The Pulumi Console offers role-based access control (RBAC) using teams. Teams allow organization admins to assign a set of stack permissions to a group of users.

Team Roles

Members of a team can be granted Team admin or Team member permissions. Team admins can add members to a team. Both team admins and team members can grant stack access to a team. By default, any new team members will be assigned the team member role. To change a team member’s role, use the ellipsis menu item at the end of the table row.

Creating a Team

Organization admins can add a new team by going to the organization’s Teams tab and selecting Create team. Organization members can also be granted permissions to create teams from the Access section of the organization Settings tab. Any member who creates a team will automatically be assigned the team admin role.

GitHub-based Teams

If your Pulumi organization is backed by GitHub, you can import your existing GitHub teams into Pulumi.

For these teams, membership is managed on GitHub, while the set of stack permissions granted to team members is managed on the Pulumi Console.

Importing a GitHub-based team

Team / Stack Permissions

Membership within a team will grant a Pulumi user a specific permission level for each stack in the team. For example, members of network-team may have Stack write access to the backend/production stack, but only Stack read access to datastore/production.

Editing team stacks and permissions