@@ -112,21 +112,166 @@ For more information, see [Assigning Roles to Stacks](./assigning-roles-stacks.m
112112
113113### Actions: the building blocks of permissions
114114
115- Actions are the smallest unit of permission granularity in Spacelift's RBAC system. Each action defines a specific
116- operation that can be performed:
117-
118- | Action | Description | Legacy Equivalent |
119- | ---------------- | -------------------------- | ----------------- |
120- | ` run:trigger ` | Trigger stack runs | Writer |
121- | ` stack:manage ` | Create and modify stacks | Admin |
122- | ` stack:delete ` | Delete stacks | Admin |
123- | ` context:read ` | View contexts | Reader |
124- | ` context:manage ` | Create and modify contexts | Admin |
125- | ` space:read ` | View space contents | Reader |
126- | ` space:manage ` | Manage space settings | Admin |
127-
128- !!! note "Expanding action catalog"
129- The RBAC system supports a limited, but expanding set of actions. Spacelift continuously adds new actions based on user feedback and use cases.
115+ Actions are the smallest unit of permission granularity in Spacelift's RBAC system. Each action defines a specific operation that can be performed. Actions are organized by subject type (the resource they operate on).
116+
117+ !!! info "Legacy role fallbacks"
118+ When a user doesn't have an explicit action permission through a custom role, the system falls back to checking their legacy space access level (Reader/Writer/Admin). The "Legacy Fallback" column indicates which legacy role is required when custom action permissions are not granted.
119+
120+ #### Space actions
121+
122+ | Action | Description | Legacy Fallback |
123+ | ------------------- | ---------------------------------------------------------- | --------------- |
124+ | ` space:admin ` | Full administrative access to a space | Admin |
125+ | ` space:read ` | Grants visibility into stacks, runs, and other resources within an assigned space. Required to view any subjects within a space | Reader |
126+ | ` space:write ` | Write access to space resources | Writer |
127+ | ` space:share-module ` | Allow modules to be shared with an assigned space from other spaces | Writer |
128+
129+ #### Run actions
130+
131+ | Action | Description | Legacy Fallback |
132+ | ----------------------------------------- | ------------------------------------------------------------- | --------------- |
133+ | ` run:cancel ` | Cancel runs in a given space | Reader |
134+ | ` run:cancel-blocking ` | Cancel blocking runs in a given space | Writer |
135+ | ` run:comment ` | Comment on runs in a given space | Reader |
136+ | ` run:confirm ` | Confirm a plan and apply changes | Writer |
137+ | ` run:discard ` | Discard planned changes | Writer |
138+ | ` run:prioritize-set ` | Prioritize a run in a given space | Writer |
139+ | ` run:promote ` | Trigger a tracked run for the same Git commit as a proposed run | Writer |
140+ | ` run:propose-local-workspace ` | Trigger a proposed run based on local workspace | Writer |
141+ | ` run:propose-with-overrides ` | Trigger a proposed run with environment variable overrides | Writer |
142+ | ` run:retry ` | Retry runs in a given space | Reader |
143+ | ` run:retry-blocking ` | Retry blocking runs in a given space | Writer |
144+ | ` run:review ` | Review planned changes and submit review (approval/rejection) | Writer |
145+ | ` run:stop ` | Stop runs in a given space | Reader |
146+ | ` run:stop-blocking ` | Stop blocking runs in a given space | Writer |
147+ | ` run:targeted-replan ` | Replan a targeted run in a given space | Writer |
148+ | ` run:trigger ` | Trigger stack runs in a given space | Writer |
149+ | ` run:trigger-with-custom-runtime-config ` | Trigger stack runs with custom runtime config | Admin |
150+
151+ #### Task actions
152+
153+ | Action | Description | Legacy Fallback |
154+ | -------------- | ----------------------------------- | --------------- |
155+ | ` task:create ` | Trigger tasks for stacks in a given space | Writer |
156+
157+ #### Stack actions
158+
159+ | Action | Description | Legacy Fallback |
160+ | ----------------------------- | ---------------------------------------------------------- | --------------- |
161+ | ` stack:add-config ` | Add or update stack environment variables and mounted files| Writer |
162+ | ` stack:create ` | Create stacks in a given space | Admin |
163+ | ` stack:delete ` | Delete stacks in a given space | Admin |
164+ | ` stack:delete-config ` | Delete stack environment variables and mounted files | Writer |
165+ | ` stack:disable ` | Disable a stack | Admin |
166+ | ` stack:enable ` | Enable a disabled stack | Admin |
167+ | ` stack:lock ` | Lock a stack for exclusive use | Writer |
168+ | ` stack:manage ` | Manage stacks in a given space | Admin |
169+ | ` stack:managed-state-import ` | Import managed state for a stack | Admin |
170+ | ` stack:managed-state-rollback ` | Rollback managed state for a stack | Admin |
171+ | ` stack:reslug ` | Re-slug stacks in a given space | Admin |
172+ | ` stack:set-current-commit ` | Set stack current commit in a given space | Writer |
173+ | ` stack:set-star ` | Star or unstar a stack | Reader |
174+ | ` stack:state-download ` | Download the state file for a stack | Writer |
175+ | ` stack:state-read ` | Read the state file for a stack | Writer |
176+ | ` stack:sync-commit ` | Sync the tracked branch head commit with stack head commit | Writer |
177+ | ` stack:unlock ` | Unlock a previously locked stack (same user only) | Writer |
178+ | ` stack:unlock-force ` | Unlock any locked stack, including those locked by others | Admin |
179+ | ` stack:update ` | Update stacks (details, source, behavior, vendor) | Admin |
180+ | ` stack:upload-local-workspace ` | Generate upload URLs for local previews | Writer |
181+ | ` stack:workspace-lock ` | Lock the workspace for a stack | Admin |
182+ | ` stack:workspace-unlock ` | Unlock the workspace for a stack | Admin |
183+
184+ #### Context actions
185+
186+ | Action | Description | Legacy Fallback |
187+ | ----------------- | ---------------------------------- | --------------- |
188+ | ` context:create ` | Create contexts in a given space | Admin |
189+ | ` context:delete ` | Delete contexts in a given space | Admin |
190+ | ` context:update ` | Update contexts in a given space | Admin |
191+
192+ #### Worker Pool actions
193+
194+ | Action | Description | Legacy Fallback |
195+ | ------------------------ | ------------------------------------- | --------------- |
196+ | ` worker:drain-set ` | Drain or undrain workers in a given space | Admin |
197+ | ` worker-pool:create ` | Create worker pools in a given space | Admin |
198+ | ` worker-pool:cycle ` | Cycle worker pools in a given space | Admin |
199+ | ` worker-pool:delete ` | Delete worker pools in a given space | Admin |
200+ | ` worker-pool:reset ` | Reset worker pools in a given space | Admin |
201+ | ` worker-pool:update ` | Update worker pools in a given space | Admin |
202+
203+ #### Module actions
204+
205+ | Action | Description | Legacy Fallback |
206+ | ------------------------- | ------------------------------ | --------------- |
207+ | ` module:create ` | Create a module | Admin |
208+ | ` module:disable ` | Disable a module | Admin |
209+ | ` module:enable ` | Enable a module | Admin |
210+ | ` module:mark-as-bad ` | Mark a module as bad | Writer |
211+ | ` module:publish ` | Publish a module | Admin |
212+ | ` module:trigger-version ` | Trigger a module version | Writer |
213+
214+ #### Terraform Provider actions
215+
216+ | Action | Description | Legacy Fallback |
217+ | --------------------------------------------- | ------------------------------------------------ | --------------- |
218+ | ` terraform-provider:create ` | Create Terraform provider in a given space | Admin |
219+ | ` terraform-provider:delete ` | Delete Terraform provider in a given space | Admin |
220+ | ` terraform-provider:set-visibility ` | Set visibility for Terraform providers | Admin |
221+ | ` terraform-provider:update ` | Update Terraform provider in a given space | Admin |
222+ | ` terraform-provider-version:create ` | Create Terraform provider version | Writer |
223+ | ` terraform-provider-version:delete ` | Delete Terraform provider version | Writer |
224+ | ` terraform-provider-version:publish ` | Publish Terraform provider version | Writer |
225+ | ` terraform-provider-version:register-platform ` | Register platform for Terraform provider versions| Writer |
226+ | ` terraform-provider-version:revoke ` | Revoke Terraform provider version | Writer |
227+ | ` terraform-provider-version:update ` | Update Terraform provider version | Writer |
228+
229+ #### Intent actions
230+
231+ Intent actions are used for managing [ Intent-based infrastructure] ( ../intent/README.md ) .
232+
233+ | Action | Description | Legacy Fallback |
234+ | ----------------------------------------------- | ---------------------------------------------- | --------------- |
235+ | ` intent-dependencies:add ` | Add dependencies to intent project | Admin |
236+ | ` intent-dependencies:remove ` | Remove dependencies from intent project | Admin |
237+ | ` intent-policy:create ` | Create new intent policies | Admin |
238+ | ` intent-policy:delete ` | Delete intent policies | Admin |
239+ | ` intent-policy:update ` | Update existing intent policies | Admin |
240+ | ` intent-project:cloud-integration-attach ` | Attach AWS integration to intent project | Admin |
241+ | ` intent-project:cloud-integration-detach ` | Detach AWS integration from intent project | Admin |
242+ | ` intent-project:config-add ` | Add configuration to intent project | Admin |
243+ | ` intent-project:config-delete ` | Delete configuration from intent project | Admin |
244+ | ` intent-project:config-update ` | Update configuration in intent project | Admin |
245+ | ` intent-project:create ` | Create a new intent project | Admin |
246+ | ` intent-project:delete ` | Delete an intent project | Admin |
247+ | ` intent-project:disable ` | Disable an intent project | Admin |
248+ | ` intent-project:enable ` | Enable an intent project | Admin |
249+ | ` intent-project:lock ` | Lock an intent project | Admin |
250+ | ` intent-project:policy-attach ` | Attach a policy to intent project | Admin |
251+ | ` intent-project:policy-detach ` | Detach a policy from intent project | Admin |
252+ | ` intent-project:unlock ` | Unlock an intent project | Admin |
253+ | ` intent-project:update ` | Update an intent project | Admin |
254+ | ` intent-resource:create ` | Create new cloud resources | Admin |
255+ | ` intent-resource:delete ` | Delete cloud resources | Admin |
256+ | ` intent-resource:import ` | Import existing cloud resources into state | Admin |
257+ | ` intent-resource:refresh ` | Refresh cloud resource state | Admin |
258+ | ` intent-resource:resume ` | Resume intent resource operations | Admin |
259+ | ` intent-resource:update ` | Update existing cloud resources | Admin |
260+ | ` intent-resource-operation:review ` | Review an intent resource operation | Admin |
261+ | ` intent-state:eject ` | Eject resources from state | Admin |
262+ | ` intent-state:read ` | Read intent state details | Admin |
263+
264+ #### Spacelift VCS actions
265+
266+ | Action | Description | Legacy Fallback |
267+ | -------------------------------- | ------------------------------------- | --------------- |
268+ | ` spacelift-vcs:commit-files ` | Commit files to Spacelift VCS integration | Writer |
269+ | ` spacelift-vcs:create ` | Create Spacelift VCS integration | Admin |
270+ | ` spacelift-vcs:delete ` | Delete Spacelift VCS integration | Admin |
271+ | ` spacelift-vcs:update ` | Update Spacelift VCS integration | Writer |
272+
273+ !!! note "Action catalog expansion"
274+ Spacelift continuously adds new actions based on user feedback and use cases. If you need an action that isn't currently available, please contact Spacelift support.
130275
131276### Subjects: what actions are performed on
132277
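Review bot: the Legacy Fallback column maps `run:cancel`, `run:stop`, `run:retry` and `run:comment` to Reader, which by the definition in the "Legacy role fallbacks" box means a user with legacy read-only space access can cancel, stop and retry runs whenever no custom role grants or restricts those actions; the previous table listed only `context:read` and `space:read` under Reader, so if this widening is intended the info box should state that Reader fallback is not view-only, and if it is not intended these rows should fall back to Writer like `run:trigger`. Two cells are also missing the space before the closing pipe (`mounted files|` in the `stack:add-config` row and `versions|` in the `terraform-provider-version:register-platform` row), and the `intent-project:cloud-integration-attach` / `-detach` descriptions say "AWS integration" while the action names are cloud-generic; align one with the other.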