Skip to main content

Overview

Infisical’s project permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the project level, these permissions determine what actions users/machines can perform on various resources within a specific project. Each permission consists of:
  • Subject: The resource the permission applies to (e.g., secrets, members, settings)
  • Action: The operation that can be performed (e.g., read, create, edit, delete)
Some project-level resources—specifically secrets, secret-folders, secret-imports, dynamic-secrets, and secret-syncs, support conditional permissions and permission inversion for more granular access control. Conditions allow you to specify criteria (like environment, secret path, or tags) that must be met for the permission to apply.

Available Project Permissions

Below is a comprehensive list of all available project-level subjects and their supported actions.

Core Platform & Access Control

Subject: role

ActionDescription
readView project roles and their assigned permissions
createCreate new project roles
editModify existing project roles
deleteRemove project roles

Subject: member

ActionDescription
readView project members
createAdd new members to the project
editModify member details
deleteRemove members from the project
grant-privilegesChange permission levels of project members

Subject: groups

ActionDescription
readView project groups
createCreate new groups within the project
editModify existing groups
deleteRemove groups from the project
grant-privilegesChange permission levels of project groups

Subject: identity

ActionDescription
readView project identities
createAdd new identities to project
editModify project identities
deleteRemove identities from project
grant-privilegesChange permission levels of project identities

Subject: settings

ActionDescription
readView project settings
createAdd new project configuration settings
editModify project settings
deleteRemove project settings

Subject: environments

ActionDescription
readView project environments
createAdd new environments to the project
editModify existing environments
deleteRemove environments from the project

Subject: tags

ActionDescription
readView project tags
createCreate new tags for organizing resources
editModify existing tags
deleteRemove tags from the project

Subject: project

ActionDescription
editModify workspace settings
deleteDelete the workspace

Subject: ip-allowlist

ActionDescription
readView IP allowlists
createAdd new IP addresses or ranges to allowlists
editModify existing IP allowlist entries
deleteRemove IP addresses from allowlists

Subject: audit-logs

ActionDescription
readView audit logs of actions performed within the project

Subject: integrations

ActionDescription
readView configured integrations
createAdd new third-party integrations
editModify integration settings
deleteRemove integrations

Subject: webhooks

ActionDescription
readView webhook configurations
createAdd new webhooks
editModify webhook endpoints or triggers
deleteRemove webhooks

Subject: service-tokens

ActionDescription
readView service tokens
createCreate new service tokens for API access
editModify token properties
deleteRevoke or remove service tokens

Subject: app-connections

Supports conditions and permission inversion
ActionDescription
read-app-connectionsView app connection configurations
create-app-connectionsCreate new app connections
edit-app-connectionsModify existing app connections
delete-app-connectionsRemove app connections
connect-app-connectionsUse app connections

Secrets Management

Subject: secrets

Supports conditions and permission inversion
ActionDescriptionNotes
readView secrets and their valuesThis action is the equivalent of granting both describeSecret and readValue. The read action is considered legacy. You should use the describeSecret and/or readValue actions instead.
describeSecretView secret details such as key, path, metadata, tags, and moreIf you are using the API, you can pass viewSecretValue: false to the API call to retrieve secrets without their values.
readValueView the value of a secret.In order to read secret values, the describeSecret action must also be granted.
createAdd new secrets to the project
editModify existing secret values
deleteRemove secrets from the project

Subject: secret-folders

Supports conditions and permission inversion
ActionDescription
readView secret folders
createCreate new folders
editModify folder properties
deleteRemove secret folders

Subject: secret-imports

Supports conditions and permission inversion
ActionDescription
readView secret imports
createCreate secret imports
editModify secret imports
deleteRemove secret imports

Subject: secret-events

ActionDescription
subscribe-on-createdSubscribe to events when secrets are created
subscribe-on-updatedSubscribe to events when secrets are updated
subscribe-on-deletedSubscribe to events when secrets are deleted
subscribe-on-import-mutationsSubscribe to events when secrets are modified through imports

Subject: secret-rollback

ActionDescription
readView secret versions and snapshots
createRoll back secrets to snapshots

Subject: commits

ActionDescription
readView commits and changes across folders
perform-rollbackRoll back commits changes and restore folders to previous state

Subject: secret-approval

ActionDescription
readView approval policies and requests
createCreate new approval policies
editModify approval policies
deleteRemove approval policies
allow-change-bypassAllow request creators to merge changes without approval in break-glass situations
allow-access-bypassAllow request creators to access secrets without approval in break-glass situations

Subject: secret-rotation

Supports conditions and permission inversion
ActionDescription
readView secret rotation configurations
read-generated-credentialsView the generated credentials of a rotation
createSet up secret rotation configurations
editModify secret rotation configurations
rotate-secretsRotate the generated credentials of a rotation
deleteRemove secret rotation configurations

Subject: secret-syncs

Supports conditions and permission inversion.
ActionDescription
readView secret synchronization configurations
createCreate new sync configurations
editModify existing sync settings
deleteRemove sync configurations
sync-secretsExecute synchronization of secrets between systems
import-secretsImport secrets from sync sources
remove-secretsRemove secrets from sync destinations

Subject: dynamic-secrets

Supports conditions and permission inversion
ActionDescription
read-root-credentialView dynamic secret configurations
create-root-credentialCreate dynamic secrets
edit-root-credentialEdit dynamic secrets
delete-root-credentialRemove dynamic secrets
leaseCreate dynamic secret leases

Key Management Service (KMS)

Subject: kms

ActionDescription
editModify project KMS settings

Subject: cmek

ActionDescription
readView Customer-Managed Encryption Keys
createAdd new encryption keys
editModify key properties
deleteRemove encryption keys
encryptUse keys for encryption operations
decryptUse keys for decryption operations

Public Key Infrastructure (PKI)

Subject: certificate-authorities

ActionDescription
readView certificate authorities
createCreate new certificate authorities
editModify CA configurations
deleteRemove certificate authorities

Subject: certificates

ActionDescription
readView certificates
read-private-keyRead certificate private key
createIssue new certificates
deleteRevoke or remove certificates

Subject: certificate-profiles

ActionDescription
readView certificate profiles
createCreate new certificate profiles
editModify profile configurations
deleteRemove certificate profiles
issue-certIssue new certificates

Subject: certificate-templates

ActionDescription
readView certificate templates
createCreate new certificate templates
editModify template configurations
deleteRemove certificate templates

Subject: pki-alerts

ActionDescription
readView PKI alert configurations
createCreate new alerts for certificate expiry or other PKI events
editModify alert settings
deleteRemove PKI alerts

Subject: pki-collections

ActionDescription
readView PKI resource collections
createCreate new collections for organizing PKI resources
editModify collection properties
deleteRemove PKI collections

SSH Certificate Management

Subject: ssh-certificate-authorities

ActionDescription
readView SSH certificate authorities
createCreate new SSH certificate authorities
editModify SSH CA configurations
deleteRemove SSH certificate authorities

Subject: ssh-certificates

ActionDescription
readView SSH certificates
createIssue new SSH certificates
editModify SSH certificate properties
deleteRevoke or remove SSH certificates

Subject: ssh-certificate-templates

ActionDescription
readView SSH certificate templates
createCreate new SSH certificate templates
editModify SSH template configurations
deleteRemove SSH certificate templates

Secret Scanning

Subject: secret-scanning-data-sources

ActionDescription
read-data-sourcesView Data Sources
create-data-sourcesCreate new Data Sources
edit-data-sourcesModify Data Sources
delete-data-sourcesRemove Data Sources
read-data-source-resourcesView Data Source Resources
read-data-source-scansView Data Source Scans
trigger-data-source-scansTrigger Data Source Secret Scans

Subject: secret-scanning-findings

ActionDescription
read-findingsView Secret Scanning Findings
update-findingsUpdate Secret Scanning Findings

Subject: secret-scanning-configs

ActionDescription
read-configsView Secret Scanning Project Configuration
update-configsUpdate Secret Scanning Project Configuration