optional expiration date for temporary access |

Click **Add**.
</Step> </Steps>

Roles

RoleWhat they can do
AdminFull control — accounts, folders, sessions, memberships
ConnectorLaunch sessions and connect to accounts
AuditorView audit logs and session recordings

When you assign a role on a folder, it applies to all accounts inside that folder. This is the main way to grant access — you don't have to set up permissions on each account individually.

Time-Bound Access

For contractors or temporary team members, set an expiration when adding the membership. The access is automatically revoked when it expires — no manual cleanup needed.

Groups vs Individual Users

You can grant access to individual users or to groups:

  • Individual users — straightforward, easy to audit
  • Groups — access follows group membership; when someone joins or leaves the group, their folder access updates automatically

Groups are managed at the organization level and can sync from identity providers like Okta or Azure AD.

Next Steps

Now that you have a folder, you'll want to add accounts to it. But before that, you might want to set up templates to define what rules apply to those accounts.

<CardGroup cols={2}> <Card title="Templates" icon="layer-group" href="/documentation/platform/pam/templates/overview"> Define session rules before adding accounts. </Card> <Card title="Accounts" icon="user-lock" href="/documentation/platform/pam/accounts/overview"> Add databases and servers to your folder. </Card> </CardGroup>