Scopes
Scopes are the most granular level of access control in Pulumi Cloud’s RBAC system. Each scope represents a specific action that can be performed on a resource, such as reading stack configurations or updating environment settings. Scopes are the building blocks of permission sets, which are then bundled into roles to create comprehensive access control configurations.
Scopes vs. organization-wide settings
Scopes are distinct from the organization-wide access settings found at Settings > Access Management (e.g., “Members can create stacks,” “Members can delete stacks,” “Members can create teams”). Those are separate on/off toggles that are not part of the RBAC scope system. When an org-wide setting is enabled, that capability is granted to all members unconditionally regardless of their role. When it is disabled, only members whose role includes the corresponding scope retain the capability. See the RBAC overview for a full explanation of how these two systems interact.
How Scopes Work
Scopes follow a consistent naming pattern: object:action. For example:
- stack:read - Allows reading stack configurations
- environment:write - Allows modifying environment settings
- team:create - Allows creating new teams
Scopes are always associated with a specific entity type (like stacks, environments, insights accounts, etc.) and can only be used within permission sets that match that entity type. This ensures that permission sets remain logically grouped and can’t mix actions across different types of resources.
You can use scopes to build custom permission sets, which allow you to combine commonly related scopes to create meaningful access patterns. For example, a “Stack Manager” permission set might include scopes like:
- stack:read
- stack:write
- stack:delete
- stack_deployment:create
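The interaction described under "Scopes vs. organization-wide settings", modeled as an added example for access reviews (this is not Pulumi Cloud's own code or API). The toggle-to-scope mapping, the scope pattern and the sample members are assumptions constructed for illustration.

```python
import re

# Assumed shape of object:action, inferred from the scope names on this page.
SCOPE_RE = re.compile(r"^[a-z_]+:[a-z_]+$")

# Assumed mapping from org-wide toggles to their corresponding scopes.
TOGGLE_SCOPE = {
    "Members can delete stacks": "stack:delete",
    "Members can create teams": "team:create",
}

def role_scopes(role):
    """Flatten a role (a list of permission sets) into its set of scopes."""
    scopes = set()
    for pset in role:
        for scope in pset["scopes"]:
            if not SCOPE_RE.match(scope):
                raise ValueError(f"malformed scope: {scope!r}")
            scopes.add(scope)
    return scopes

def explain(scope, role, org_settings):
    """Return why a member holds `scope`: 'org-setting', 'role', or None."""
    for toggle, granted in TOGGLE_SCOPE.items():
        if granted == scope and org_settings.get(toggle, False):
            return "org-setting"  # unconditional: the role is not consulted
    return "role" if scope in role_scopes(role) else None

def loses_on_disable(toggle, members, org_settings):
    """Members who hold the toggle's capability only while it is enabled."""
    scope = TOGGLE_SCOPE[toggle]
    off = {**org_settings, toggle: False}
    return sorted(
        name for name, role in members.items()
        if explain(scope, role, org_settings) and not explain(scope, role, off)
    )

# Constructed sample data (hypothetical permission sets and members).
STACK_MANAGER = {"entity": "stack", "scopes": [
    "stack:read", "stack:write", "stack:delete", "stack_deployment:create"]}
STACK_READER = {"entity": "stack", "scopes": ["stack:read"]}
MEMBERS = {"alice": [STACK_MANAGER], "bob": [STACK_READER]}
SETTINGS = {"Members can delete stacks": True, "Members can create teams": False}
```

Calling `loses_on_disable` before switching a toggle off shows which members currently depend on the org-wide setting rather than on a scope in their role.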
Default Role Assignments
Many scopes are automatically granted through default roles in Pulumi Cloud. For example:
- Organization admins have access to all scopes.
- Regular members have access to basic read and write scopes for common operations.
- Billing managers have access to billing-related scopes only.
Available scopes
You can view the list of available scopes, organized by entity type: