Managing Access to Workspaces
HCP Terraform workspaces can only be accessed by users with the correct permissions. You can manage permissions for a workspace on a per-team basis.
Teams with admin access on a workspace can manage permissions for other teams on that workspace. Since newly created workspaces don't have any team permissions configured, the initial setup of a workspace's permissions requires the owners team or a team with permission to manage workspaces. (More about permissions.)
API: See the Team Access APIs.
Terraform: See the tfe
provider's tfe_team_access
resource.
Background
HCP Terraform manages users' permissions to workspaces with teams.
- Workspace-level permissions can be granted to an individual team on a particular workspace. These permissions can be managed on the workspace by anyone with admin access to the workspace.
- In addition, some organization-level permissions can be granted to a team which apply to every workspace in the organization. For example, the manage all workspaces and manage all projects permissions grant the workspace-level admin permission to every workspace in the organization. Organization-level permissions can only be managed by organization owners.
Managing Workspace Access Permissions
When a user creates a workspace, the following teams can access that workspace with full admin permissions:
- the owners team
- teams with "Manage all workspaces" and/or “Manage all projects” organization permissions
- teams with “Project Admin” project permissions
You cannot override these teams' permissions through the workspace's specific permissions.
To manage a team's access to a workspace, select "Team Access" from the workspace's "Settings" menu.
This screen displays all teams granted workspace-level permissions to the workspace. To add a team, select "Add team and permissions".
HCP Terraform displays the teams you can grant workspace access to. Select a team to continue and configure that team's permissions.
There are four fixed permissions sets available for basic usage: Read, Plan, Write, and Admin.
To enable finer-grained selection of non-admin permissions, select "Customize permissions for this team". On this screen, you can select specific permissions to grant the team for the workspace.
For more information on permissions, see the documentation on Workspace Permissions.