Skip to main content
Group accounts by who needs access to them. This is the core design principle of Infisical PAM. If the same 10 people need access to the same 5 databases, put those databases in one folder. If a different team needs access to different databases, create a separate folder for them. Common patterns:
  • By teambackend-team, data-engineering, platform
  • By departmentengineering, finance, operations
  • By applicationcheckout-service, payments, user-auth
  • By environment — if different people manage dev vs prod
The right pattern depends on your organization. Folder-level permissions are the primary way to grant access, though you can also assign access directly on individual accounts when needed.

Creating a Folder

1

Navigate to Accounts

Go to Privileged Access Management → Accounts and click Create Folder.
2

Configure the folder

FieldDescription
NameA unique name (e.g., platform-team, checkout-service, us-west-prod)
DescriptionOptional context about what this folder contains
Click Create.
Once created, you can start adding accounts to it. But first, you’ll probably want to set up who can manage this folder.

Managing Access

Access to a folder is controlled through memberships. You assign users or groups a role, and that role determines what they can do.

Adding Members

1

Open the folder

Click on the folder to open its detail page.
2

Go to Permissions

Click the Permissions tab.
3

Add a member

Click Assign Access and configure:
FieldDescription
User/GroupWho you’re granting access to
RoleWhat they can do (see roles below)
ExpiresOptional expiration date for temporary access
Click Add.

Roles

RoleWhat they can do
AdminFull control — accounts, folders, sessions, memberships
ConnectorLaunch sessions and connect to accounts
AuditorView audit logs and session recordings
When you assign a role on a folder, it applies to all accounts inside that folder. This is the main way to grant access — you don’t have to set up permissions on each account individually.

Time-Bound Access

For contractors or temporary team members, set an expiration when adding the membership. The access is automatically revoked when it expires — no manual cleanup needed.

Groups vs Individual Users

You can grant access to individual users or to groups:
  • Individual users — straightforward, easy to audit
  • Groups — access follows group membership; when someone joins or leaves the group, their folder access updates automatically
Groups are managed at the organization level and can sync from identity providers like Okta or Azure AD.

Next Steps

Now that you have a folder, you’ll want to add accounts to it. But before that, you might want to set up templates to define what rules apply to those accounts.

Templates

Define session rules before adding accounts.

Accounts

Add databases and servers to your folder.