ScopeHold
Access rulesBrowse

Start

Quick startCore concepts

Setup

Billing accounts, workspaces, and projectsProviders and secrets

Access

Members and agentsAccess rules

Security

Security settingsAudit log

Account

Billing and plans

Reference

TroubleshootingGlossary

Access

Access rules

Roles control management ability and visibility. Direct grants control reveal and resolution of specific secret values.

Updated May 22, 2026

ScopeHold separates role access from secret-value access. This keeps project navigation and resource management usable while preserving least privilege for individual secrets.

Admin
Can manage scope metadata, role grants, invitations, access, providers, secrets, and audit visibility for the scope.
Editor
Can create and edit resources in the scope but cannot manage roles, invitations, or direct secret grants.
Viewer
Can view scoped resources and use explicitly granted secret access.
No access
Removes that role grant. Direct secret grants are managed separately.

Inherited workspace access

  • Workspace Admins automatically have admin access to all projects.
  • Workspace Editors automatically have editor access to all projects and can be upgraded to project Admin.
  • Workspace Viewers can receive viewer, editor, or admin access to specific projects as granted.
  • The last workspace Admin cannot be downgraded until another workspace Admin exists.
PreviousMembers and agentsNextSecurity settings