Restricting State Access Not Working Due to Additive Effective Permissions

Introduction

This article explains why users may still be able to view state versions and state content despite configuring custom Team–Project access settings intended to restrict state access in Terraform Cloud / HCP Terraform.

Problem

Users are able to:

• View state versions

• Access state content

• Download state files

Even though state access has been set to restricted (e.g., No access) under custom Team–Project permissions.

Cause

This behaviour occurs due to how Effective Permissions are evaluated in HCP Terraform.

Permissions are additive, meaning:

• A team’s effective permissions are the cumulative result of permissions assigned at all scopes (Organization, Project, Workspace).

• The most permissive level of access granted anywhere will apply.

• The scope where a permission is granted does not override the permission level itself.

For example, if a team has:

• Manage all workspaces at the Organization level

• Read access at the Project level

The effective permission will be Manage all workspaces, because it is the highest level granted.

A common cause is the Organization-level “View all workspaces” permission, which allows members to view:

• Runs

• State versions

• Variables

• Workspace information

  Even if Project-level state access is set to No access, Organization-level permissions may still allow state visibility.

   

Solutions:

Remove Organization-Level Workspace Access

1. Navigate to Organization Settings → Access

2. Set Workspace permissions under Organization Access to:
   None

This prevents Organization-level permissions from overriding Project-level restrictions.

Configure Project-Level Permissions

Within the relevant Project:

1. Assign the Team: Read

2. Set State access to: No access

This configuration allows users to:

• View workspace details

• See runs and metadata

While preventing them from:

• Viewing state versions

• Accessing state content

• Downloading state files

Review Effective Permissions and Team Memberships

If the issue persists:

• Verify whether the user belongs to multiple teams.

• Check for other teams granting higher permissions.

• Review effective permissions across:

  • Organization

  • Project

  • Workspace levels

Remember: The most permissive access always applies.

Additional Information

• Effective Permissions

• Project Permissions

• Organization Permissions

• If you're still experiencing issues, please contact HCP Terraform Support by submitting a ticket through our support portal