Overview
Infisical’s project permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the project level, these permissions determine what actions users/machines can perform on various resources within a specific project.
Each permission consists of:
- Subject: The resource the permission applies to (e.g., secrets, members, settings)
- Action: The operation that can be performed (e.g., read, create, edit, delete)
Some project-level resources—specifically secrets
, secret-folders
, secret-imports
, and dynamic-secrets
—support conditional permissions and permission inversion for more granular access control. Conditions allow you to specify criteria (like environment, secret path, or tags) that must be met for the permission to apply.
Available Project Permissions
Below is a comprehensive list of all available project-level subjects and their supported actions.
Subject: role
Action | Description |
---|
read | View project roles and their assigned permissions |
create | Create new project roles |
edit | Modify existing project roles |
delete | Remove project roles |
Subject: member
Action | Description |
---|
read | View project members |
create | Add new members to the project |
edit | Modify member details |
delete | Remove members from the project |
grant-privileges | Change permission levels of project members |
Subject: groups
Action | Description |
---|
read | View project groups |
create | Create new groups within the project |
edit | Modify existing groups |
delete | Remove groups from the project |
grant-privileges | Change permission levels of project groups |
Subject: identity
Action | Description |
---|
read | View project identities |
create | Add new identities to project |
edit | Modify project identities |
delete | Remove identities from project |
grant-privileges | Change permission levels of project identities |
Subject: settings
Action | Description |
---|
read | View project settings |
create | Add new project configuration settings |
edit | Modify project settings |
delete | Remove project settings |
Subject: environments
Action | Description |
---|
read | View project environments |
create | Add new environments to the project |
edit | Modify existing environments |
delete | Remove environments from the project |
Action | Description |
---|
read | View project tags |
create | Create new tags for organizing resources |
edit | Modify existing tags |
delete | Remove tags from the project |
Subject: workspace
Action | Description |
---|
edit | Modify workspace settings |
delete | Delete the workspace |
Subject: ip-allowlist
Action | Description |
---|
read | View IP allowlists |
create | Add new IP addresses or ranges to allowlists |
edit | Modify existing IP allowlist entries |
delete | Remove IP addresses from allowlists |
Subject: audit-logs
Action | Description |
---|
read | View audit logs of actions performed within the project |
Subject: integrations
Action | Description |
---|
read | View configured integrations |
create | Add new third-party integrations |
edit | Modify integration settings |
delete | Remove integrations |
Subject: webhooks
Action | Description |
---|
read | View webhook configurations |
create | Add new webhooks |
edit | Modify webhook endpoints or triggers |
delete | Remove webhooks |
Subject: service-tokens
Action | Description |
---|
read | View service tokens |
create | Create new service tokens for API access |
edit | Modify token properties |
delete | Revoke or remove service tokens |
Secrets Management
Subject: secrets
Supports conditions and permission inversion
Action | Description | Notes |
---|
read | View secrets and their values | This action is the equivalent of granting both describeSecret and readValue . The read action is considered legacy. You should use the describeSecret and/or readValue actions instead. |
describeSecret | View secret details such as key, path, metadata, tags, and more | If you are using the API, you can pass viewSecretValue: false to the API call to retrieve secrets without their values. |
readValue | View the value of a secret. | In order to read secret values, the describeSecret action must also be granted. |
create | Add new secrets to the project | |
edit | Modify existing secret values | |
delete | Remove secrets from the project | |
Subject: secret-folders
Supports conditions and permission inversion
Action | Description |
---|
read | View secret folders |
create | Create new folders |
edit | Modify folder properties |
delete | Remove secret folders |
Subject: secret-imports
Supports conditions and permission inversion
Action | Description |
---|
read | View secret imports |
create | Create secret imports |
edit | Modify secret imports |
delete | Remove secret imports |
Subject: secret-rollback
Action | Description |
---|
read | View secret versions and snapshots |
create | Roll back secrets to snapshots |
Subject: secret-approval
Action | Description |
---|
read | View approval policies and requests |
create | Create new approval policies |
edit | Modify approval policies |
delete | Remove approval policies |
Subject: secret-rotation
Action | Description |
---|
read | View secret rotation policies |
create | Set up automatic secret rotation |
edit | Modify rotation schedules or policies |
delete | Remove rotation policies |
Subject: secret-syncs
Action | Description |
---|
read | View secret synchronization configurations |
create | Create new sync configurations |
edit | Modify existing sync settings |
delete | Remove sync configurations |
sync-secrets | Execute synchronization of secrets between systems |
import-secrets | Import secrets from sync sources |
remove-secrets | Remove secrets from sync destinations |
Subject: dynamic-secrets
Supports conditions and permission inversion
Action | Description |
---|
read-root-credential | View dynamic secret configurations |
create-root-credential | Create dynamic secrets |
edit-root-credential | Edit dynamic secrets |
delete-root-credential | Remove dynamic secrets |
lease | Create dynamic secret leases |
Key Management Service (KMS)
Subject: kms
Action | Description |
---|
edit | Modify project KMS settings |
Subject: cmek
Action | Description |
---|
read | View Customer-Managed Encryption Keys |
create | Add new encryption keys |
edit | Modify key properties |
delete | Remove encryption keys |
encrypt | Use keys for encryption operations |
decrypt | Use keys for decryption operations |
Public Key Infrastructure (PKI)
Subject: certificate-authorities
Action | Description |
---|
read | View certificate authorities |
create | Create new certificate authorities |
edit | Modify CA configurations |
delete | Remove certificate authorities |
Subject: certificates
Action | Description |
---|
read | View certificates |
create | Issue new certificates |
delete | Revoke or remove certificates |
Subject: certificate-templates
Action | Description |
---|
read | View certificate templates |
create | Create new certificate templates |
edit | Modify template configurations |
delete | Remove certificate templates |
Subject: pki-alerts
Action | Description |
---|
read | View PKI alert configurations |
create | Create new alerts for certificate expiry or other PKI events |
edit | Modify alert settings |
delete | Remove PKI alerts |
Subject: pki-collections
Action | Description |
---|
read | View PKI resource collections |
create | Create new collections for organizing PKI resources |
edit | Modify collection properties |
delete | Remove PKI collections |
SSH Certificate Management
Subject: ssh-certificate-authorities
Action | Description |
---|
read | View SSH certificate authorities |
create | Create new SSH certificate authorities |
edit | Modify SSH CA configurations |
delete | Remove SSH certificate authorities |
Subject: ssh-certificates
Action | Description |
---|
read | View SSH certificates |
create | Issue new SSH certificates |
edit | Modify SSH certificate properties |
delete | Revoke or remove SSH certificates |
Subject: ssh-certificate-templates
Action | Description |
---|
read | View SSH certificate templates |
create | Create new SSH certificate templates |
edit | Modify SSH template configurations |
delete | Remove SSH certificate templates |