RBAC Scopes: Organization Settings
This document defines all the available scopes in Pulumi Cloud, organized by entity type and group.
Agent Pools
| Value | Description |
|---|---|
agent_pool:create | Create a new agent pool for running Pulumi operations. Agent pools provide isolated environments for executing infrastructure deployments. Granted by default roles: Admin |
agent_pool:delete | Remove an existing agent pool and its associated resources. This permanently deletes the pool and its configuration. Granted by default roles: Admin |
agent_pool:read | View agent pool configurations and status. This includes access to pool settings, agent status, and operational metrics. Granted by default roles: Admin |
agent_pool:update | Modify agent pool settings and configurations. This allows updating pool parameters, scaling settings, and agent configurations. Granted by default roles: Admin |
Audit Logs
| Value | Description |
|---|---|
audit_logs:export | Export audit log data for compliance and analysis purposes. This enables downloading audit records in various formats. Granted by default roles: Admin |
audit_logs:read | Access and view audit logs of organization activities. This provides visibility into system events and user actions. Granted by default roles: Admin |
AI
These scopes control access to the legacy Pulumi Copilot conversation API, currently used only by the Pulumi Copilot VS Code extension. For Pulumi’s current AI capabilities, see Pulumi Neo.
| Value | Description |
|---|---|
ai_conversations:create | Create a new Copilot conversation session. This allows users to start new conversations via the VS Code Copilot extension. Granted by default roles: Member, Admin |
ai_conversations:list_all | View all Copilot conversations across the organization. This provides administrators with visibility into all AI assistant interactions. Granted by default roles: Admin |
ai_conversations:read | Access and view the content of Copilot conversations. This allows users to read their own conversations and continue previous interactions. Granted by default roles: Member, Admin |
ai_conversations:update | Modify and continue existing Copilot conversations. This enables users to update their conversations with new questions or context. Granted by default roles: Member, Admin |
Change requests (approvals)
| Value | Description |
|---|---|
change_gate:create | Create approval rules (change gates) that require approval before deployments or changes proceed. Granted by default roles: Admin |
change_gate:update | Modify existing approval rules and their conditions. Granted by default roles: Admin |
change_gate:delete | Remove approval rules (change gates). Granted by default roles: Admin |
Deployments
| Value | Description |
|---|---|
deployments:pause | Temporarily halt all deployment operations across the organization. This is useful for maintenance or emergency situations. Granted by default roles: Admin |
deployments:read | View deployment configurations and status across the organization. This provides visibility into all deployment activities. Granted by default roles: Member, Admin |
deployments:read_usage | Access deployment usage metrics and statistics. This includes information about resource consumption and operational costs. Granted by default roles: Member, Admin, Billing Manager |
deployments:resume | Resume deployment operations after a pause. This restores normal deployment functionality across the organization. Granted by default roles: Admin |
Environments
| Value | Description |
|---|---|
environment:create | Create a new environment for managing infrastructure configurations. Environments provide isolated spaces for different deployment stages. Granted by default roles: Member, Admin |
environment:list_deleted | View a list of environments that have been recently deleted but are still recoverable. Granted by default roles: Member, Admin |
environment:restore_deleted | Recover a previously deleted environment. This restores the environment and its configurations to their previous state. Granted by default roles: Admin |
environment_tags:list | View all tags used across environments. This provides a comprehensive view of environment categorization. Granted by default permission set: Environment Read |
environment_yaml:open | Access and view environment configuration in YAML format. This provides a structured view of environment settings. Granted by default roles: Member, Admin |
Insights Accounts
| Value | Description |
|---|---|
insights_account:create | Create a new insights account. This allows setting up monitoring and analysis capabilities for infrastructure. Granted by default roles: Admin |
Insights Policy
| Value | Description |
|---|---|
policy_groups:create | Create a new group of Infrastructure as Code policies. This allows organizing related policies for better management and enforcement. Granted by default roles: Admin |
policy_groups:delete | Remove an existing group of Infrastructure as Code policies. This permanently deletes the policy group and its configurations. Granted by default roles: Admin |
policy_groups:read | View Infrastructure as Code policy group configurations. This includes access to policy definitions and enforcement rules. Granted by default roles: Member, Admin |
policy_groups:update | Modify Infrastructure as Code policy group settings. This allows updating policy definitions and enforcement parameters. Granted by default roles: Admin |
policy_pack:create | Create a new Infrastructure as Code policy pack. This allows bundling related policies for deployment and enforcement. Granted by default roles: Admin |
policy_pack:delete | Remove an existing Infrastructure as Code policy pack. This permanently deletes the policy pack and its configurations. Granted by default roles: Admin |
policy_pack:read | View Infrastructure as Code policy pack contents. This includes access to policy definitions and enforcement rules. Granted by default roles: Admin |
policy_pack:update | Modify an existing Infrastructure as Code policy pack. This allows updating policy definitions and enforcement parameters. Granted by default roles: Admin |
policy_results:create | Create policy evaluation results for an insights account. Granted by default roles: Admin |
policy_results:read | View results of Infrastructure as Code policy evaluations. This provides insights into policy compliance and violations. Granted by default roles: Admin |
policy_results:update | Update policy evaluation results and compliance data. Granted by default roles: Admin |
policy_results:delete | Delete policy evaluation results. Granted by default roles: Admin |
Membership
| Value | Description |
|---|---|
org_member:add | Add a new member to the organization. This enables expanding the team with new users. Granted by default roles: Admin |
org_member:delete | Remove a member from the organization. This revokes their access and permissions. Granted by default roles: Admin |
org_member:read | View details about organization members. This includes access to user profiles and roles. Granted by default roles: Member, Admin, Billing Manager |
org_member:set_admin | Grant or revoke admin privileges for an organization member. This controls elevated access. Granted by default roles: Admin |
org_member:update | Update organization member information and roles. This allows changing user details and permissions. Granted by default roles: Admin |
org_requests:read | View all organization requests. This provides visibility into pending and processed requests. Granted by default roles: Admin |
org_requests:update | Update or process organization requests. This allows approving or denying requests. Granted by default roles: Admin |
invites:create | Send invitations to new users to join the organization. This enables onboarding of new team members. Granted by default roles: Admin |
invites:read | View pending and sent invitations for organization membership. This provides visibility into user onboarding status. Granted by default roles: Admin |
OIDC
| Value | Description |
|---|---|
oidc_issuers:create | Register a new OIDC issuer for authentication. This allows adding new identity providers for user login. Granted by default roles: Admin |
oidc_issuers:delete | Remove an existing OIDC issuer. This permanently deletes the identity provider configuration. Granted by default roles: Admin |
oidc_issuers:read | View OIDC issuer configurations. This includes access to identity provider details and settings. Granted by default roles: Admin |
oidc_issuers:regenerate_thumbprints | Regenerate security thumbprints for an OIDC issuer. This is used to maintain secure authentication. Granted by default roles: Admin |
oidc_issuers:update | Modify OIDC issuer settings. This allows updating identity provider details and authentication parameters. Granted by default roles: Admin |
auth_policies:read | View authentication policy configurations. This includes access to OIDC, SAML, and other identity provider settings. Granted by default roles: Admin |
auth_policies:update | Modify authentication policies and identity provider settings. This allows updating security configurations. Granted by default roles: Admin |
Organization
| Value | Description |
|---|---|
organization:billing | Manage billing settings and payment methods for the organization. This includes access to invoices and payment history. Granted by default roles: Admin, Billing Manager |
organization:change_backend | Change the backend infrastructure for the organization. This is used for advanced configuration and migration. Granted by default roles: Admin |
organization:delete | Delete the organization and all its resources. This is a permanent and irreversible action. Granted by default roles: Admin |
organization:read_usage | View usage statistics and metrics for the organization. This includes resource consumption and cost data. Granted by default roles: Member, Admin, Billing Manager |
organization:rename | Change the name of the organization. This updates the organization’s display name across the platform. Granted by default roles: Admin |
organization:transfer_stacks | Transfer ownership of stacks between organizations. This is used for organizational restructuring or migration. Granted by default roles: Admin |
organization:update | Update organization settings and configurations. This allows changing metadata, policies, and preferences. Granted by default roles: Admin |
org_integrations:read | View organization-level integration settings. This includes access to all configured integrations. Granted by default roles: Admin |
org_integrations:update | Update organization-level integration settings. This allows modifying or removing integrations. Granted by default roles: Admin |
integrations:read | View configuration settings on a per-resource level. This includes access to settings for third-party services and tools. Granted by default roles: Member, Admin |
integrations:update | Manage integration settings on a per-resource level. This allows updating or reconfiguring third-party service connections. Granted by default roles: Member, Admin |
Organization Tokens
| Value | Description |
|---|---|
org_token:create | Create a new organization API token. This enables programmatic access to organization resources. Granted by default roles: Admin |
org_token:delete | Delete an existing organization API token. This revokes programmatic access. Granted by default roles: Admin |
org_token:read | View organization API tokens. This includes access to token details and usage. Granted by default roles: Admin |
Organization Webhooks
| Value | Description |
|---|---|
organization_webhook:create | Create a new webhook for organization events. This enables integration with external systems for event notifications. Granted by default roles: Admin |
organization_webhook:delete | Delete an existing organization webhook. This removes the integration and stops event delivery. Granted by default roles: Admin |
organization_webhook:read | View organization webhook configurations. This includes access to webhook endpoints and event triggers. Granted by default roles: Admin |
organization_webhook:update | Modify an existing organization webhook. This allows updating endpoint URLs and event subscriptions. Granted by default roles: Admin |
Project
| Value | Description |
|---|---|
project:decrypt | Allows decrypting sensitive project-level data and secrets. Granted by default roles: Member, Admin |
project:encrypt | Allows encrypting sensitive project-level data and secrets. Granted by default roles: Member, Admin |
Resources
| Value | Description |
|---|---|
resources:dashboard | Allows viewing the resources dashboard that provides an overview of all resources across the organization. Granted by default roles: Member, Admin, Billing Manager |
resources:index | Allows accessing the main resources index page and managing resource listings. Granted by default roles: Admin |
resources:search | Allows searching and filtering through organization resources. Granted by default roles: Member, Admin |
Roles
| Value | Description |
|---|---|
role:create | Allows creating new custom roles with specific permission sets. Granted by default roles: Admin |
role:delete | Allows deleting existing custom roles. Granted by default roles: Admin |
role:read | Allows viewing role definitions and their associated permission sets. Granted by default roles: Admin |
role:update | Allows modifying existing custom roles and their permission sets. Granted by default roles: Admin |
SAML
| Value | Description |
|---|---|
saml:read | Allows viewing SAML configuration and settings for the organization. Granted by default roles: Member, Admin, Billing Manager |
saml:update | Allows configuring and updating SAML settings for the organization. Granted by default roles: Admin |
SCIM
| Value | Description |
|---|---|
scim:delete | Allows removing SCIM configurations and terminating SCIM integration. Granted by default roles: Admin |
scim:read | Allows viewing SCIM configuration and integration settings. Granted by default roles: Admin |
scim:update | Allows modifying SCIM configuration and integration settings. Granted by default roles: Admin |
Stacks
| Value | Description |
|---|---|
stack:create | Create a new stack for managing infrastructure resources. Stacks represent isolated units of deployment. Granted by default roles: Admin |
stack:list_deleted | View a list of stacks that have been recently deleted but are still recoverable. Granted by default roles: Admin |
stack:restore_deleted | Recover a previously deleted stack. This restores the stack and its configurations to their previous state. Granted by default roles: Admin |
stack_access:read | View information about the users and teams that have access to a stack. Granted by default roles: Member, Admin |
Tags
| Value | Description |
|---|---|
tags:read | Allows viewing tags and their associated resources across the organization. Granted by default roles: Member, Admin |
Teams
| Value | Description |
|---|---|
team:create | Allows creating new teams within the organization. Granted by default roles: Admin |
team:create_token | Allows generating new access tokens for team authentication. Granted by default roles: Admin |
team:delete | Allows removing teams from the organization. Granted by default roles: Admin |
team:delete_token | Allows revoking team access tokens. Granted by default roles: Admin |
team:list | Allows viewing all teams in the organization. Granted by default roles: Member, Admin, Billing Manager |
team:list_tokens | Allows viewing all active access tokens for teams. Granted by default roles: Admin |
team:read | Allows viewing team details and membership information. Granted by default roles: Member, Admin |
team:update | Allows modifying team settings and membership. Granted by default roles: Admin |
github_team:create | Create a new team that syncs with GitHub. This enables integration between Pulumi and GitHub team structures. Granted by default roles: Admin |
Templates
| Value | Description |
|---|---|
templates:read | Allows viewing and using available templates for creating new projects and stacks. Granted by default roles: Member, Admin |
Template Sources
| Value | Description |
|---|---|
templates_source:create | Allows adding new template sources to the organization. Granted by default roles: Admin |
templates_source:delete | Allows removing template sources from the organization. Granted by default roles: Admin |
templates_source:read | Allows viewing template source configurations and available templates. Granted by default roles: Admin |
templates_source:update | Allows modifying template source configurations and settings. Granted by default roles: Admin |
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.