🏗️🚧 The TofuTF docs are under construction.

Topics
RBAC

RBAC

The authorization model largely follows that of Terraform Cloud/Enterprise. An organization comprises a number of teams. A user is a member of one or more teams. Teams are assigned permissions permitting access to various functionality. Team permissions can be assigned at two levels: on organizations and on individual workspaces.

Users

A user is created via one of several methods:

  • A user successfully logs into the site for the first time via an identity provider.
  • A site admin creates a user via the CLI/API.
  • If a user is added to a team and no user with the specified username exists.

A user without team membership has no permissions other than the ability to create organizations (which can be disabled).

Teams

Only owners can create teams and manage team membership. To add a user to a team, a username is specified. If no user exists with that username then the user is automatically created.

A new team possesses no permissions until they are assigned.

Owners

Every organization has an owners team. The user that creates an organization becomes its owner. The owners team must have at least one member and it cannot be deleted.

Members of the owners team possess broad privileges across an organization. Owners are the only users permitted to alter organization-level permissions. They are also automatically assigned all the organization-level permissions; these permissions cannot be unassigned.

Permissions

Permissions are assigned to teams on two levels: organizations and workspaces. Organization permissions confer privileges across the organization:

  • Manage Workspaces: Allows members to create and administrate all workspaces within the organization.
  • Manage VCS Settings: Allows members to manage the set of VCS providers available within the organization.
  • Manage Registry: Allows members to publish and delete modules within the organization.

organization permissions

Workspace permissions confer privileges on the workspace alone, and are based on the fixed permission sets of TFC/TFE (opens in a new tab):

  • Read
  • Plan
  • Write
  • Admin
![workspace permissions](../images/workspace_permissions.png)
Workspace permissions on workspace settings page

See the TFC/TFE documentation (opens in a new tab) for more information on the privileges each permission set confers.

Site Admins

Site admins possesses supreme privileges across an tofutf cluster. There are two ways to assume the role: