> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Scoped access

> Restrict member access to specific teams, projects or environments.

Scoping lets you restrict a member's access to specific parts of your workspace, regardless of their role. A Developer with full secret permissions scoped to a single project can only manage secrets in that project.

## How scoping works

Every member has a scope configuration with two modes:

* **All access**: the member can access everything in the workspace
* **Scoped access**: the member can only access the specific teams, projects and environments in their scope

## Scope levels

Scopes can be set at three levels, from broadest to most restrictive:

### Team scope

Granting access to a team gives the member access to **all projects and environments** within that team.

### Project scope

Granting access to a project gives the member access to **all environments** within that project, without granting access to other projects in the same team.

### Environment scope

Granting access to specific environments restricts the member to only those environments. They cannot see secrets in other environments of the same project.

## Cascading behavior

Scopes cascade downward:

* Selecting a **team** automatically includes all its projects and their environments
* Selecting a **project** automatically includes all its environments
* Selecting an **environment** grants access only to that environment

If you select all environments within a project, the scope automatically simplifies to the project level. Similarly, selecting all projects within a team simplifies to the team level.

## Examples

<AccordionGroup>
  <Accordion title="Developer with access to one team">
    A backend developer who should only access Backend team projects:

    * **Role**: Developer
    * **Scope**: the "Backend" team

    This gives them full secret management for all projects under the Backend team, but no visibility into Frontend or Infrastructure team projects.
  </Accordion>

  <Accordion title="Developer with access to one project">
    A contractor working only on the API service:

    * **Role**: Developer
    * **Scope**: the "api-service" project

    They can manage secrets for the api-service project across all its environments, but cannot see any other projects.
  </Accordion>

  <Accordion title="Member with access to staging only">
    A QA tester who should only see staging secrets:

    * **Role**: Member
    * **Scope**: the "staging" environment (for specific projects)

    They can view secrets in the staging environment only. Production and development secrets are hidden.
  </Accordion>
</AccordionGroup>

## Managing scopes

Scopes are configured when [inviting a member](/access-control/members) or by editing an existing member's access from the workspace members page. Only Admins can change member scopes.
