Organization-Level Default Roles
Organization roles apply across the entire organization and cascade down to all projects (including sub-projects) and environments.Organization User
The basic role for organization members. Provides:- View organization variables, templates, and modules
- View modules from the private module registry
- View providers from the private provider registry
Organization Admin
Full administrative access to the organization. Includes all available permissions across the platform, including:- All Organization User permissions
- Edit organization settings and variables
- Create and edit templates, modules, and providers
- Create and edit custom roles
- View and edit dashboards
- View audit logs
- Manage billing information
- Move environments between projects
- Manage credentials and VCS connections
- All project and environment permissions
Project-Level Default Roles
Project roles apply to specific projects and cascade down to:- All sub-projects within that project
- All environments within the project and its sub-projects
Project Viewer
Read-only access to project resources. Provides:- All Organization User permissions
- View project settings, templates, variables, and environments
- Read Terraform state files
- View drift causes
Project Planner
Can create and plan deployments but cannot apply changes. Provides:- All Project Viewer permissions
- Run plans (create environments, redeploy, destroy - requires approval)
Project Deployer
Can deploy and manage environments. Provides:- All Project Planner permissions
- Run applies (deploy without requiring approval)
- Edit environment settings
- Write to Terraform state files
- Abort running deployments
Project Admin
Full administrative access to the project. Provides:- All Project Deployer permissions
- Edit project settings and variables
- Manage project templates
- Archive environments
- Lock/unlock environments
- Override max TTL settings
- Create cross-project environments
- Force unlock workspaces
- Create new projects
- Assign roles on environments
- Create VCS environments
- Edit VCS environment settings
- Import environments
- Manage credentials and VCS connections
Environment-Level Default Roles
Environment roles apply to specific environments only.Environment Viewer
Read-only access to a specific environment. Provides:- All Organization User permissions
- View environment details, settings, variables, and logs
- Read Terraform state files
- View drift causes
Environment Planner
Can plan changes to a specific environment. Provides:- All Environment Viewer permissions
- Run plans (requires approval)
Environment Deployer
Can deploy changes to a specific environment. Provides:- All Environment Planner permissions
- Run applies (deploy without requiring approval)
- Edit environment settings
- Write to Terraform state files
- Abort running deployments
Environment Admin
Full administrative access to a specific environment. Provides:- All Environment Deployer permissions
- Archive the environment
- Lock/unlock the environment
- Override max TTL settings
- Force unlock workspace
- Assign roles on the environment
- Edit allow remote apply settings
Next Steps
Manage Users
Learn how to invite and manage users in your organization
Manage Teams
Learn how to create and manage teams to simplify permission management
Custom Roles
Create and manage custom roles with tailored permissions
Assigning Roles
Step-by-step guides for assigning these roles to users and teams