> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Organization Permissions

> Comprehensive guide to Infisical's organization-level permissions

## Overview

Infisical's organization permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the organization level, these permissions determine what actions users/machines can perform on various resources across the entire organization.

Each permission consists of:

* **Subject**: The resource the permission applies to (e.g., project, members, billing)
* **Action**: The operation that can be performed (e.g., read, create, edit, delete)

Some organization-level resources—specifically `app-connections`—support conditional permissions and permission inversion for more granular access control.

## Available Organization Permissions

Below is a comprehensive list of all available organization-level subjects and their supported actions, organized by functional area.

### Project Management

#### Subject: `project` (formerly workspace)

| Action           | Description                |
| ---------------- | -------------------------- |
| `create`         | Create new project         |
| `request-access` | Request access to projects |

#### Subject: `sub-organization`

| Action          | Description                                                                               |
| --------------- | ----------------------------------------------------------------------------------------- |
| `create`        | Create new sub-organizations under the root organization                                  |
| `edit`          | Modify existing sub-organizations (e.g., rename, change slug)                             |
| `delete`        | Remove sub-organizations from the root organization                                       |
| `direct-access` | Access and switch into sub-organizations the user has membership in                       |
| `link-group`    | Link a root organization group to a sub-organization (and unlink it). Root org role only. |

### Role Management

#### Subject: `role`

| Action   | Description                                            |
| -------- | ------------------------------------------------------ |
| `read`   | View organization roles and their assigned permissions |
| `create` | Create new organization roles                          |
| `edit`   | Modify existing organization roles                     |
| `delete` | Remove organization roles                              |

### User Management

#### Subject: `member`

| Action   | Description                          |
| -------- | ------------------------------------ |
| `read`   | View organization members            |
| `create` | Add new members to the organization  |
| `edit`   | Modify member details                |
| `delete` | Remove members from the organization |

#### Subject: `groups`

| Action              | Description                                      |
| ------------------- | ------------------------------------------------ |
| `read`              | View organization groups                         |
| `create`            | Create new groups in the organization            |
| `edit`              | Modify existing groups                           |
| `delete`            | Remove groups from the organization              |
| `grant-privileges`  | Change permission levels for organization groups |
| `add-identities`    | Add identities to groups                         |
| `add-members`       | Add members to groups                            |
| `remove-members`    | Remove members from groups                       |
| `remove-identities` | Remove identities from groups                    |

#### Subject: `identity`

| Action             | Description                                         |
| ------------------ | --------------------------------------------------- |
| `read`             | View organization identities                        |
| `create`           | Add new identities to organization                  |
| `edit`             | Modify organization identities                      |
| `delete`           | Remove identities from organization                 |
| `grant-privileges` | Change permission levels of organization identities |
| `revoke-auth`      | Revoke authentication for identities                |
| `create-token`     | Create new authentication tokens                    |
| `delete-token`     | Delete authentication tokens                        |
| `get-token`        | Retrieve authentication tokens                      |

### Security & Compliance

#### Subject: `secret-scanning`

| Action   | Description                               |
| -------- | ----------------------------------------- |
| `read`   | View secret scanning results and settings |
| `create` | Configure secret scanning                 |
| `edit`   | Modify secret scanning settings           |
| `delete` | Remove secret scanning configuration      |

#### Subject: `settings`

| Action   | Description                               |
| -------- | ----------------------------------------- |
| `read`   | View organization settings                |
| `create` | Setup and configure organization settings |
| `edit`   | Modify organization settings              |
| `delete` | Remove organization settings              |

#### Subject: `incident-contact`

| Action   | Description                      |
| -------- | -------------------------------- |
| `read`   | View incident contacts           |
| `create` | Set up new incident contacts     |
| `edit`   | Modify incident contact settings |
| `delete` | Remove incident contacts         |

#### Subject: `audit-logs`

| Action | Description                  |
| ------ | ---------------------------- |
| `read` | View organization audit logs |

#### Subject: `email-domains`

| Action          | Description                               |
| --------------- | ----------------------------------------- |
| `read`          | View configured email domains             |
| `create`        | Add new email domains to the organization |
| `verify-domain` | Verify ownership of an email domain       |
| `delete`        | Remove email domains                      |

### Identity Provider Integration

#### Subject: `sso`

| Action                   | Description                                                                                                                                                                                   |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `read`                   | View Single Sign-On configurations                                                                                                                                                            |
| `create`                 | Set up new SSO integrations                                                                                                                                                                   |
| `edit`                   | Modify existing SSO settings                                                                                                                                                                  |
| `delete`                 | Remove SSO configurations                                                                                                                                                                     |
| `bypass-sso-enforcement` | Bypass enforced SSO at login (break-glass) when the organization has "Allow admins to bypass SSO" enabled. Can be granted to custom roles to allow non-admin users to use break-glass access. |

#### Subject: `scim`

| Action   | Description                   |
| -------- | ----------------------------- |
| `read`   | View SCIM configurations      |
| `create` | Set up new SCIM provisioning  |
| `edit`   | Modify existing SCIM settings |
| `delete` | Remove SCIM configurations    |

#### Subject: `ldap`

| Action   | Description                   |
| -------- | ----------------------------- |
| `read`   | View LDAP configurations      |
| `create` | Set up new LDAP integrations  |
| `edit`   | Modify existing LDAP settings |
| `delete` | Remove LDAP configurations    |

#### Subject: `github-org-sync`

| Action   | Description                              |
| -------- | ---------------------------------------- |
| `read`   | View GitHub organization sync settings   |
| `create` | Set up GitHub organization sync          |
| `edit`   | Modify GitHub organization sync settings |
| `delete` | Remove GitHub organization sync          |

### Billing & Subscriptions

#### Subject: `billing`

| Action           | Description                                      |
| ---------------- | ------------------------------------------------ |
| `read`           | View billing information and subscription status |
| `manage-billing` | Manage billing details and subscription plans    |

### Templates & Automation

#### Subject: `project-templates`

| Action   | Description                       |
| -------- | --------------------------------- |
| `read`   | View project templates            |
| `create` | Create new project templates      |
| `edit`   | Modify existing project templates |
| `delete` | Remove project templates          |

### Integrations

#### Subject: `app-connections`

Supports conditions and permission inversion

| Action               | Description                        |
| -------------------- | ---------------------------------- |
| `read`               | View app connection configurations |
| `create`             | Create new app connections         |
| `edit`               | Modify existing app connections    |
| `delete`             | Remove app connections             |
| `connect`            | Use app connections                |
| `rotate-credentials` | Rotate app connection credentials  |

### Key Management

#### Subject: `kms`

| Action   | Description                          |
| -------- | ------------------------------------ |
| `read`   | View organization KMS configurations |
| `create` | Set up new KMS configurations        |
| `edit`   | Modify KMS settings                  |
| `delete` | Remove KMS configurations            |

#### Subject: `kmip-server`

| Action                      | Description                                             |
| --------------------------- | ------------------------------------------------------- |
| `list-kmip-servers`         | View organization KMIP servers                          |
| `create-kmip-servers`       | Create new KMIP servers                                 |
| `edit-kmip-servers`         | Modify KMIP server settings and authentication          |
| `delete-kmip-servers`       | Remove KMIP servers from the organization               |
| `revoke-kmip-server-access` | Revoke a KMIP server's access and invalidate its tokens |

### Honey Tokens

#### Subject: `honey-tokens`

| Action  | Description                       |
| ------- | --------------------------------- |
| `setup` | Set up and configure honey tokens |

### Admin Tools

#### Subject: `organization-admin-console`

| Action                | Description                                 |
| --------------------- | ------------------------------------------- |
| `access-all-projects` | Access all projects within the organization |

### Secure Share

#### Subject: `secret-share`

| Action            | Description                  |
| ----------------- | ---------------------------- |
| `manage-settings` | Manage secret share settings |

### Gateway Management

#### Subject: `gateway`

| Action                  | Description                                                   |
| ----------------------- | ------------------------------------------------------------- |
| `list-gateways`         | View all organization gateways                                |
| `create-gateways`       | Add new gateways to organization                              |
| `edit-gateways`         | Modify existing gateway settings                              |
| `delete-gateways`       | Remove gateways from organization                             |
| `attach-gateways`       | Attach gateways to resources                                  |
| `revoke-gateway-access` | Disconnect a running gateway and invalidate enrollment tokens |

#### Subject: `gateway-pool`

| Action                 | Description                                   |
| ---------------------- | --------------------------------------------- |
| `list-gateway-pools`   | View all organization gateway pools           |
| `create-gateway-pools` | Add new gateway pools to organization         |
| `edit-gateway-pools`   | Modify pool settings and manage pool gateways |
| `delete-gateway-pools` | Remove gateway pools from organization        |
| `attach-gateway-pools` | Attach gateway pools to consumer configs      |

#### Subject: `relay`

| Action                | Description                               |
| --------------------- | ----------------------------------------- |
| `list-relays`         | View all organization relays              |
| `create-relays`       | Add new relays to organization            |
| `edit-relays`         | Modify existing relay settings            |
| `delete-relays`       | Remove relays from organization           |
| `revoke-relay-access` | Revoke relay access and invalidate tokens |

#### Subject: `machine-identity-auth-template`

| Action             | Description                                    |
| ------------------ | ---------------------------------------------- |
| `list-templates`   | View identity auth templates                   |
| `create-templates` | Create new identity auth templates             |
| `edit-templates`   | Modify existing identity auth templates        |
| `delete-templates` | Remove identity auth templates                 |
| `unlink-templates` | Unlink identity auth templates from identities |
| `attach-templates` | Attach identity auth templates to identities   |
