Skip to main content
  1. Docs
  2. Administration
  3. Access & Identity
  4. Role-Based Access Control (RBAC)
  5. Permission Sets

Permission Sets

    Permission sets in Pulumi Cloud are predefined bundles of scopes that are commonly used together. They provide a convenient way to grant related access rights to an entity (resource) or set of entities (resources).

    Every permission set belongs to a specific entity type (stacks, environments, or insights accounts) and can only include scopes of that same type.

    Pulumi Cloud’s configurable RBAC features are only available in the Pulumi Enterprise or Business Critical editions. To learn more, see the pricing page.

    Default permission sets

    Pulumi Cloud provides several default permission sets that you can use to quickly get started:

    Stack permission sets

    Permission setDescriptionIncluded Scopes
    Stack ReadBasic read-only access to stacks. Allows for running previews.stack:read, stack:export, stack:encrypt, stack:decrypt, stack_deployment:read, stack_deployment_settings:read, stack_access:read, stack_schedule:read
    Stack WriteAbility to update stack configurations and run stack updates.Stack Read, + stack:import, stack:cancel_update, stack:write, stack_deployment_settings:write, stack_deployment_settings:encrypt, stack_deployment_cache:read, stack_tags:update, stack_schedule:update, stack_schedule:create, stack_schedule:pause, stack_schedule:resume, stack_schedule:delete, stack_deployment:create, stack_webhook:create, stack_webhook:update, stack_webhook:delete, stack_webhook:read
    Stack AdminGrants full control over stack operations.Stack Write, + stack:delete, stack_access:update, stack:transfer, stack:rename

    Environment permission sets

    Permission setDescriptionIncluded Scopes
    Environment ReadBasic read-only access to environments.environment:read, environment:rotate_history, environment_version:read, environment_schedule:read, environment_tag:read
    Environment OpenAbility to read the environment and access environment secrets.Environment Read, + environment:open, environment:clone, environment_version:open, environment_version:read
    Environment WriteAbility to modify environment settings.Environment Open, + environment:write, environment:rotate, environment_version:create, environment_version:update, environment_version:delete, environment_version:retract, environment_tag:create, environment_tag:update, environment_tag:delete, environment_schedule:create, environment_schedule:update, environment_schedule:pause, environment_schedule:resume, environment_schedule:delete, environment_webhook:read, environment_webhook:create, environment_webhook:update, environment_webhook:delete
    Environment AdminFull control over environment operations.Environment Write, + environment:delete

    Insights account permission sets

    Permission setDescriptionIncluded Scopes
    Account ReadBasic read-only access to insights accounts.insights_account:read, insights_account_scan:read, insights_account_access:read
    Account WriteAbility to modify insights accounts.Account Read, + insights_account:update, insights_account:scan, insights_account_scan:update, insights_account_scan:cancel, insights_account_scan:pause, insights_account_scan:resume
    Account AdminFull control over insights accounts.Account Write, + insights_account:delete, insights_account_access:update

    Organization settings permission sets

    These permission sets bundle organization-level (global) scopes. Rather than granting access to a specific entity, they set a role’s organization access level — the permissions for org-wide operations such as billing, member management, and creating resources.

    Permission setDescriptionIncluded Scopes
    Read OnlyView-only organization access: usage, members, stacks, environments, teams, and Insights accounts; read deployments, integrations, services, templates, and resources. No create, update, or delete.ai_conversations:read, deployments:read, deployments:read_usage, environment:list_deleted, environment_tags:list, policy_groups:read, policy_pack:read, policy_results:read, integrations:read, org_member:read, organization_annotations:read, organization:read_usage, project_annotations:read, resources:dashboard, resources:search, saml:read, tags:read, team:read, templates:read, services:read
    StandardMember-level organization access: everything Read Only allows, plus creating environments and using deployments, integrations, services, and resources. Excludes billing and member or organization admin settings. (Creating stacks, teams, and Insights accounts is governed separately by the org-wide capability toggles, not this permission set.)Read Only, + ai_conversations:create, ai_conversations:update, environment:create, integrations:update, project_annotations:update, project:decrypt, project:encrypt, services:create, services:write, services:admin, insights_policy_evaluator:read, insights_policy_evaluator:delete, insights_policy_evaluator:ensure, insights_policy_evaluator:update, insights_policy_queue:read
    Organization Settings BillingBilling access.deployments:read_usage, org_member:read, organization:billing, organization:read_usage, resources:dashboard, saml:read, team:read

    Custom permission sets

    Creating custom permission sets

    To create a custom permission set, you must be an organization admin.

    1. Visit Settings > Access management and select the Permission sets tab.
    2. To create a new permission set, select Create custom permission set within the associated entity group.
    3. Provide a unique name for the permission set. Optionally, but recommended, provide a description to contextualize the permission set and its purpose.
    4. Select the scopes you would like to bundle within this permission set.
    5. Select Create permission set. The panel closes and your new permission set appears on the permission sets page.

    You can now assign this custom permission set to roles within your organization.

    A custom permission set cannot be deleted while it is in use by one or more roles. Remove the permission set from those roles before deleting it.
    • Scopes: The most granular access rights in Pulumi Cloud, written as object:action. Each scope belongs to one entity type and is the building block of permission sets.
    • Entities and organization-level access: The objects that permission sets are granted on (stacks, environments, and Insights accounts), plus the organization-level access that governs org-wide operations.
    • Roles: Collections of permission sets applied to entities and combined with an organization access level. You assign a role to users, teams, and machine tokens.
    • Teams: Groups of users that can be assigned roles and entity access. Each member inherits the union of the team’s roles on top of their own role.