Skip to main content
Default roles are built-in, non-editable roles that come with every env zero organization. These roles provide standard permission sets for common use cases and cannot be modified or deleted.

โ€‹
Organization-Level Default Roles

Organization roles apply across the entire organization and cascade down to all projects (including sub-projects) and environments.

โ€‹
Organization User

The basic role for organization members. Provides:
  • View organization variables, templates, and modules
  • View modules from the private module registry
  • View providers from the private provider registry
This is the default role assigned when a custom role is deleted from a user at the organization level.

โ€‹
Organization Admin

Full administrative access to the organization. Includes all available permissions across the platform, including:
  • All Organization User permissions
  • Edit organization settings and variables
  • Create and edit templates, modules, and providers
  • Create and edit custom roles
  • View and edit dashboards
  • View audit logs
  • Manage billing information
  • Move environments between projects
  • Manage credentials and VCS connections
  • All project and environment permissions

โ€‹
Project-Level Default Roles

Project roles apply to specific projects and cascade down to:
  • All sub-projects within that project
  • All environments within the project and its sub-projects

โ€‹
Project Viewer

Read-only access to project resources. Provides:
  • All Organization User permissions
  • View project settings, templates, variables, and environments
  • Read Terraform state files
  • View drift causes

โ€‹
Project Planner

Can create and plan deployments but cannot apply changes. Provides:
  • All Project Viewer permissions
  • Run plans (create environments, redeploy, destroy - requires approval)

โ€‹
Project Deployer

Can deploy and manage environments. Provides:
  • All Project Planner permissions
  • Run applies (deploy without requiring approval)
  • Edit environment settings
  • Write to Terraform state files
  • Abort running deployments

โ€‹
Project Admin

Full administrative access to the project. Provides:
  • All Project Deployer permissions
  • Edit project settings and variables
  • Manage project templates
  • Archive environments
  • Lock/unlock environments
  • Override max TTL settings
  • Create cross-project environments
  • Force unlock workspaces
  • Create new projects
  • Assign roles on environments
  • Create VCS environments
  • Edit VCS environment settings
  • Import environments
  • Manage credentials and VCS connections

โ€‹
Environment-Level Default Roles

Environment roles apply to specific environments only.

โ€‹
Environment Viewer

Read-only access to a specific environment. Provides:
  • All Organization User permissions
  • View environment details, settings, variables, and logs
  • Read Terraform state files
  • View drift causes

โ€‹
Environment Planner

Can plan changes to a specific environment. Provides:

โ€‹
Environment Deployer

Can deploy changes to a specific environment. Provides:
  • All Environment Planner permissions
  • Run applies (deploy without requiring approval)
  • Edit environment settings
  • Write to Terraform state files
  • Abort running deployments

โ€‹
Environment Admin

Full administrative access to a specific environment. Provides:
  • All Environment Deployer permissions
  • Archive the environment
  • Lock/unlock the environment
  • Override max TTL settings
  • Force unlock workspace
  • Assign roles on the environment
  • Edit allow remote apply settings

โ€‹
Next Steps

Manage Users

Learn how to invite and manage users in your organization

Manage Teams

Learn how to create and manage teams to simplify permission management

Custom Roles

Create and manage custom roles with tailored permissions

Assigning Roles

Step-by-step guides for assigning these roles to users and teams