Access Management

This topic describes HCP's access management features. You can set roles and permissions at either the organization level , project level or resource level to secure access to HCP resources.

Roles and permissions

HCP uses a role-based access control (RBAC) system to enable members of your organizations and projects to perform actions in HCP and interact with resources. Some HCP applications allow you to assign roles for specific resources, such as an HCP Packer bucket. Refer to the individual HCP service's documentation for more information.

Types of Roles

You can configure HCP roles for an organization at two levels:

Basic roles control permissions from all services in an organization. Basic roles are useful when you initially set up and adopt HCP, but you should replace them with fine-grained roles when adding production workloads.
Fine-grained roles control permissions for one or more services. We recommend using fine-grained roles for access management when using HCP to manage production workloads and interact with production networks.

Inheritance

Each resource in an HCP organization has an IAM policy associated with it that sets the level of access allowed on that resource. This IAM policy is a data structure that provides a mapping of roles to principals assigned to that resource.

Role Permission Inheritance

Users inherit role permissions according to the following hierarchy:

Role assigned in the organization.
Role assigned in the project.
Role assigned for the resource.

Permissions are inherited through the resource hierarchy. And they are effective for the resource they are assigned to and all of that resource's descendants.

For example, a user assigned the viewer role in an organization also has viewer role permissions for projects within the organization. Similarly, a user assigned the contributor role in a project also has contributor role permissions for resources within the project.

If a user has a viewer role in an organization and an admin role on a project in the same organization, the user receives a concatenation of viewer and admin role permissions within that specific project.

Add new role assignment

To assign roles at a fine-grained level using the HCP platform, users must have one of the following permissions:

owner role for the HCP organization
admin role for the HCP organization
Organization IAM policies administrator role

To assign a new role:

At the top, click the dropdown to open the organization and project selector. Select View all organizations.
Click the name of the organization.
From the Organization dashboard, click Access Control (IAM).
Click Add new assignment. If you are not an organization's owner, this option does not appear.
Enter the user's email address.

You can change the user's role assignment and the service associated with that role assignment using the drop-down menus. When you set a role assignment for all services, it sets the user's role in the organization.

Organization level roles and permissions

The following table describes the roles and permissions available at the organizational level.

HCP Organization Permissions	Owner	Admin	Contributor	Viewer	Browser	No role
Add and delete users	✅	✅	❌	❌	❌	❌
Manage user permissions	✅	✅	❌	❌	❌	❌
Add or remove owners	✅	❌	❌	❌	❌	❌
View users	✅	✅	✅	✅	✅	✅
View groups	✅	✅	✅	✅	✅	✅
Manage service principals	✅	✅	❌	❌	❌	❌
Manage groups	✅	✅	❌	❌	❌	❌
View current billing status	✅	✅	✅	✅	❌	❌
Create projects	✅	✅	✅	❌	❌	❌
View projects	✅	✅	✅	✅	✅	❌
View project resources	✅	✅	✅	✅	❌	❌
Request Organization deletion	✅	❌	❌	❌	❌	❌
Manage SSO configuration	✅	✅	❌	❌	❌	❌
Manage billing resources	✅	✅	❌	❌	❌	❌

The following tables provide additional ways to understand permissions, based on needs such as billing and SSO management.

HCP organization permissions	Organization IAM policies administrator	Project Creator
Add and delete users	❌	❌
Manage user permissions	✅	❌
View users	✅	✅
View groups	✅	✅
Manage service principals	❌	❌
Manage groups	❌	❌
View current billing status	❌	❌
Create projects	❌	✅
View projects	✅	❌
View project resources	❌	❌
Request organization deletion	❌	❌
Manage SSO and SCIM configuration	❌	❌
Manage billing resources	❌	❌

HCP Organization permissions	Billing administrator
Add and delete users	❌
Manage user permissions	❌
View users	✅
View groups	✅
Manage service principals	❌
Manage groups	❌
View current billing status	✅
Create projects	❌
View projects	✅
View project resources	❌
Request organization deletion	❌
Manage SSO and SCIM configuration	❌
Manage billing resources	✅

HCP organization permissions	Group administrator	SSO administrator
Add and delete users	❌	❌
Manage user permissions	❌	❌
View users	✅	✅
View groups	✅	✅
Manage service principals	❌	❌
Manage groups	✅	❌
View current billing status	❌	❌
Create projects	❌	❌
View projects	❌	❌
View project resources	❌	❌
Request organization deletion	❌	❌
Manage SSO and SCIM configuration	❌	✅
Manage billing resources	❌	❌

HCP Terraform organization permission	Admin	Contributor	Viewer
Owner-level permissions	✅	❌	❌
View all projects	✅	✅	✅
Manage all projects	✅	✅	❌
View all workspaces	✅	✅	✅
Manage all workspaces	✅	✅	❌
Manage organization access	✅	❌	❌
Include secret groups	✅	❌	❌
Manage policies	✅	❌	❌
Manage policy overrides	✅	❌	❌
Manage run tasks	✅	❌	❌
Manage version control settings	✅	❌	❌
Manage agent pools	✅	❌	❌
Manage private registry modules	✅	❌	❌
Manage private registry providers	✅	❌	❌
Manage public registry modules	✅	❌	❌
Manage public registry providers	✅	❌	❌
Members can manage API tokens	✅	✅	❌

To learn more about each permission, refer to HCP Terraform organization permissions.

A user can be a part of an organization with no roles assigned directly to them through the SSO default role settings or IAM settings. To enforce least-privileged access, new users will have a limited experience within the platform until an Admin assigns either an organization or project role to the user.

View current role assignments

To view a list of current role assignments in an organization, perform the following steps:

At the top, click the dropdown to open the organization and project selector. Select View all organizations.
Click the name of the organization.
From the Organization dashboard, click Access Control (IAM).

The Role assignments page lists the currently assigned roles and provides an interface to search and filter the current assignments.

Project level roles and permissions

The following tables describe role permissions scope to the project level.

HCP project permissions	Owner	Admin	Contributor	Viewer	Browser
View project	✅	✅	✅	✅	✅
View project resources	✅	✅	✅	✅	❌
Edit project permissions	✅	✅	❌	❌	❌
Delete project	✅	✅	❌	❌	❌
Create and delete project resources	✅	✅	✅	❌	❌
Manage project service principals	✅	✅	❌	❌	❌

HCP project permissions	App manager	App secrets reader	Integration manager	Integration reader
View project	✅	✅	❌	❌
View project resources	✅	✅	❌	❌
Edit project permissions	❌	❌	❌	❌
Delete project	❌	❌	❌	❌
Create and delete project Vault Secrets resources	✅	❌	❌	❌
Manage project service principals	❌	❌	❌	❌
Create sync integrations	❌	❌	✅	❌
Manage sync integrations	❌	❌	✅	❌
Delete sync integrations	❌	❌	✅	❌
Connect sync integrations	❌	❌	✅	❌
Disconnect sync integrations	❌	❌	✅	❌
Get integrations	❌	❌	✅	✅
List integrations	❌	❌	✅	✅
Create integrations	✅	❌	✅	❌
Update integrations	✅	❌	✅	❌
Delete integrations	✅	❌	✅	❌
Read rotating secrets	✅	✅	✅	❌
Create rotating secrets	❌	❌	✅	❌
Edit rotating secrets	✅	❌	✅	❌
Delete rotating secrets	✅	❌	✅	❌
Generate dynamic secrets credentials	✅	✅	✅	❌
Create dynamic secrets	❌	❌	✅	❌
Edit dynamic secrets	❌	❌	✅	❌
Delete dynamic secrets	✅	❌	✅	❌

From the IAM tab in the HCP UI, you can assign the App Manager, App Secrets Reader, Integration Manager, or Integration Reader roles to Users, Service Principals, and Groups at the Project level.

Refer to the HCP Vault Secrets documentation for more details.

HCP project permissions	Project IAM policies administrator
View project	✅
View project resources	❌
Edit project permissions	✅
Delete project	❌
Create and delete project resources	❌
Manage project service principals	❌
Manage group role for project	✅

HCP Terraform permission name	Admin role	Contributor role	Viewer
Read project	✅	✅	✅
Update project	✅	❌	❌
Delete project	✅	❌	❌
Create workspaces	✅	❌	❌
Move workspaces	✅	❌	❌
Delete workspaces	✅	❌	❌
Manage teams	✅	❌	❌
Apply runs	✅	❌	❌
Plan runs	✅	❌	❌
Read runs	✅	❌	✅
Read and write variables	✅	❌	❌
Read variables	✅	❌	✅
Manage variable sets	✅	❌	❌
Read variable sets	✅	❌	❌
Read and write state	✅	❌	❌
Read state	✅	❌	✅
Download Sentinel mocks	✅	❌	❌
Lock/unlock workspaces	✅	❌	❌
Manage workspace Run Tasks	✅	❌	❌

To learn more about each permission, refer to HCP Terraform project permissions.

Assign a project role

To narrow the scope of user permissions, you can set a role on the project level. To add a user to a project, you have to invite the user to the organization first.

Select the target project.
Click Access Control (IAM) in the sidebar to navigate to the project’s role assignments list.
Select the username.
Select one or more roles to set the user’s permissions for the project. Refer to the project role tables for information about the roles you can assign.
Click Save.

Role names and role IDs

To interact with the HCP Access Management system using the HCP Terraform provider or public APIs, you must properly format the role IDs you reference. The following able lists role names and the formatting of their Role IDs.

Role name	Role ID
Owner	`roles/owner`
Admin	`roles/admin`
Contributor	`roles/contributor`
Viewer	`roles/viewer`
Browser	`roles/resource-manager.browser`

Role Name	Role ID
App Manager	`roles/secrets.app-manager`
App Secrets Reader	`roles/secrets.app-secret-reader`
Integration Manager	`roles/secrets.integration-manager`
Integration Reader	`roles/secrets.integration-reader`

Role name	Role ID
Project IAM policies administrator	`roles/resource-manager.project-iam-policies-admin`
Organization IAM policies administrator	`roles/resource-manager.org-iam-policies-admin`
Project Creator	`roles/resource-manager.project-creator`

Role Name	Role ID
Group Administrator	`roles/iam.group-admin`
SSO Administrator	`roles/iam.sso-admin`