Add a note about additive/effective permissions #882
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
mkam
reviewed
Apr 15, 2025
| @@ -16,7 +16,9 @@ description: >- | |||
|
|
|||
| HCP Terraform's access model is team-based. In order to perform an action within an HCP Terraform organization, users must belong to a team that has been granted the appropriate permissions. | |||
|
|
|||
| The permissions model is split into organization-level, project-level, and workspace-level permissions. Additionally, every organization has a special team named "owners", whose members have maximal permissions within the organization. | |||
| The permissions model is split into organization-level, project-level, and workspace-level permissions. These permissions are additive, meaning that a user on a team is allowed to perform the most permissive action that has been granted on a resource, regardless of the level at which it was granted. For example, if a team has a workspace "read" permission at the organization-level, and they have admin access on a single workspace, users on that team can still apply runs -- the organization-level permission doesn't take precedence over the workspace permissions. When configuring permissions at a particular level, it's important to remember that that team may have permissions above or below the hierarchy that grant a higher level of permission than what's currently being configured. A team's _effective permissions_ are the sum of the permissions that have been granted to them across the entire organization hierarchy. | |||
There was a problem hiding this comment.
Suggested change
| The permissions model is split into organization-level, project-level, and workspace-level permissions. These permissions are additive, meaning that a user on a team is allowed to perform the most permissive action that has been granted on a resource, regardless of the level at which it was granted. For example, if a team has a workspace "read" permission at the organization-level, and they have admin access on a single workspace, users on that team can still apply runs -- the organization-level permission doesn't take precedence over the workspace permissions. When configuring permissions at a particular level, it's important to remember that that team may have permissions above or below the hierarchy that grant a higher level of permission than what's currently being configured. A team's _effective permissions_ are the sum of the permissions that have been granted to them across the entire organization hierarchy. | |
| The permissions model is split into organization-level, project-level, and workspace-level permissions. These permissions are additive, meaning that a user on a team is allowed to perform the most permissive action that has been granted on a resource, regardless of the level at which it was granted. For example, if a team has a workspace "read" permission at the organization-level, and they have admin access on a single workspace, users on that team can still apply runs on that workspace -- the organization-level permission doesn't take precedence over the workspace permissions. When configuring permissions at a particular level, it's important to remember that that team may have permissions above or below the hierarchy that grant a higher level of permission than what's currently being configured. A team's _effective permissions_ are the sum of the permissions that have been granted to them across the entire organization hierarchy. |
Also, was thinking this could be two paragraphs because it's looking kind of dense in the preview:
https://terraform-docs-common-git-jbonhag-additive-per-062ddc-hashicorp.vercel.app/terraform/cloud-docs/users-teams-organizations/permissions
There was a problem hiding this comment.
I love this suggestion! I hope you don't mind that I expanded on this a bit, I tried reworking it for flow and I came up with:
Suggested change
| The permissions model is split into organization-level, project-level, and workspace-level permissions. These permissions are additive, meaning that a user on a team is allowed to perform the most permissive action that has been granted on a resource, regardless of the level at which it was granted. For example, if a team has a workspace "read" permission at the organization-level, and they have admin access on a single workspace, users on that team can still apply runs -- the organization-level permission doesn't take precedence over the workspace permissions. When configuring permissions at a particular level, it's important to remember that that team may have permissions above or below the hierarchy that grant a higher level of permission than what's currently being configured. A team's _effective permissions_ are the sum of the permissions that have been granted to them across the entire organization hierarchy. | |
| The HCP Terraform permissions model is split into three levels, you can set organization-level, project-level, and workspace-level permissions. Each permission level is additive, granting a user the highest level of permissions possible, regardless of which level set that permission. | |
| A team's _effective permissions_ is the sum of the permissions granted to that team from all permission levels. For example, if a team has the **View all workspaces** permission at the organization-level and **Admin** permission on a specific workspace, then users on that team have the effective permission of **Admin** on that workspace. An organization-level permission does not take precedence over a workspace-level permission. | |
| We recommend following the principle of least privilege when configuring permissions, only giving teams access to the resources they need for their job function. When configuring permissions at a particular level, remember that a team may have permissions above or below in the hierarchy that grant a higher level of permission than what you are currently configuring. |
Let me know what you think and feel free to push back if anything doesn't feel good about it!
rkoron007
approved these changes
Apr 18, 2025
| @@ -16,7 +16,9 @@ description: >- | |||
|
|
|||
| HCP Terraform's access model is team-based. In order to perform an action within an HCP Terraform organization, users must belong to a team that has been granted the appropriate permissions. | |||
|
|
|||
| The permissions model is split into organization-level, project-level, and workspace-level permissions. Additionally, every organization has a special team named "owners", whose members have maximal permissions within the organization. | |||
| The permissions model is split into organization-level, project-level, and workspace-level permissions. These permissions are additive, meaning that a user on a team is allowed to perform the most permissive action that has been granted on a resource, regardless of the level at which it was granted. For example, if a team has a workspace "read" permission at the organization-level, and they have admin access on a single workspace, users on that team can still apply runs -- the organization-level permission doesn't take precedence over the workspace permissions. When configuring permissions at a particular level, it's important to remember that that team may have permissions above or below the hierarchy that grant a higher level of permission than what's currently being configured. A team's _effective permissions_ are the sum of the permissions that have been granted to them across the entire organization hierarchy. | |||
There was a problem hiding this comment.
I love this suggestion! I hope you don't mind that I expanded on this a bit, I tried reworking it for flow and I came up with:
Suggested change
| The permissions model is split into organization-level, project-level, and workspace-level permissions. These permissions are additive, meaning that a user on a team is allowed to perform the most permissive action that has been granted on a resource, regardless of the level at which it was granted. For example, if a team has a workspace "read" permission at the organization-level, and they have admin access on a single workspace, users on that team can still apply runs -- the organization-level permission doesn't take precedence over the workspace permissions. When configuring permissions at a particular level, it's important to remember that that team may have permissions above or below the hierarchy that grant a higher level of permission than what's currently being configured. A team's _effective permissions_ are the sum of the permissions that have been granted to them across the entire organization hierarchy. | |
| The HCP Terraform permissions model is split into three levels, you can set organization-level, project-level, and workspace-level permissions. Each permission level is additive, granting a user the highest level of permissions possible, regardless of which level set that permission. | |
| A team's _effective permissions_ is the sum of the permissions granted to that team from all permission levels. For example, if a team has the **View all workspaces** permission at the organization-level and **Admin** permission on a specific workspace, then users on that team have the effective permission of **Admin** on that workspace. An organization-level permission does not take precedence over a workspace-level permission. | |
| We recommend following the principle of least privilege when configuring permissions, only giving teams access to the resources they need for their job function. When configuring permissions at a particular level, remember that a team may have permissions above or below in the hierarchy that grant a higher level of permission than what you are currently configuring. |
Let me know what you think and feel free to push back if anything doesn't feel good about it!
| The permissions model is split into organization-level, project-level, and workspace-level permissions. Additionally, every organization has a special team named "owners", whose members have maximal permissions within the organization. | ||
| The permissions model is split into organization-level, project-level, and workspace-level permissions. These permissions are additive, meaning that a user on a team is allowed to perform the most permissive action that has been granted on a resource, regardless of the level at which it was granted. For example, if a team has a workspace "read" permission at the organization-level, and they have admin access on a single workspace, users on that team can still apply runs -- the organization-level permission doesn't take precedence over the workspace permissions. When configuring permissions at a particular level, it's important to remember that that team may have permissions above or below the hierarchy that grant a higher level of permission than what's currently being configured. A team's _effective permissions_ are the sum of the permissions that have been granted to them across the entire organization hierarchy. | ||
|
|
||
| Additionally, every organization has a special team named "owners", whose members have maximal permissions within the organization. |
There was a problem hiding this comment.
Can we remove this sentence because
Suggested change
| Additionally, every organization has a special team named "owners", whose members have maximal permissions within the organization. | |
| Every organization also has a special team called the **Owners** team, whose members have the maximum available permissions within the organization. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Added a note about how the HCP Terraform permission model is additive, so that a user's effective permissions is the sum of their permissions up and down the organization hierarchy.
Why
We call out this behavior in the HCP Terraform UI itself (and link to this permissions page), but it may not be clear how/why this is the case. This note is intended to help make the HCP Terraform permission model a bit more understandable.
Merge Checklist
If items do not apply to your changes, add (N/A) and mark them as complete.
Pull Request
Content
website/redirects.jsfor moved, renamed, or deleted pages.Reviews