Skip to main content
  1. Docs
  2. Administration
  3. Access & Identity
  4. Role-Based Access Control (RBAC)
  5. Scopes

Scopes

    Scopes are the most granular level of access control in Pulumi Cloud’s RBAC system. Each scope represents a specific action that can be performed on a resource, such as reading stack configurations or updating environment settings. Scopes are the building blocks of permission sets, which are then bundled into roles to create comprehensive access control configurations.

    Pulumi Cloud’s configurable RBAC features are only available in the Pulumi Enterprise or Business Critical editions. To learn more, see the pricing page.

    How Scopes Work

    Scopes follow a consistent naming pattern: object:action. For example:

    • stack:read - Allows reading stack configurations
    • environment:write - Allows modifying environment settings
    • team:create - Allows creating new teams

    Scopes are always associated with a specific entity type (like stacks, environments, insights accounts, etc.) and can only be used within permission sets that match that entity type. This ensures that permission sets remain logically grouped and can’t mix actions across different types of resources.

    You can use scopes to build custom permission sets, which allow you to combine commonly related scopes to create meaningful access patterns. For example, a “Stack Manager” permission set might include scopes like:

    • stack:read
    • stack:write
    • stack:delete
    • stack_deployment:create

    Default Role Assignments

    Many scopes are automatically granted through default roles in Pulumi Cloud. For example:

    • Organization admins have access to all scopes.
    • Regular members have access to basic read and write scopes for common operations.
    • Billing managers have access to billing-related scopes only.

    Available scopes

    You can view the list of available scopes, organized by entity type:

    • Permission sets: Reusable bundles of related scopes for a single entity type. You grant them on entities or use them to set a role’s organization access level.
    • Entities and organization-level access: The objects that permission sets are granted on (stacks, environments, and Insights accounts), plus the organization-level access that governs org-wide operations.
    • Roles: Collections of permission sets applied to entities and combined with an organization access level. You assign a role to users, teams, and machine tokens.
    • Teams: Groups of users that can be assigned roles and entity access. Each member inherits the union of the team’s roles on top of their own role.