RBAC Scopes: Organization Settings
This document defines all the available scopes in Pulumi Cloud, organized by entity type and group.
Pulumi Cloud’s configurable RBAC features are only available in the Pulumi Enterprise or Business Critical editions. To learn more, see the pricing page.
Agent Pools
| Value | Description |
|---|---|
agent_pool:create | Create a new agent pool for running Pulumi operations. Agent pools provide isolated environments for executing infrastructure deployments. Granted by default roles: Admin |
agent_pool:delete | Remove an existing agent pool and its associated resources. This permanently deletes the pool and its configuration. Granted by default roles: Admin |
agent_pool:read | View agent pool configurations and status. This includes access to pool settings, agent status, and operational metrics. Granted by default roles: Admin |
agent_pool:update | Modify agent pool settings and configurations. This allows updating pool parameters, scaling settings, and agent configurations. Granted by default roles: Admin |
Audit Logs
| Value | Description |
|---|---|
audit_logs:export | Export audit log data for compliance and analysis purposes. This enables downloading audit records in various formats. Granted by default roles: Admin |
audit_logs:read | Access and view audit logs of organization activities. This provides visibility into system events and user actions. Granted by default roles: Admin |
AI
These scopes control access to the legacy Pulumi Copilot conversation API, currently used only by the Pulumi Copilot VS Code extension. For Pulumi’s current AI capabilities, see Pulumi Neo.
| Value | Description |
|---|---|
ai_conversations:create | Create a new Copilot conversation session. This allows users to start new conversations via the VS Code Copilot extension. Granted by default roles: Member, Admin |
ai_conversations:list_all | View all Copilot conversations across the organization. This provides administrators with visibility into all AI assistant interactions. Granted by default roles: Admin |
ai_conversations:read | Access and view the content of Copilot conversations. This allows users to read their own conversations and continue previous interactions. Granted by default roles: Member, Admin |
ai_conversations:update | Modify and continue existing Copilot conversations. This enables users to update their conversations with new questions or context. Granted by default roles: Member, Admin |
Change requests (approvals)
| Value | Description |
|---|---|
change_gate:create | Create approval rules (change gates) that require approval before deployments or changes proceed. Granted by default roles: Admin |
change_gate:update | Modify existing approval rules and their conditions. Granted by default roles: Admin |
change_gate:delete | Remove approval rules (change gates). Granted by default roles: Admin |
Deployments
| Value | Description |
|---|---|
deployments:pause | Temporarily halt all deployment operations across the organization. This is useful for maintenance or emergency situations. Granted by default roles: Admin |
deployments:read | View deployment configurations and status across the organization. This provides visibility into all deployment activities. Granted by default roles: Member, Admin |
deployments:read_usage | Access deployment usage metrics and statistics. This includes information about resource consumption and operational costs. Granted by default roles: Member, Admin, Billing Manager |
deployments:resume | Resume deployment operations after a pause. This restores normal deployment functionality across the organization. Granted by default roles: Admin |
Environments
| Value | Description |
|---|---|
environment:create | Create a new environment for managing infrastructure configurations. Environments provide isolated spaces for different deployment stages. Granted by default roles: Member, Admin |
environment:list_deleted | View a list of environments that have been recently deleted but are still recoverable. Granted by default roles: Member, Admin |
environment:restore_deleted | Recover a previously deleted environment. This restores the environment and its configurations to their previous state. Granted by default roles: Admin |
environment_tags:list | View all tags used across environments. This provides a comprehensive view of environment categorization. Granted by default permission set: Environment Read |
environment_yaml:open | Access and view environment configuration in YAML format. This provides a structured view of environment settings. Granted by default roles: Member, Admin |
Insights Accounts
| Value | Description |
|---|---|
insights_account:create | Create a new insights account. This allows setting up monitoring and analysis capabilities for infrastructure. Granted by default roles: Admin |
Insights Policy
| Value | Description |
|---|---|
policy_groups:create | Create a new group of Infrastructure as Code policies. This allows organizing related policies for better management and enforcement. Granted by default roles: Admin |
policy_groups:delete | Remove an existing group of Infrastructure as Code policies. This permanently deletes the policy group and its configurations. Granted by default roles: Admin |
policy_groups:read | View Infrastructure as Code policy group configurations. This includes access to policy definitions and enforcement rules. Granted by default roles: Member, Admin |
policy_groups:update | Modify Infrastructure as Code policy group settings. This allows updating policy definitions and enforcement parameters. Granted by default roles: Admin |
policy_pack:create | Create a new Infrastructure as Code policy pack. This allows bundling related policies for deployment and enforcement. Granted by default roles: Admin |
policy_pack:delete | Remove an existing Infrastructure as Code policy pack. This permanently deletes the policy pack and its configurations. Granted by default roles: Admin |
policy_pack:read | View Infrastructure as Code policy pack contents. This includes access to policy definitions and enforcement rules. Granted by default roles: Admin |
policy_pack:update | Modify an existing Infrastructure as Code policy pack. This allows updating policy definitions and enforcement parameters. Granted by default roles: Admin |
policy_results:create | Create policy evaluation results for an insights account. Granted by default roles: Admin |
policy_results:read | View results of Infrastructure as Code policy evaluations. This provides insights into policy compliance and violations. Granted by default roles: Admin |
policy_results:update | Update policy evaluation results and compliance data. Granted by default roles: Admin |
policy_results:delete | Delete policy evaluation results. Granted by default roles: Admin |
Membership
| Value | Description |
|---|---|
org_member:add | Add a new member to the organization. This enables expanding the team with new users. Granted by default roles: Admin |
org_member:delete | Remove a member from the organization. This revokes their access and permissions. Granted by default roles: Admin |
org_member:read | View details about organization members. This includes access to user profiles and roles. Granted by default roles: Member, Admin, Billing Manager |
org_member:set_admin | Grant or revoke admin privileges for an organization member. This controls elevated access. Granted by default roles: Admin |
org_member:update | Update organization member information and roles. This allows changing user details and permissions. Granted by default roles: Admin |
org_requests:read | View all organization requests. This provides visibility into pending and processed requests. Granted by default roles: Admin |
org_requests:update | Update or process organization requests. This allows approving or denying requests. Granted by default roles: Admin |
invites:create | Send invitations to new users to join the organization. This enables onboarding of new team members. Granted by default roles: Admin |
invites:read | View pending and sent invitations for organization membership. This provides visibility into user onboarding status. Granted by default roles: Admin |
OIDC
| Value | Description |
|---|---|
oidc_issuers:create | Register a new OIDC issuer for authentication. This allows adding new identity providers for user login. Granted by default roles: Admin |
oidc_issuers:delete | Remove an existing OIDC issuer. This permanently deletes the identity provider configuration. Granted by default roles: Admin |
oidc_issuers:read | View OIDC issuer configurations. This includes access to identity provider details and settings. Granted by default roles: Admin |
oidc_issuers:regenerate_thumbprints | Regenerate security thumbprints for an OIDC issuer. This is used to maintain secure authentication. Granted by default roles: Admin |
oidc_issuers:update | Modify OIDC issuer settings. This allows updating identity provider details and authentication parameters. Granted by default roles: Admin |
auth_policies:read | View authentication policy configurations. This includes access to OIDC, SAML, and other identity provider settings. Granted by default roles: Admin |
auth_policies:update | Modify authentication policies and identity provider settings. Sufficient on its own to edit OIDC auth policies, regardless of the token types they reference. Granted by default roles: Admin |
Organization
| Value | Description |
|---|---|
organization:billing | Manage billing settings and payment methods for the organization. This includes access to invoices and payment history. Granted by default roles: Admin, Billing Manager |
organization:change_backend | Change the backend infrastructure for the organization. This is used for advanced configuration and migration. Granted by default roles: Admin |
organization:delete | Delete the organization and all its resources. This is a permanent and irreversible action. Granted by default roles: Admin |
organization:read_usage | View usage statistics and metrics for the organization. This includes resource consumption and cost data. Granted by default roles: Member, Admin, Billing Manager |
organization:rename | Change the name of the organization. This updates the organization’s display name across the platform. Granted by default roles: Admin |
organization:transfer_stacks | Transfer ownership of stacks between organizations. This is used for organizational restructuring or migration. Granted by default roles: Admin |
organization:update | Update organization settings and configurations. This allows changing metadata, policies, and preferences. Granted by default roles: Admin |
org_integrations:read | View organization-level integration settings. This includes access to all configured integrations. Granted by default roles: Admin |
org_integrations:update | Update organization-level integration settings. This allows modifying or removing integrations. Granted by default roles: Admin |
integrations:read | View configuration settings on a per-resource level. This includes access to settings for third-party services and tools. Granted by default roles: Member, Admin |
integrations:update | Manage integration settings on a per-resource level. This allows updating or reconfiguring third-party service connections. Granted by default roles: Member, Admin |
Organization Tokens
| Value | Description |
|---|---|
org_token:create | Create a new organization API token. This enables programmatic access to organization resources. Granted by default roles: Admin |
org_token:delete | Delete an existing organization API token. This revokes programmatic access. Granted by default roles: Admin |
org_token:read | View organization API tokens. This includes access to token details and usage. Granted by default roles: Admin |
Organization Webhooks
| Value | Description |
|---|---|
organization_webhook:create | Create a new webhook for organization events. This enables integration with external systems for event notifications. Granted by default roles: Admin |
organization_webhook:delete | Delete an existing organization webhook. This removes the integration and stops event delivery. Granted by default roles: Admin |
organization_webhook:read | View organization webhook configurations. This includes access to webhook endpoints and event triggers. Granted by default roles: Admin |
organization_webhook:update | Modify an existing organization webhook. This allows updating endpoint URLs and event subscriptions. Granted by default roles: Admin |
Project
| Value | Description |
|---|---|
project:decrypt | Allows decrypting sensitive project-level data and secrets. Granted by default roles: Member, Admin |
project:encrypt | Allows encrypting sensitive project-level data and secrets. Granted by default roles: Member, Admin |
Resources
| Value | Description |
|---|---|
resources:dashboard | Allows viewing the resources dashboard that provides an overview of all resources across the organization. Granted by default roles: Member, Admin, Billing Manager |
resources:index | Allows accessing the main resources index page and managing resource listings. Granted by default roles: Admin |
resources:search | Allows searching and filtering through organization resources. Granted by default roles: Member, Admin |
Roles
| Value | Description |
|---|---|
role:create | Allows creating new custom roles with specific permission sets. Granted by default roles: Admin |
role:delete | Allows deleting existing custom roles. Granted by default roles: Admin |
role:read | Allows viewing role definitions and their associated permission sets. Granted by default roles: Admin |
role:update | Allows modifying existing custom roles and their permission sets. Granted by default roles: Admin |
SAML
| Value | Description |
|---|---|
saml:read | Allows viewing SAML configuration and settings for the organization. Granted by default roles: Member, Admin, Billing Manager |
saml:update | Allows configuring and updating SAML settings for the organization. Granted by default roles: Admin |
SCIM
| Value | Description |
|---|---|
scim:delete | Allows removing SCIM configurations and terminating SCIM integration. Granted by default roles: Admin |
scim:read | Allows viewing SCIM configuration and integration settings. Granted by default roles: Admin |
scim:update | Allows modifying SCIM configuration and integration settings. Granted by default roles: Admin |
Stacks
| Value | Description |
|---|---|
stack:create | Create a new stack for managing infrastructure resources. Stacks represent isolated units of deployment. Granted by default roles: Admin |
stack:list_deleted | View a list of stacks that have been recently deleted but are still recoverable. Granted by default roles: Admin |
stack:restore_deleted | Recover a previously deleted stack. This restores the stack and its configurations to their previous state. Granted by default roles: Admin |
stack_access:read | View information about the users and teams that have access to a stack. Granted by default roles: Member, Admin |
Tags
| Value | Description |
|---|---|
tags:read | Allows viewing tags and their associated resources across the organization. Granted by default roles: Member, Admin |
Teams
| Value | Description |
|---|---|
team:create | Allows creating new teams within the organization. Granted by default roles: Admin |
team:create_token | Allows generating new access tokens for team authentication. Granted by default roles: Admin |
team:delete | Allows removing teams from the organization. Granted by default roles: Admin |
team:delete_token | Allows revoking team access tokens. Granted by default roles: Admin |
team:list | Allows viewing all teams in the organization. Granted by default roles: Member, Admin, Billing Manager |
team:list_tokens | Allows viewing all active access tokens for teams. Granted by default roles: Admin |
team:read | Allows viewing team details and membership information. Granted by default roles: Member, Admin |
team:update | Allows modifying team settings and membership. Granted by default roles: Admin |
github_team:create | Create a new team that syncs with GitHub. This enables integration between Pulumi and GitHub team structures. Granted by default roles: Admin |
Templates
| Value | Description |
|---|---|
templates:read | Allows viewing and using available templates for creating new projects and stacks. Granted by default roles: Member, Admin |
Template Sources
| Value | Description |
|---|---|
templates_source:create | Allows adding new template sources to the organization. Granted by default roles: Admin |
templates_source:delete | Allows removing template sources from the organization. Granted by default roles: Admin |
templates_source:read | Allows viewing template source configurations and available templates. Granted by default roles: Admin |
templates_source:update | Allows modifying template source configurations and settings. Granted by default roles: Admin |