Permissions reference
Temporal Cloud access controls are organized across two scopes:
- Account-level role permissions
- Namespace-level permissions
Within each scope, permissions apply to publicly documented Temporal Cloud Ops API endpoints and to additional non-Cloud Ops capabilities, such as Temporal Cloud UI and internal automation behaviors.
Account-level access
Account-level access is granted to users and service accounts by assigning them an account-level role. Temporal Cloud supports the following account-level roles:
- Account Owner
- Global Admin
- Developer
- Finance Admin
- Read-Only
Cloud Ops API permissions
This table provides API-level details for permissions granted through account-level roles. These permissions are configured per user.
| Permission | Read-only | Developer | Finance Admin | Global Admin | Account Owner |
|---|---|---|---|---|---|
| AddUserGroupMember | | | | ✔ | ✔ |
| CreateAccountAuditLogSink | | | | ✔ | ✔ |
| CreateApiKey | ✔* | ✔* | ✔* | ✔* | ✔* |
| CreateConnectivityRule | | | | ✔ | ✔ |
| CreateNamespace | | ✔ | | ✔ | ✔ |
| CreateNexusEndpoint | | ✔ | | ✔ | ✔ |
| CreateServiceAccount | ✔† | ✔† | ✔† | ✔† | ✔† |
| CreateUser | | | | ✔ | ✔ |
| CreateUserGroup | | | | ✔ | ✔ |
| DeleteAccountAuditLogSink | | | | ✔ | ✔ |
| DeleteApiKey | ✔* | ✔* | ✔* | ✔* | ✔* |
| DeleteConnectivityRule | | | | ✔ | ✔ |
| DeleteNexusEndpoint | | ✔ | | ✔ | ✔ |
| DeleteServiceAccount | ✔† | ✔† | ✔† | ✔† | ✔† |
| DeleteUser | | | | ✔ | ✔ |
| DeleteUserGroup | | | | ✔ | ✔ |
| GetAccount | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetAccountAuditLogSink | | | | ✔ | ✔ |
| GetAccountAuditLogSinks | | | | ✔ | ✔ |
| GetApiKey | ✔* | ✔* | ✔* | ✔* | ✔* |
| GetApiKeys | ✔* | ✔* | ✔* | ✔* | ✔* |
| GetAsyncOperation | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetAuditLogs | | | | ✔ | ✔ |
| GetConnectivityRule | | ✔ | | ✔ | ✔ |
| GetConnectivityRules | | ✔ | | ✔ | ✔ |
| GetCurrentIdentity | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetNamespaces | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetNexusEndpoint | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetNexusEndpoints | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetRegion | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetRegions | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetServiceAccount | ✔† | ✔† | ✔† | ✔† | ✔† |
| GetServiceAccounts | ✔† | ✔† | ✔† | ✔† | ✔† |
| GetUsage | | | ✔ | ✔ | ✔ |
| GetUser | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetUserGroup | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetUserGroupMembers | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetUserGroups | ✔ | ✔ | ✔ | ✔ | ✔ |
| GetUsers | ✔ | ✔ | ✔ | ✔ | ✔ |
| RemoveUserGroupMember | | | | ✔ | ✔ |
| UpdateAccount | | | | ✔ | ✔ |
| UpdateAccountAuditLogSink | | | | ✔ | ✔ |
| UpdateApiKey | ✔* | ✔* | ✔* | ✔* | ✔* |
| UpdateNamespaceTags | | | | ✔ | ✔ |
| UpdateNexusEndpoint | | ✔ | | ✔ | ✔ |
| UpdateServiceAccount | ✔† | ✔† | ✔† | ✔† | ✔† |
| UpdateUser | | | | ✔ | ✔ |
| UpdateUserGroup | | | | ✔ | ✔ |
| ValidateAccountAuditLogSink | | | | ✔ | ✔ |
* Subject to the API key authorization behavior described under "Additional authorization behaviors" below.
† Subject to the service account authorization behavior described under "Additional authorization behaviors" below.
Namespace-level permissions
Namespace-level permissions are granted to users and service accounts by assigning them a Namespace-level permission. Temporal Cloud supports the following Namespace-level permissions:
- Namespace Admin
- Write
- Read
Users with the Global Admin and Account Owner roles automatically have Namespace Admin permissions on all Namespaces in the account.
Cloud Ops API permissions
This table provides API-level details for permissions granted through Namespace-level permissions. These permissions are configured per Namespace per user.
| Permission | Read | Write | Namespace Admin |
|---|---|---|---|
| AddNamespaceRegion | | | ✔ |
| CreateNamespaceExportSink | | | ✔ |
| DeleteNamespace | | | ✔ |
| DeleteNamespaceExportSink | | | ✔ |
| DeleteNamespaceRegion | | | ✔ |
| FailoverNamespaceRegion | | | ✔ |
| GetNamespace | ✔ | ✔ | ✔ |
| GetNamespaceCapacityInfo | ✔ | ✔ | ✔ |
| GetNamespaceExportSink | ✔ | ✔ | ✔ |
| GetNamespaceExportSinks | ✔ | ✔ | ✔ |
| RenameCustomSearchAttribute | | | ✔ |
| SetServiceAccountNamespaceAccess | | | ✔ |
| SetUserGroupNamespaceAccess | | | ✔ |
| SetUserNamespaceAccess | | | ✔ |
| UpdateNamespace | | | ✔ |
| UpdateNamespaceExportSink | | | ✔ |
| ValidateNamespaceExportSink | | | ✔ |
Workflow-level permissions
This table provides API-level details for Workflow-level Data Plane permissions granted through Namespace-level permissions. These permissions are configured per Namespace per user.
| Permission | Read | Write | Namespace Admin |
|---|---|---|---|
| CountActivityExecutions | ✔ | ✔ | ✔ |
| CountSchedules | ✔ | ✔ | ✔ |
| CountWorkflowExecutions | ✔ | ✔ | ✔ |
| CreateSchedule | | ✔ | ✔ |
| CreateWorkflowRule | | ✔ | ✔ |
| DeleteActivityExecution | | ✔ | ✔ |
| DeleteSchedule | | ✔ | ✔ |
| DeleteWorkerDeployment | | ✔ | ✔ |
| DeleteWorkerDeploymentVersion | | ✔ | ✔ |
| DeleteWorkflowExecution | | ✔ | ✔ |
| DeleteWorkflowRule | | ✔ | ✔ |
| DescribeActivityExecution | ✔ | ✔ | ✔ |
| DescribeBatchOperation | ✔ | ✔ | ✔ |
| DescribeNamespace | ✔ | ✔ | ✔ |
| DescribeSchedule | ✔ | ✔ | ✔ |
| DescribeTaskQueue | ✔ | ✔ | ✔ |
| DescribeWorker | ✔ | ✔ | ✔ |
| DescribeWorkerDeployment | ✔ | ✔ | ✔ |
| DescribeWorkerDeploymentVersion | ✔ | ✔ | ✔ |
| DescribeWorkflowExecution | ✔ | ✔ | ✔ |
| DescribeWorkflowRule | ✔ | ✔ | ✔ |
| ExecuteMultiOperation | | ✔ | ✔ |
| FetchWorkerConfig | ✔ | ✔ | ✔ |
| GetSearchAttributes | ✔ | ✔ | ✔ |
| GetWorkerBuildIdCompatibility | ✔ | ✔ | ✔ |
| GetWorkerTaskReachability | ✔ | ✔ | ✔ |
| GetWorkerVersioningRules | ✔ | ✔ | ✔ |
| GetWorkflowExecutionHistory | ✔ | ✔ | ✔ |
| GetWorkflowExecutionHistoryReverse | ✔ | ✔ | ✔ |
| ListActivityExecutions | ✔ | ✔ | ✔ |
| ListBatchOperations | ✔ | ✔ | ✔ |
| ListClosedWorkflowExecutions | ✔ | ✔ | ✔ |
| ListOpenWorkflowExecutions | ✔ | ✔ | ✔ |
| ListScheduleMatchingTimes | ✔ | ✔ | ✔ |
| ListSchedules | ✔ | ✔ | ✔ |
| ListTaskQueuePartitions | ✔ | ✔ | ✔ |
| ListWorkerDeployments | ✔ | ✔ | ✔ |
| ListWorkers | ✔ | ✔ | ✔ |
| ListWorkflowExecutions | ✔ | ✔ | ✔ |
| ListWorkflowRules | ✔ | ✔ | ✔ |
| PatchSchedule | | ✔ | ✔ |
| PauseActivity | | ✔ | ✔ |
| PauseWorkflowExecution | | ✔ | ✔ |
| PollActivityExecution | | ✔ | ✔ |
| PollActivityTaskQueue | | ✔ | ✔ |
| PollNexusTaskQueue | | ✔ | ✔ |
| PollWorkflowExecutionUpdate | | ✔ | ✔ |
| PollWorkflowTaskQueue | | ✔ | ✔ |
| QueryWorkflow | ✔ | ✔ | ✔ |
| RecordActivityTaskHeartbeat | | ✔ | ✔ |
| RecordActivityTaskHeartbeatById | | ✔ | ✔ |
| RecordWorkerHeartbeat | | ✔ | ✔ |
| RequestCancelActivityExecution | | ✔ | ✔ |
| RequestCancelWorkflowExecution | | ✔ | ✔ |
| ResetActivity | | ✔ | ✔ |
| ResetStickyTaskQueue | | ✔ | ✔ |
| ResetWorkflowExecution | | ✔ | ✔ |
| RespondActivityTaskCanceled | | ✔ | ✔ |
| RespondActivityTaskCanceledById | | ✔ | ✔ |
| RespondActivityTaskCompleted | | ✔ | ✔ |
| RespondActivityTaskCompletedById | | ✔ | ✔ |
| RespondActivityTaskFailed | | ✔ | ✔ |
| RespondActivityTaskFailedById | | ✔ | ✔ |
| RespondNexusTaskCompleted | | ✔ | ✔ |
| RespondNexusTaskFailed | | ✔ | ✔ |
| RespondQueryTaskCompleted | | ✔ | ✔ |
| RespondWorkflowTaskCompleted | | ✔ | ✔ |
| RespondWorkflowTaskFailed | | ✔ | ✔ |
| SetWorkerDeploymentCurrentVersion | | ✔ | ✔ |
| SetWorkerDeploymentManager | | ✔ | ✔ |
| SetWorkerDeploymentRampingVersion | | ✔ | ✔ |
| ShutdownWorker | | ✔ | ✔ |
| SignalWithStartWorkflowExecution | | ✔ | ✔ |
| SignalWorkflowExecution | | ✔ | ✔ |
| StartActivityExecution | | ✔ | ✔ |
| StartBatchOperation | | ✔ | ✔ |
| StartWorkflowExecution | | ✔ | ✔ |
| StopBatchOperation | | ✔ | ✔ |
| TerminateActivityExecution | | ✔ | ✔ |
| TerminateWorkflowExecution | | ✔ | ✔ |
| TriggerWorkflowRule | | ✔ | ✔ |
| UnpauseActivity | | ✔ | ✔ |
| UnpauseWorkflowExecution | | ✔ | ✔ |
| UpdateActivityOptions | | ✔ | ✔ |
| UpdateSchedule | | ✔ | ✔ |
| UpdateTaskQueueConfig | | ✔ | ✔ |
| UpdateWorkerBuildIdCompatibility | | ✔ | ✔ |
| UpdateWorkerConfig | | ✔ | ✔ |
| UpdateWorkerDeploymentVersionMetadata | | ✔ | ✔ |
| UpdateWorkerVersioningRules | | ✔ | ✔ |
| UpdateWorkflowExecution | | ✔ | ✔ |
| UpdateWorkflowExecutionOptions | | ✔ | ✔ |
Additional authorization behaviors
Some APIs are granted to all account-level roles but enforce additional authorization rules at runtime. The action group grants access to call the API, but the scope of what the caller can interact with depends on their role.
API key authorization behavior
All roles can create and manage their own API keys. An API key inherits the permissions of its owner — it cannot grant access beyond what the owning user or service account already has.
| Behavior | Read-only | Developer | Finance Admin | Global Admin | Account Owner |
|---|---|---|---|---|---|
| Create, view, update, and delete own API keys | ✔ | ✔ | ✔ | ✔ | ✔ |
| View, update, and delete any API key in the account | | | | ✔ | ✔ |
Affected APIs: CreateApiKey, GetApiKey, GetApiKeys, UpdateApiKey, DeleteApiKey
Service account authorization behavior
All roles can list service accounts within their account. However, the ability to create, update, and delete service accounts depends on the scope of the service account and the caller's role.
| Behavior | Read-only | Developer | Finance Admin | Global Admin | Account Owner |
|---|---|---|---|---|---|
| List all service accounts in the account | ✔ | ✔ | ✔ | ✔ | ✔ |
| Manage unscoped (account-level) service accounts | | | | ✔ | ✔ |
| Manage Namespace-scoped service accounts | § | § | § | ✔ | ✔ |
§ Requires Namespace Admin permission on the target Namespace. Any role can manage Namespace-scoped service accounts if they hold Namespace Admin on that Namespace.
Affected APIs: CreateServiceAccount, GetServiceAccount, GetServiceAccounts, UpdateServiceAccount, DeleteServiceAccount
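The runtime rules in this section (Global Admin and Account Owner are implicitly Namespace Admin everywhere, an API key never exceeds its owner, and Namespace-scoped service accounts can be managed by whoever holds Namespace Admin on that Namespace) are small enough to model as an authorization check, which is useful when auditing grants for least privilege. The following is an added example, not Temporal's code; the role and permission names come from this page, while the `Principal` structure and the function names are assumptions.

```python
# Added model of the authorization behaviors described above (not Temporal's
# own code). Role/permission names are the page's; everything else is assumed.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional

ADMIN_ROLES = {"Global Admin", "Account Owner"}


class NsPerm(IntEnum):
    """Namespace-level permissions form a strict hierarchy on this page."""
    NONE = 0
    READ = 1
    WRITE = 2
    NAMESPACE_ADMIN = 3


@dataclass
class Principal:
    name: str
    role: str                                  # account-level role
    ns_grants: Dict[str, NsPerm] = field(default_factory=dict)
    scoped_to: Optional[str] = None            # set for Namespace-scoped service accounts


def effective_ns_perm(p: Principal, ns: str) -> NsPerm:
    """Global Admin / Account Owner hold Namespace Admin on every Namespace."""
    if p.role in ADMIN_ROLES:
        return NsPerm.NAMESPACE_ADMIN
    return p.ns_grants.get(ns, NsPerm.NONE)


def api_key_allows(owner: Principal, ns: str, required: NsPerm) -> bool:
    """An API key inherits its owner's permissions and can never exceed them."""
    return effective_ns_perm(owner, ns) >= required


def can_manage_api_key(caller: Principal, key_owner: Principal) -> bool:
    """Every role manages its own keys; only admins manage other people's keys."""
    return caller.name == key_owner.name or caller.role in ADMIN_ROLES


def can_manage_service_account(caller: Principal, sa: Principal) -> bool:
    """Unscoped SAs: admins only. Namespace-scoped SAs: admins, or any role
    holding Namespace Admin on the SA's Namespace (the § rule)."""
    if caller.role in ADMIN_ROLES:
        return True
    if sa.scoped_to is None:
        return False
    return effective_ns_perm(caller, sa.scoped_to) == NsPerm.NAMESPACE_ADMIN
```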