Additional Privileges

Infisical’s role-based access controls let you define predefined permission sets for users and machine identities. However, there are cases where a specific user or machine identity needs access beyond what their assigned roles provide — without creating an entirely new role. Additional Privileges let you grant scoped, fine-grained permissions to individual users or machine identities within a project. Use them when you need to:

Grant access to a specific secret path that the member’s current role doesn’t cover.
Provide temporary, time-bound access for a particular task or incident.
Layer extra permissions on top of existing roles without affecting other members who share those roles.

If you find yourself assigning the same additional privileges repeatedly, consider creating a custom role instead.

Adding Additional Privileges

Additional privileges can be configured through the Infisical Dashboard or the API. The steps below apply to both users and machine identities.

Infisical UI
API

Select the user or machine identity

Navigate to the Access Controls page of your project and click on the user or machine identity you want to grant additional privileges to. Select a member

Add additional privileges

In the member detail view, click the Add Additional Privileges button. This opens a configuration panel for the new privilege.

Add policies

Click the Add Policies button to open the policy selector dropdown.

Select the policies to apply

Choose the policies you want to include in this additional privilege from the dropdown. Policy selector dropdown

Configure the privilege

Fill in the privilege details and configure each policy you selected:

Privilege Name — A slug-friendly identifier for the privilege.
Duration — How long the privilege remains active. Defaults to Permanent. Set a limited duration for temporary access grants.
Policies — The specific permission policies (e.g., read/write access to certain secret paths) included in this privilege.

Save the privilege

Click Save to apply the additional privilege. It takes effect immediately.

Verify the privilege

The new additional privilege now appears in the member’s detail page. You can edit or remove it at any time from here. Additional privilege created

The API for managing additional privileges is only supported for machine identities. To manage additional privileges for users, use the Infisical UI.

To create an additional privilege for a machine identity, make a POST request to the Create Identity Privilege endpoint:

curl --request POST \
  --url https://us.infisical.com/api/v2/identity-project-additional-privilege \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "identityId": "<identity-id>",
    "projectId": "<project-id>",
    "slug": "read-secrets-prod",
    "permissions": [
      {
        "subject": "secrets",
        "action": ["read", "readValue"],
        "conditions": {
          "environment": {
            "$eq": "production"
          }
        }
      }
    ]
  }'

Sample Response

{
  "privilege": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "slug": "read-secrets-prod",
    "isTemporary": false,
    "temporaryMode": null,
    "temporaryRange": null,
    "temporaryAccessStartTime": null,
    "temporaryAccessEndTime": null,
    "permissions": [
      {
        "subject": "secrets",
        "action": ["read", "readValue"],
        "conditions": {
          "environment": {
            "$eq": "production"
          }
        }
      }
    ],
    "createdAt": "2024-09-01T12:00:00.000Z",
    "updatedAt": "2024-09-01T12:00:00.000Z"
  }
}

For the full list of request parameters, supported subjects, actions, and condition operators, see the API reference.

Getting Started

Platform Reference

Connectivity

Authentication Methods

Self-host Infisical

Internals

Contributing

Additional Privileges

Adding Additional Privileges

Sample Response

Getting Started

Platform Reference

Connectivity

Authentication Methods

Self-host Infisical

Internals

Contributing

​Adding Additional Privileges

​Sample Response

Adding Additional Privileges

Sample Response