Problem
Terraform Cloud manages user access through permissions. Explicit permissions are defined and granted explicitly to users through their teams. Implicit permissions refer to the permissions that are automatically granted to users and teams, due to their requirement in performing tasks granted by explicit permissions.
For example, a user with the "Owner" role in a TFC organization will have implicit permissions to perform all actions within that organization, including creating workspaces, managing users and teams, and accessing sensitive data such as API tokens and environment variables.
Implicit permissions in TFC can simplify the management of access control by automatically granting the appropriate level of access to users and teams based on their role. However, it is important to understand these implicit permissions and to carefully manage access control to ensure that sensitive data is protected and organizational policies are followed.
Cause
Users receiving unexpected access to workspaces or other resources is typically the result of implicit permissions being granted to these users. There are a number of implicit permissions that are outlined on the permissions documentation of Terraform Cloud.
The Terraform documentation outlines all implicit permissions through text blocks such as below:
Queue plans: — Implies permission to read runs. Allows users to queue Terraform plans
in a workspace, including both speculative plans and normal plans. Normal plans must be
approved by a user with permission to apply runs. This also allows users to comment
on runs.
If a team is assigned the queue plans permission, they will automatically also receive the ability to read runs, as it is necessary for queuing plans.
Solutions
When users have unexpected permissions, carefully review the permissions documentation for Terraform checking for implicit permissions attached to the user's explicit permissions. This document provides guidance on managing permissions for users, teams, and organizations in Terraform Cloud, and can help identify unexpected implicit permissions that may be causing the issue.