Project Permissions

Overview

Infisical’s project permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the project level, these permissions determine what actions users/machines can perform on various resources within a specific project. Each permission consists of:

Subject: The resource the permission applies to (e.g., secrets, members, settings)
Action: The operation that can be performed (e.g., read, create, edit, delete)

Some project-level resources—specifically secrets, secret-folders, secret-imports, dynamic-secrets, secret-syncs, secret-rotation, identity, app-connections, mcp-endpoints, and pam-accounts—support conditional permissions and permission inversion for more granular access control. Conditions allow you to specify criteria (like environment, secret path, tags, app connection ID, identity ID, resource name, or endpoint name) that must be met for the permission to apply.

Available Project Permissions

Below is a comprehensive list of all available project-level subjects and their supported actions.

Core Platform & Access Control

Subject: `role`

Action	Description
`read`	View project roles and their assigned permissions
`create`	Create new project roles
`edit`	Modify existing project roles
`delete`	Remove project roles

Subject: `member`

Action	Description
`read`	View project members
`create`	Add new members to the project
`edit`	Modify member details
`delete`	Remove members from the project
`grant-privileges`	Change permission levels of project members

Subject: `groups`

Action	Description
`read`	View project groups
`create`	Create new groups within the project
`edit`	Modify existing groups
`delete`	Remove groups from the project
`grant-privileges`	Change permission levels of project groups

Subject: `identity`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View project identities	`identityId`
`create`	Add new identities to project	`identityId`
`edit`	Modify project identities	`identityId`
`delete`	Remove identities from project	`identityId`
`grant-privileges`	Change permission levels of project identities	`identityId`

Subject: `settings`

Action	Description
`read`	View project settings
`create`	Add new project configuration settings
`edit`	Modify project settings
`delete`	Remove project settings

Subject: `environments`

Action	Description
`read`	View project environments
`create`	Add new environments to the project
`edit`	Modify existing environments
`delete`	Remove environments from the project

Subject: `tags`

Action	Description
`read`	View project tags
`create`	Create new tags for organizing resources
`edit`	Modify existing tags
`delete`	Remove tags from the project

Subject: `project`

Action	Description
`edit`	Modify workspace settings
`delete`	Delete the workspace

Subject: `ip-allowlist`

Action	Description
`read`	View IP allowlists
`create`	Add new IP addresses or ranges to allowlists
`edit`	Modify existing IP allowlist entries
`delete`	Remove IP addresses from allowlists

Subject: `audit-logs`

Action	Description
`read`	View audit logs of actions performed within the project

Subject: `integrations`

Action	Description
`read`	View configured integrations
`create`	Add new third-party integrations
`edit`	Modify integration settings
`delete`	Remove integrations

Subject: `webhooks`

Action	Description
`read`	View webhook configurations
`create`	Add new webhooks
`edit`	Modify webhook endpoints or triggers
`delete`	Remove webhooks

Subject: `service-tokens`

Action	Description
`read`	View service tokens
`create`	Create new service tokens for API access
`edit`	Modify token properties
`delete`	Revoke or remove service tokens

Subject: `app-connections`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read-app-connections`	View app connection configurations	`connectionId`
`create-app-connections`	Create new app connections	`connectionId`
`edit-app-connections`	Modify existing app connections	`connectionId`
`delete-app-connections`	Remove app connections	`connectionId`
`connect-app-connections`	Use app connections	`connectionId`

Secrets Management

Subject: `secrets`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View secrets and their values. This action is the equivalent of granting both `describeSecret` and `readValue`. The `read` action is considered legacy. You should use the `describeSecret` and/or `readValue` actions instead.	`environment`, `secretPath`, `secretName`, `secretTags`
`describeSecret`	View secret details such as key, path, metadata, tags, and more. If you are using the API, you can pass `viewSecretValue: false` to the API call to retrieve secrets without their values.	`environment`, `secretPath`, `secretName`, `secretTags`
`readValue`	View the value of a secret. In order to read secret values, the `describeSecret` action must also be granted.	`environment`, `secretPath`, `secretName`, `secretTags`
`create`	Add new secrets to the project	`environment`, `secretPath`, `secretName`, `secretTags`
`edit`	Modify existing secret values	`environment`, `secretPath`, `secretName`, `secretTags`
`delete`	Remove secrets from the project	`environment`, `secretPath`, `secretName`, `secretTags`
`importSecret`	Import secrets	`environment`
`duplicateSecret`	Duplicate secrets	`environment`, `secretPath`, `secretName`

Subject: `secret-folders`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View secret folders	`environment`, `secretPath`
`create`	Create new folders	`environment`, `secretPath`
`edit`	Modify folder properties	`environment`, `secretPath`
`delete`	Remove secret folders	`environment`, `secretPath`

Subject: `secret-imports`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View secret imports	`environment`, `secretPath`
`create`	Create secret imports	`environment`, `secretPath`
`edit`	Modify secret imports	`environment`, `secretPath`
`delete`	Remove secret imports	`environment`, `secretPath`

Subject: `secret-event-subscriptions`

Action	Description
`subscribe-to-creation-events`	Subscribe to events when secrets are created
`subscribe-to-update-events`	Subscribe to events when secrets are updated
`subscribe-to-deletion-events`	Subscribe to events when secrets are deleted
`subscribe-to-import-mutation-events`	Subscribe to events when secrets are modified through imports

Subject: `secret-rollback`

Action	Description
`read`	View secret versions and snapshots
`create`	Roll back secrets to snapshots

Subject: `commits`

Action	Description
`read`	View commits and changes across folders
`perform-rollback`	Roll back commits changes and restore folders to previous state

Subject: `secret-approval`

Action	Description
`read`	View approval policies and requests
`create`	Create new approval policies
`edit`	Modify approval policies
`delete`	Remove approval policies
`allow-change-bypass`	Allow request creators to merge changes without approval in break-glass situations
`allow-access-bypass`	Allow request creators to access secrets without approval in break-glass situations

Subject: `secret-approval-request`

Action	Description
`read`	List and view all secret approval requests in the project

Project admins and users with Secret Approval Requests (secret-approval-request) Read can view all approval requests; others only see requests where they are committer or approver. Secret values in requests follow secrets.readValue for the secret’s environment/path, or reviewer access.

Subject: `secret-rotation`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View secret rotation configurations	`environment`, `secretPath`, `connectionId`
`read-generated-credentials`	View the generated credentials of a rotation	`environment`, `secretPath`, `connectionId`
`create`	Set up secret rotation configurations	`environment`, `secretPath`, `connectionId`
`edit`	Modify secret rotation configurations	`environment`, `secretPath`, `connectionId`
`rotate-secrets`	Rotate the generated credentials of a rotation	`environment`, `secretPath`, `connectionId`
`delete`	Remove secret rotation configurations	`environment`, `secretPath`, `connectionId`

Subject: `secret-syncs`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View secret synchronization configurations	`environment`, `secretPath`, `connectionId`
`create`	Create new sync configurations	`environment`, `secretPath`, `connectionId`
`edit`	Modify existing sync settings	`environment`, `secretPath`, `connectionId`
`delete`	Remove sync configurations	`environment`, `secretPath`, `connectionId`
`sync-secrets`	Execute synchronization of secrets between systems	`environment`, `secretPath`, `connectionId`
`import-secrets`	Import secrets from sync sources	`environment`, `secretPath`, `connectionId`
`remove-secrets`	Remove secrets from sync destinations	`environment`, `secretPath`, `connectionId`

Subject: `dynamic-secrets`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read-root-credential`	View dynamic secret configurations	`environment`, `secretPath`, `metadata`
`create-root-credential`	Create dynamic secrets	`environment`, `secretPath`, `metadata`
`edit-root-credential`	Edit dynamic secrets	`environment`, `secretPath`, `metadata`
`delete-root-credential`	Remove dynamic secrets	`environment`, `secretPath`, `metadata`
`lease`	Create dynamic secret leases	`environment`, `secretPath`, `metadata`

Key Management Service (KMS)

Subject: `kms`

Action	Description
`edit`	Modify project KMS settings

Subject: `cmek`

Action	Description
`read`	View Customer-Managed Encryption Keys
`create`	Add new encryption keys
`edit`	Modify key properties
`delete`	Remove encryption keys
`encrypt`	Use keys for encryption operations
`decrypt`	Use keys for decryption operations
`sign`	Use keys for signing operations
`verify`	Use keys for signature verification operations
`export-private-key`	Export key material (private key for asymmetric, secret key for symmetric)

Public Key Infrastructure (PKI)

Subject: `certificate-authorities`

Action	Description
`read`	View certificate authorities
`create`	Create new certificate authorities
`edit`	Modify CA configurations
`delete`	Remove certificate authorities

Subject: `certificates`

Action	Description
`read`	View certificates
`read-private-key`	Read certificate private key
`create`	Issue new certificates
`delete`	Revoke or remove certificates

Subject: `certificate-profiles`

Action	Description
`read`	View certificate profiles
`create`	Create new certificate profiles
`edit`	Modify profile configurations
`delete`	Remove certificate profiles
`issue-cert`	Issue new certificates

Subject: `certificate-policies`

Action	Description
`read`	View certificate policies
`create`	Create new certificate policies
`edit`	Modify policy configurations
`delete`	Remove certificate policies

Subject: `pki-alerts`

Action	Description
`read`	View PKI alert configurations
`create`	Create new alerts for certificate expiry or other PKI events
`edit`	Modify alert settings
`delete`	Remove PKI alerts

Subject: `pki-collections`

Action	Description
`read`	View PKI resource collections
`create`	Create new collections for organizing PKI resources
`edit`	Modify collection properties
`delete`	Remove PKI collections

Subject: `pki-discovery`

Action	Description
`read`	View PKI discovery configurations
`create`	Create new discovery jobs
`edit`	Modify discovery job configurations
`delete`	Remove discovery jobs
`run-scan`	Trigger discovery scans

Subject: `pki-certificate-installations`

Action	Description
`read`	View certificate installations
`edit`	Modify certificate installations
`delete`	Remove certificate installations

Secret Scanning

Subject: `secret-scanning-data-sources`

Action	Description
`read-data-sources`	View Data Sources
`create-data-sources`	Create new Data Sources
`edit-data-sources`	Modify Data Sources
`delete-data-sources`	Remove Data Sources
`read-data-source-resources`	View Data Source Resources
`read-data-source-scans`	View Data Source Scans
`trigger-data-source-scans`	Trigger Data Source Secret Scans

Subject: `secret-scanning-findings`

Action	Description
`read-findings`	View Secret Scanning Findings
`update-findings`	Update Secret Scanning Findings

Subject: `secret-scanning-configs`

Action	Description
`read-configs`	View Secret Scanning Project Configuration
`update-configs`	Update Secret Scanning Project Configuration

Agent Sentinel

Subject: `mcp-endpoints`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View MCP endpoints	`name`
`create`	Create new MCP endpoints	`name`
`edit`	Modify MCP endpoint configurations	`name`
`delete`	Remove MCP endpoints	`name`
`connect`	Connect AI clients to MCP endpoints	`name`

Privileged Access Management (PAM)

Subject: `pam-accounts`

Supports conditions and permission inversion.

Action	Description	Condition keys
`read`	View PAM accounts the identity is allowed to use	`resourceName`, `accountName`
`access`	Request or use access to PAM accounts	`resourceName`, `accountName`

Condition Operators

When defining conditions for permissions, you can use the following operators to match values:

Operator	Description	Type
`$eq`	Equals (exact string match)	`string`
`$ne`	Not equals	`string`
`$in`	In array (matches any value in list)	`string[]`
`$glob`	Glob pattern matching (supports `*` and `?` wildcards)	`string`
`$elemMatch`	Element match for nested objects/arrays	`object`

Condition Keys Reference

The following condition keys can be used to restrict permissions. Each key is available only for specific subjects as indicated in the tables above.

Condition key	Description	Type
`environment`	The environment slug (e.g., dev, staging, prod)	`string`
`secretPath`	The path within an environment (e.g., /app/config)	`string`
`secretName`	The name of a specific secret	`string`
`secretTags`	Tags associated with secrets	`string[]`
`metadata`	Key-value metadata pairs (use with `$elemMatch`)	`object`
`connectionId`	Connection identifier for rotations/syncs	`string`
`identityId`	Machine identity identifier	`string`
`name`	Resource name	`string`
`resourceName`	PAM resource name	`string`
`accountName`	PAM account name	`string`

Usage Examples

These permission objects are used when creating or updating custom project roles via the API. Each permission in the permissions array defines what actions a role can perform on which resources.

Creating a role with production-only secret access

Create a custom role that can only read secrets in the production environment:

curl --request POST \
  --url https://app.infisical.com/api/v1/projects/{projectId}/roles \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "slug": "production-reader",
    "name": "Production Reader",
    "permissions": [
      {
        "subject": "secrets",
        "action": ["describeSecret", "readValue"],
        "conditions": {
          "environment": { "$eq": "production" }
        }
      }
    ]
  }'

Creating a role with path-scoped access

Create a role that can only manage secrets under /app/config/:

curl --request POST \
  --url https://app.infisical.com/api/v1/projects/{projectId}/roles \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "slug": "config-manager",
    "name": "Config Manager",
    "permissions": [
      {
        "subject": "secrets",
        "action": ["describeSecret", "readValue", "edit"],
        "conditions": {
          "secretPath": { "$glob": "/app/config/**" }
        }
      }
    ]
  }'

Creating a role for PAM access to specific resources

Create a role that grants PAM access only to specific database resources:

curl --request POST \
  --url https://app.infisical.com/api/v1/projects/{projectId}/roles \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "slug": "db-readonly-access",
    "name": "Database Read-Only Access",
    "permissions": [
      {
        "subject": "pam-accounts",
        "action": ["read", "access"],
        "conditions": {
          "resourceName": { "$in": ["prod-db-1", "prod-db-2"] },
          "accountName": { "$glob": "readonly-*" }
        }
      }
    ]
  }'

Getting Started

Platform Reference

Connectivity

Authentication Methods

Self-host Infisical

Internals

Contributing

​Overview

​Available Project Permissions

​Core Platform & Access Control

​Subject: role

​Subject: member

​Subject: groups

​Subject: identity

​Subject: settings

​Subject: environments

​Subject: tags

​Subject: project

​Subject: ip-allowlist

​Subject: audit-logs

​Subject: integrations

​Subject: webhooks

​Subject: service-tokens

​Subject: app-connections

​Secrets Management

​Subject: secrets

​Subject: secret-folders

​Subject: secret-imports

​Subject: secret-event-subscriptions

​Subject: secret-rollback

​Subject: commits

​Subject: secret-approval

​Subject: secret-approval-request

​Subject: secret-rotation

​Subject: secret-syncs

​Subject: dynamic-secrets

​Key Management Service (KMS)

​Subject: kms

​Subject: cmek

​Public Key Infrastructure (PKI)

​Subject: certificate-authorities

​Subject: certificates

​Subject: certificate-profiles

​Subject: certificate-policies

​Subject: pki-alerts

​Subject: pki-collections

​Subject: pki-discovery

​Subject: pki-certificate-installations

​Secret Scanning

​Subject: secret-scanning-data-sources

​Subject: secret-scanning-findings

​Subject: secret-scanning-configs

​Agent Sentinel

​Subject: mcp-endpoints

​Privileged Access Management (PAM)

​Subject: pam-accounts

​Condition Operators

​Condition Keys Reference

​Usage Examples

​Creating a role with production-only secret access

​Creating a role with path-scoped access

​Creating a role for PAM access to specific resources

Overview

Available Project Permissions

Core Platform & Access Control

Subject: `role`

Subject: `member`

Subject: `groups`

Subject: `identity`

Subject: `settings`

Subject: `environments`

Subject: `tags`

Subject: `project`

Subject: `ip-allowlist`

Subject: `audit-logs`

Subject: `integrations`

Subject: `webhooks`

Subject: `service-tokens`

Subject: `app-connections`

Secrets Management

Subject: `secrets`

Subject: `secret-folders`

Subject: `secret-imports`

Subject: `secret-event-subscriptions`

Subject: `secret-rollback`

Subject: `commits`

Subject: `secret-approval`

Subject: `secret-approval-request`

Subject: `secret-rotation`

Subject: `secret-syncs`

Subject: `dynamic-secrets`

Key Management Service (KMS)

Subject: `kms`

Subject: `cmek`

Public Key Infrastructure (PKI)

Subject: `certificate-authorities`

Subject: `certificates`

Subject: `certificate-profiles`

Subject: `certificate-policies`

Subject: `pki-alerts`

Subject: `pki-collections`

Subject: `pki-discovery`

Subject: `pki-certificate-installations`

Secret Scanning

Subject: `secret-scanning-data-sources`

Subject: `secret-scanning-findings`

Subject: `secret-scanning-configs`

Agent Sentinel

Subject: `mcp-endpoints`

Privileged Access Management (PAM)

Subject: `pam-accounts`

Condition Operators

Condition Keys Reference

Usage Examples

Creating a role with production-only secret access

Creating a role with path-scoped access

Creating a role for PAM access to specific resources