HCP Vault Dedicated permissions
The following table lists HCP Vault Dedicated permissions based on Role-Based Access Control (RBAC).
| HCP Vault Dedicated Permissions | Viewer | Contributor | Admin |
|---|---|---|---|
| Access audit logs | ❌ | ❌ | ✅ |
| Create, edit, delete clusters | ❌ | ✅ | ✅ |
| View clusters | ✅ | ✅ | ✅ |
| Create, remove snapshots | ❌ | ✅ | ✅ |
| View snapshots | ✅ | ✅ | ✅ |
| Generate admin tokens | ❌ | ✅ | ✅ |
| Lock/unlock clusters | ❌ | ✅ | ✅ |
| Cluster scaling | ❌ | ❌ | ✅ |
| Performance replication | ✅ | ✅ | ❌ |
Configure HCP user permissions
For additional information on managing users, groups, and permissions in the HashiCorp Cloud Platform, review the Identity and access management documentation.
Invite users
Note
If Single Sign-On is enabled, manage users through the configured identity provider instead; the option to manually invite users described in this section will not be available.
- Log into HCP Portal and choose your organization.
- Click Access Control (IAM) in the sidebar and click +Invite user.
- Enter their email address and click Add. You can repeat this step to continue adding users.
- Choose a role from the Assign role drop-down menu and click Invite. Refer to User Permissions for information about the roles you can assign.
Resend a pending invite
To resend an invite to a specific user:
- Click Access Control (IAM) in the sidebar.
- Click Pending invites.
- Open the drop-down menu for the user whose invite you want to resend and click Resend invite.
Manage users
You can remove user access or change roles from the Users screen. You must have admin permissions to invite and manage users.
- Log into HCP Portal and choose your organization.
- Click Access Control (IAM) in the sidebar.
- Click on a user name.
- You can perform the following actions:
  - Click Remove to delete the user from your organization.
  - Choose a new role from the Role drop-down menu.
- Click Save.
Manage permissions
HCP uses a role-based access control (RBAC) system to enable members of your organizations and projects to perform actions in HCP and interact with resources. Some HCP applications allow you to assign roles for specific resources, such as an HCP Packer bucket. Refer to the specific HCP application documentation for more information.
Types of Roles
HCP has two general groupings of roles on the platform: Basic (All services) roles and fine-grained (service) roles.
Basic (All services) roles contain permissions from all or most services. Consider using basic roles initially when setting up and adopting HCP. However, they should be replaced with fine-grained roles when adding production workloads.
Fine-grained (service) roles contain permissions from one service or a minimal set of services. They are the preferred method for access management and should be used instead of Basic (All services) roles wherever applicable.
Inheritance
Each resource in an HCP organization has an IAM policy associated with it that describes the level of access allowed on that resource. The IAM policy is a data structure that maps roles to the principals assigned to that resource.
Users inherit role permissions according to the following hierarchy:
- Role assigned in the organization.
- Role assigned in the project.
- Role assigned for the resource.
Permissions are inherited through the resource hierarchy: they are effective for the resource they are assigned to and for all of that resource's descendants.
For example, a user assigned the viewer role in an organization also has viewer role permissions for the projects within the organization. Likewise, a user assigned the contributor role in a project also has contributor role permissions for the resources within the project.
If a user has a viewer role in an organization and an admin role on a project in the same organization, the user receives the combined viewer and admin role permissions within that specific project.
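As an added illustration (not HCP's code or any HCP API), the following Python models how the inheritance rule above combines roles: the organization, project and cluster names, the policy bindings and the principals are constructed sample data, while the role-to-permission matrix is taken from the HCP Vault Dedicated table at the top of this page.

```python
# Illustrative model of HCP-style role inheritance, not HCP's implementation:
# effective permissions = union of every role bound on the resource or an ancestor.
from typing import Dict, FrozenSet, Optional, Set

_VIEW = {"view clusters", "view snapshots"}
_MANAGE = {"create/edit/delete clusters", "create/remove snapshots",
           "generate admin tokens", "lock/unlock clusters"}
# Matrix from the HCP Vault Dedicated permissions table (Viewer / Contributor / Admin).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset(_VIEW | {"performance replication"}),
    "contributor": frozenset(_VIEW | _MANAGE | {"performance replication"}),
    "admin": frozenset(_VIEW | _MANAGE | {"access audit logs", "cluster scaling"}),
}

# Constructed resource hierarchy: resource -> parent (None for the organization root).
PARENTS: Dict[str, Optional[str]] = {
    "org/acme": None,
    "org/acme/project/payments": "org/acme",
    "org/acme/project/payments/cluster/vault-prod": "org/acme/project/payments",
}

# Constructed IAM policies: per resource, role -> principals bound to that role.
POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "org/acme": {"viewer": {"alice@example.com", "bob@example.com"}},
    "org/acme/project/payments": {"admin": {"alice@example.com"}},
}

def effective_roles(principal: str, resource: str) -> Set[str]:
    """Collect roles bound to the principal on the resource and every ancestor."""
    roles: Set[str] = set()
    node: Optional[str] = resource
    while node is not None:                       # walk up to the org root
        for role, members in POLICIES.get(node, {}).items():
            if principal in members:
                roles.add(role)
        node = PARENTS[node]
    return roles

def effective_permissions(principal: str, resource: str) -> Set[str]:
    """Union of the permissions of all inherited roles."""
    perms: Set[str] = set()
    for role in effective_roles(principal, resource):
        perms |= ROLE_PERMISSIONS[role]
    return perms

def is_allowed(principal: str, resource: str, action: str) -> bool:
    """Authorization check against the effective permission set."""
    return action in effective_permissions(principal, resource)
```

Note that alice, viewer at the organization and admin on the project, keeps "performance replication" on the cluster through the inherited viewer role even though the admin role alone does not grant it, which is exactly the combined-permissions behaviour described above.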
To narrow the scope of a user's permissions, set a role at the project level. To add a user to a project, you must first invite the user to the organization.
- Select the target project.
- Click Access Control (IAM) in the sidebar.
- Select the username.
- From the Role drop-down menu, choose a project-level role to assign to the user. Refer to the project role tables for information about the roles you can assign.