HashiCorp Cloud Platform
Users
This page describes how to add users to your HashiCorp Cloud Platform (HCP) account and manage their access to resources.
Introduction
When you sign up for a HashiCorp Cloud Platform (HCP) account for the first time, the HCP Portal takes you to the create organization page to set up your organization. You can invite additional users to the organization so that they can access the resources.
Invite users
Use the following procedure to invite users to your organization by email. The organization admin role is required to invite and manage users.
- Log into HCP Portal and choose your organization.
- Click Access Control (IAM) in the sidebar and click +Invite user.
- Enter their email address and click Add. You can repeat this step to continue adding users.
- Choose a role from the Assign role drop-down menu and click Invite. Refer to User permissions for information about the roles you can assign.
Resend a pending invite
To resend an invite to a specific user:
- Click Access Control (IAM) in the sidebar.
- Click Pending invites.
- Click on the dropdown of the user you want to resend an invite to and click Resend invite.
Manage users
You can remove user access or change roles from the Users screen. You must have admin permissions to invite and manage users.
- Log into HCP Portal and choose your organization.
- Click Access Control (IAM) in the sidebar.
- Click on a user name.
- You can perform the following actions:
  - Click Remove to delete the user from your organization.
  - Choose a new role from the Role drop-down menu.
- Click Save.
User permissions
HCP uses a role-based access control (RBAC) system to enable members of your organizations and projects to perform actions in HCP and interact with resources. Some HCP applications allow you to assign roles for specific resources, such as an HCP Packer bucket. Refer to the individual HCP service's documentation for more information.
Types of Roles
You can configure HCP roles for an organization at two levels:
- Basic roles control permissions for all services in an organization. Basic roles are useful when you initially set up and adopt HCP, but you should replace them with fine-grained roles when adding production workloads.
- Fine-grained roles control permissions for one or more services. We recommend using fine-grained roles for access management when using HCP to manage production workloads and interact with production networks.
Inheritance
Each resource in an HCP organization has an IAM policy associated with it that sets the level of access allowed on that resource. This IAM policy is a data structure that provides a mapping of roles to principals assigned to that resource.

Users inherit role permissions according to the following hierarchy:
- Role assigned in the organization.
- Role assigned in the project.
- Role assigned for the resource.
Permissions are inherited through the resource hierarchy: they are effective for the resource they are assigned to and for all of that resource's descendants.
For example, a user assigned the viewer role in an organization also has viewer role permissions for projects within the organization. Similarly, a user assigned the contributor role in a project also has contributor role permissions for resources within the project.
If a user has a viewer role in an organization and an admin role on a project in the same organization, the user receives a concatenation of viewer and admin role permissions within that specific project.
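The following added example (not HCP code and not HCP's API or policy format) models the inheritance rules above so you can audit who effectively holds which role on a resource. The hierarchy, resource names, and email addresses are constructed for illustration; only the role names viewer, contributor, and admin come from this page.

```python
from collections import defaultdict

# Constructed hierarchy: child -> parent. The organization is the root.
PARENT = {
    "project/web": "organization/acme",
    "project/data": "organization/acme",
    "resource/web/packer-bucket": "project/web",
}

# One IAM policy per resource: a mapping of role -> principals (constructed data).
POLICIES = {
    "organization/acme": {"viewer": {"alice@example.com", "bob@example.com"}},
    "project/web": {"admin": {"alice@example.com"},
                    "contributor": {"carol@example.com"}},
    "resource/web/packer-bucket": {"viewer": {"dave@example.com"}},
}

def ancestors_and_self(node):
    """Yield the node itself, then each ancestor up to the organization."""
    while node is not None:
        yield node
        node = PARENT.get(node)

def effective_roles(principal, node):
    """Return {role: level where it was granted} for a principal on a node.

    Bindings on the node and on every ancestor apply; bindings on
    descendants or sibling projects do not.
    """
    found = {}
    for level in ancestors_and_self(node):
        for role, members in POLICIES.get(level, {}).items():
            if principal in members:
                found.setdefault(role, level)  # keep the nearest grant
    return found

def access_report(node):
    """Return {principal: sorted roles} for everyone with access to a node."""
    report = defaultdict(set)
    for level in ancestors_and_self(node):
        for role, members in POLICIES.get(level, {}).items():
            for principal in members:
                report[principal].add(role)
    return {p: sorted(roles) for p, roles in report.items()}

if __name__ == "__main__":
    for who, roles in sorted(access_report("resource/web/packer-bucket").items()):
        print(who, roles)
```

Running the report against a production resource shows every principal whose access comes from an organization- or project-level grant, which is where broad roles are easiest to overlook during an access review.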
Access management
For more information about permissions, the different types of roles, and how they can be used within HCP, refer to the Access Management page.