Skip to main content
Scoping lets you restrict a member’s access to specific parts of your workspace, regardless of their role. A Developer with full secret permissions scoped to a single project can only manage secrets in that project.

How scoping works

Every member has a scope configuration with two modes:
  • All access — the member can access everything in the workspace
  • Scoped access — the member can only access the specific teams, projects and environments in their scope

Scope levels

Scopes can be set at three levels, from broadest to most restrictive:

Team scope

Granting access to a team gives the member access to all projects and environments within that team.

Project scope

Granting access to a project gives the member access to all environments within that project, without granting access to other projects in the same team.

Environment scope

Granting access to specific environments restricts the member to only those environments. They cannot see secrets in other environments of the same project.

Cascading behavior

Scopes cascade downward:
  • Selecting a team automatically includes all its projects and their environments
  • Selecting a project automatically includes all its environments
  • Selecting an environment grants access only to that environment
If you select all environments within a project, the scope automatically simplifies to the project level. Similarly, selecting all projects within a team simplifies to the team level.

Examples

A backend developer who should only access Backend team projects:
  • Role: Developer
  • Scope: Team — “Backend”
This gives them full secret management for all projects under the Backend team, but no visibility into Frontend or Infrastructure team projects.
A contractor working only on the API service:
  • Role: Developer
  • Scope: Project — “api-service”
They can manage secrets for the api-service project across all its environments, but cannot see any other projects.
A QA tester who should only see staging secrets:
  • Role: Member
  • Scope: Environment — “staging” (for specific projects)
They can view secrets in the staging environment only. Production and development secrets are hidden.

Managing scopes

Scopes are configured when inviting a member or by editing an existing member’s access from the workspace members page. Only Admins can change member scopes.