Problem
Users or teams in HCP Terraform or Terraform Enterprise may have access to workspaces or other resources that were not explicitly granted to them. This can lead to confusion and potential security concerns if users can perform actions beyond their intended role.
Cause
This issue typically occurs due to implicit permissions. In HCP Terraform and Terraform Enterprise, certain permissions automatically grant other, related permissions required to perform the primary task. While this simplifies access control management, it can result in users receiving more access than expected if the relationships between permissions are not fully understood.
For example, the official documentation provides the following explanation for the Queue plans permission:
Queue plans: Implies permission to read runs. Allows users to queue Terraform plans in a workspace, including both speculative plans and normal plans. Normal plans must be approved by a user with permission to apply runs. This also allows users to comment on runs.
If a team is assigned the Queue plans permission, its members automatically receive the ability to read runs, as this is a prerequisite for queuing a plan.
Solution
To resolve unintended access, identify the explicit permission that is granting the unwanted implicit permission and adjust it:
- Identify the Source: Determine which user or team has the unexpected permission and what specific action they can perform.
- Review Explicit Permissions: Examine all explicit permissions assigned to the user's team(s) within the organization or workspace settings.
- Consult Documentation: Carefully review the official permissions documentation to find which of the team's explicit permissions grants the unintended implicit permission. The documentation lists all permissions and their implicit relationships.
- Adjust Permissions: Modify the team's explicit permissions. You may need to assign a more granular permission that meets the team's requirements without granting the extra implicit permissions, or you may need to restructure your teams to separate responsibilities.
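The four steps above amount to computing a team's effective permissions (explicit grants plus everything they imply, transitively) and tracing each unexpected one back to the grant that causes it. The following Python script is an added illustration of that audit and is not HashiCorp code or an API call; the only implication it encodes is the one the documentation states above (Queue plans implies reading and commenting on runs), and the team name, grant set and intended set are constructed sample data. The implication table is meant to be filled in from the official permissions documentation for your own audit.

```python
"""Trace which explicit permission grant is the source of an unexpected
effective (implicit) permission in an HCP Terraform / Terraform Enterprise
team, following the implication rule the documentation states for
"Queue plans". Added example, not HashiCorp code."""

# Explicit permission -> permissions it implies. Only the "queue plans"
# entry comes from the documentation quoted above; extend this table from
# the official permissions list before auditing real teams.
IMPLIES = {
    "queue plans": {"read runs", "comment on runs"},
}


def effective_permissions(explicit, implies=IMPLIES):
    """Return every permission a team effectively holds: the explicit
    grants plus all implied permissions, applied transitively so that a
    permission implied by an implied permission is also counted."""
    effective = set()
    pending = list(explicit)
    while pending:
        perm = pending.pop()
        if perm in effective:
            continue
        effective.add(perm)
        pending.extend(implies.get(perm, ()))
    return effective


def explain_source(explicit, unexpected, implies=IMPLIES):
    """Return the explicit grants whose implications (transitively) include
    `unexpected`; these are the grants to narrow or restructure."""
    return sorted(
        grant for grant in explicit
        if unexpected in effective_permissions({grant}, implies)
    )


def audit(explicit, intended, implies=IMPLIES):
    """Compare a team's effective permissions with what it was meant to
    have. Returns {unexpected permission: [explicit grants causing it]}."""
    extra = effective_permissions(explicit, implies) - set(intended)
    return {perm: explain_source(explicit, perm, implies) for perm in sorted(extra)}


if __name__ == "__main__":
    # Constructed sample: a team granted only "queue plans", whose owner
    # expected no other run-related access.
    report = audit(explicit={"queue plans"}, intended={"queue plans"})
    for perm, sources in report.items():
        print(f"'{perm}' is held implicitly via explicit grant(s): {sources}")
```

For the constructed team the report shows that "read runs" and "comment on runs" both trace back to the single "queue plans" grant, which is exactly the decision point in step 4: either accept that the team can read and comment on runs, or choose a different explicit permission for it.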
Additional Information
For a complete list of all explicit and implicit permissions, refer to the official product documentation: