---
title: Scopes
url: /docs/administration/access-identity/rbac/scopes/
---
Scopes are the most granular level of access control in Pulumi Cloud's RBAC system. Each scope represents a specific action that can be performed on a resource, such as reading stack configurations or updating environment settings. Scopes are the building blocks of [permission sets](/docs/administration/access-identity/rbac/permission-sets), which are then bundled into [roles](/docs/administration/access-identity/rbac/roles) to create comprehensive access control configurations.

## Scopes vs. organization-wide settings

Scopes are distinct from the **organization-wide access settings** found at **Settings** > **Access Management** (e.g., "Members can create stacks," "Members can delete stacks," "Members can create teams"). Those are separate on/off toggles that are not part of the RBAC scope system. When an org-wide setting is enabled, that capability is granted to all members unconditionally regardless of their role. When it is disabled, only members whose role includes the corresponding scope retain the capability. See the [RBAC overview](/docs/administration/access-identity/rbac/#organization-wide-settings) for a full explanation of how these two systems interact.

## How scopes work

Scopes follow a consistent naming pattern: `object:action`. For example:

- `stack:read` - Allows reading stack configurations
- `environment:write` - Allows modifying environment settings
- `team:create` - Allows creating new teams

Scopes are always associated with a specific [entity type](/docs/administration/access-identity/rbac/permission-sets#entity-types) (like stacks, environments, insights accounts, etc.) and can only be used within permission sets that match that entity type. This ensures that permission sets remain logically grouped and can't mix actions across different types of resources.

You can use scopes to build [custom permission sets](/docs/administration/access-identity/rbac/permission-sets#creating-custom-permission-sets), which allow you to combine commonly related scopes to create meaningful access patterns. For example, a "Stack Manager" permission set might include scopes like:

- `stack:read`
- `stack:write`
- `stack:delete`
- `stack_deployment:create`
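
The following Python sketch is an added example, not Pulumi Cloud code or an API client. It models two rules described above: a permission set only accepts scopes of its own entity type, and an enabled org-wide setting grants a capability to every member regardless of role. The scope-to-entity-type table, the toggle-to-scope pairing, the entity-type labels, and the members `alice` and `bob` are assumptions constructed for the illustration.

```python
# Added illustration: a local model of the rules on this page, not Pulumi Cloud code.
from dataclasses import dataclass

# Assumption: which entity type each scope belongs to (labels are this example's own).
ENTITY_OF = {
    "stack:read": "stack", "stack:write": "stack", "stack:delete": "stack",
    "stack_deployment:create": "stack",
    "environment:write": "environment", "team:create": "organization",
}
# Assumption: the scope that corresponds to each org-wide toggle.
TOGGLE_SCOPE = {
    "Members can delete stacks": "stack:delete",
    "Members can create teams": "team:create",
}

@dataclass(frozen=True)
class PermissionSet:
    name: str
    entity_type: str
    scopes: frozenset

    def __post_init__(self):
        for scope in self.scopes:
            obj, sep, action = scope.partition(":")
            if not (obj and sep and action):
                raise ValueError(f"{scope!r} is not in object:action form")
            if ENTITY_OF.get(scope) != self.entity_type:
                raise ValueError(f"{scope!r} is not a {self.entity_type!r} scope")

def role_scopes(permission_sets):
    """A role bundles permission sets; its scopes are their union."""
    return frozenset().union(*(p.scopes for p in permission_sets))

def can(member_scopes, scope, toggles):
    """Toggle enabled: every member is allowed. Disabled: the role's scopes decide."""
    granted_to_all = any(toggles.get(t, False) for t, s in TOGGLE_SCOPE.items() if s == scope)
    return granted_to_all or scope in member_scopes

def audit(roles, scope, toggles):
    """Names of members who can perform `scope` under the given toggles."""
    return sorted(m for m, scopes in roles.items() if can(scopes, scope, toggles))

# Constructed sample data: two members with different stack permission sets.
STACK_MANAGER = PermissionSet("Stack Manager", "stack", frozenset(
    {"stack:read", "stack:write", "stack:delete", "stack_deployment:create"}))
STACK_READER = PermissionSet("Stack Reader", "stack", frozenset({"stack:read"}))
ROLES = {"alice": role_scopes([STACK_MANAGER]), "bob": role_scopes([STACK_READER])}

if __name__ == "__main__":
    for on in (False, True):
        print(on, audit(ROLES, "stack:delete", {"Members can delete stacks": on}))
```

Running the audit with the toggle off and then on shows which members gain the capability from the org-wide setting alone, which is the set to review before relying on roles for least privilege.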

## Default role assignments

Many scopes are automatically granted through [default roles](/docs/administration/access-identity/rbac/roles#default-roles) in Pulumi Cloud. For example:

- Organization admins have access to all scopes.
- Regular members have access to basic read and write scopes for common operations.
- Billing managers have access to billing-related scopes only.

## Available scopes

You can view the list of available scopes, organized by entity type:

- [Stacks](stacks)
- [Environments](environments)
- [Insights accounts](insights-accounts)
- [Organization settings](org-settings)

## Related resources

- [Teams](/docs/administration/access-identity/rbac/teams)
- [Roles](/docs/administration/access-identity/rbac/roles)
- [Permission sets](/docs/administration/access-identity/rbac/permission-sets)

