TrademarkTrademark
Features
Documentation

Role-Based Access Control for Self-Service Infrastructure: A Platform Engineering Guide

How platform teams use role-based access control to onboard developers of any skill level into safe Terraform and OpenTofu self-service, and where RBAC is overkill.
Sebastian StadilJuly 15, 2022Updated July 3, 2026
Role-Based Access Control for Self-Service Infrastructure: A Platform Engineering Guide
Key takeaways
  • Platform-level RBAC (the access controls inside an IaC management platform) is a different layer from cloud IAM: cloud IAM governs what the infrastructure can touch in AWS, Azure, or GCP; platform RBAC governs which developers can plan, apply, read state, or edit variables inside the platform. You need both.
  • Scalr attaches a single role at the account, environment, or workspace scope, so one 'admin' or 'read-only' role covers many contexts instead of spawning per-team role sprawl (as of June 2026, per docs.scalr.io).
  • Granular, composable roles let a platform team onboard developers of any skill level safely: a junior who can plan but not apply, an app team scoped to its own environment, an auditor with read access, a contractor limited to one workspace.
  • The payoff from fine-grained RBAC starts when a platform team serves many developers; for a 2-3 person team, the procurement and contracting overhead of adopting a SaaS platform usually outweighs the benefit, and GitHub Actions or Atlantis is a better fit.
  • Scalr, Spacelift, and env0 all offer RBAC; Scalr runs only Terraform and OpenTofu while Spacelift and env0 are multi-IaC (Pulumi, CloudFormation, Kubernetes, and more), which is the better fit if you standardize on several IaC tools (verified June 2026 on each vendor's site).

How many developers do you need to enable self-service for? Hold that number in your head, because it decides almost everything about access control. If the answer is a handful, fine-grained role-based access control is overkill, and a CI pipeline like GitHub Actions (or Atlantis for a GitOps pull-request workflow) will serve you better. If a platform team is serving dozens to thousands of developers, granular RBAC is the mechanism that lets self-service reach all of them without handing every person the keys to production. That is the question this guide answers.

The framing matters because RBAC is usually discussed as a security checkbox. For a platform team it is something else: the control that decides how many people you can safely say yes to. A flat permission model forces you to choose between locking people out and trusting them with everything. Granular roles let you onboard a developer at exactly the level they are ready for, then widen access as they earn it.

Which platform offers Terraform state management and role-based access control?

This is a common starting query, so let's answer it plainly. Several managed Terraform and OpenTofu platforms bundle remote state with RBAC: Scalr, Spacelift, and env0 all do, and Terraform Cloud does too. If you only need a state backend plus basic role separation and you are early, most of them will do, so pick fast rather than optimizing the permission model up front.

The reason to read further is that state plus RBAC is where the platforms diverge. Two questions separate them. First, how do roles attach to your structure, one role per context or one role reused across many? Second, does the platform run only Terraform and OpenTofu, or many IaC tools? Those two answers shape how far self-service can spread and how much role bookkeeping you inherit as you grow. The rest of this guide works through both, names where each vendor fits, and uses Scalr as the worked example.

How does role-based access control enable developer self-service?

Self-service means a developer can provision infrastructure without filing a ticket and waiting on the platform team. The blocker is rarely tooling. It is trust. A platform owner cannot open a self-service workflow to a hundred engineers if the only options are full access or no access, because full access to production for a hundred people is not a plan, it is an incident waiting for a date.

Granular RBAC removes the binary. With composable, scoped roles you can let a junior run plans but not applies, give an application team write access to its own environment and read-only access to shared modules, hand an auditor read access to everything and write access to nothing, and limit a contractor to a single workspace for the length of their engagement. Each of those is a different answer to "what is this person ready for," and each one is a developer you can onboard today instead of next quarter. Scalr composes those roles from 147 granular permissions, as of June 2026.

That is the throughline of the modern positioning for Scalr: broader self-service. The more precisely you can scope a role, the more people a platform team can enable without raising its own risk. RBAC is the lever that turns "we'd love to self-serve but it's not safe" into "here's your environment."

For where self-service fits in a larger platform-engineering picture, see the guide on building an internal developer platform for Terraform and OpenTofu.

Platform RBAC vs cloud IAM: what's the difference?

These get conflated constantly, and conflating them produces real security gaps. They are different layers.

Cloud IAM (AWS IAM, Azure RBAC, GCP IAM) governs what the infrastructure and the execution identity are permitted to do in the cloud: which API calls a role can make, which resources a credential can touch, what the Terraform run's identity is allowed to create or destroy. Policy engines like HashiCorp Sentinel and Open Policy Agent sit alongside it, enforcing least-privilege guardrails on the resources being provisioned.

Platform RBAC governs what people and service accounts can do inside the IaC management platform: who can trigger a plan, who can approve an apply, who can read state, who can edit a variable, who can create or lock a workspace. It is the human-and-automation layer, not the cloud-resource layer.

You need both, and one does not substitute for the other. Cloud IAM can stop a Terraform run from deleting a production database, but it cannot stop the wrong engineer from queuing the apply that tries. Platform RBAC controls who gets to queue it. As of June 2026, no IaC management vendor's RBAC replaces your cloud provider's IAM; it complements it. Treat them as two distinct controls you configure separately.

What scopes should access control map to (account, environment, workspace)?

The shape of your RBAC follows the shape of your platform. Scalr models three scopes, and they map cleanly onto how most platform teams already think (verified June 2026 on docs.scalr.io):

  • Account is the whole organization.
  • Environment is a logical grouping of workspaces. A good default is to equate one environment with one cloud account or landing zone, which makes the isolation boundary easy to picture.
  • Workspace is a single state and its runs.

The design decision that pays off is that one role attaches at any of these scopes. A single "admin" role can be granted at the account scope (admin over everything), at an environment scope (admin over one collection of workspaces), or at a single workspace. You define the role once and reuse it everywhere.

Compare that to a flat model where a role is bound to a specific context. There you drift toward account-admin, dev-environment-admin, prod-environment-admin, team-x-admin, workspaceA-admin, workspaceB-admin, and on. Every new context spawns a near-duplicate role. The list grows, nobody remembers which one is canonical, and the path of least resistance is to create yet another rather than reuse an existing one. That is role sprawl, and it is the slow-motion failure mode of access control at scale. Scope-attached roles avoid it by separating the role (what someone can do) from the scope (where they can do it).

Scalr's access model connects three objects: a role (a set of permissions), a team or user, and an access policy that links the two at a chosen scope. System roles ship pre-built for common cases; you add custom roles as needed. Service accounts use the same access-policy mechanism with API tokens, so a CI pipeline or a cross-environment data pull gets exactly the permissions it needs and nothing more (verified June 2026 on docs.scalr.io).

For how to model accounts, environments, and workspaces in the first place, see Scalr organizational hierarchy best practices and the broader guide to structuring Terraform at scale.

How do you onboard developers of different skill levels safely?

This is where granular RBAC earns its keep, so here are concrete starting roles rather than abstractions.

Start with a platform admin. This is the person who administers the account, creates environments, invites teams, defines roles, and over time tightens them. You can use a pre-built admin role or define your own for tighter control. The job, applied steadily, is the principle of least privilege: restrict access to state, to workspace locking, to variable editing, down to what each role actually needs.

Then create two everyday roles that map to skill level:

  • A plan-only "developer" role for people writing Terraform. They can run plans and see the diff, but cannot apply. A junior can be productive on day one without being able to change live infrastructure.
  • A plan-and-apply "approver" role for experienced reviewers who own the apply step.

This split is the whole self-service safety model in miniature. The developer role is your default front door; the approver role is the gate. As someone gains experience, you widen their role instead of rebuilding your access model around them. Scalr supports composable minimal roles, so "plan only" and "apply only" can be defined separately and combined, which keeps each role readable at a glance (verified June 2026 on docs.scalr.io).

Two more patterns round it out. Service accounts let one environment pull data from another without giving end users access to the source environment; the token lives as an encrypted variable in the consuming workspace. And grouping teams into their own environments isolates work cleanly: an environment is a natural boundary for applying policies and granting access, which is why equating it to a cloud account or landing zone tends to keep the mental model simple.

When is fine-grained RBAC overkill, and what should small teams use instead?

It is overkill more often than vendor marketing admits, so here is the cutoff.

For a 2-3 person team, fine-grained RBAC is not worth the setup. Everyone is trusted, everyone can apply, and the ceremony of defining roles and scopes buys you little. There's a second cost that gets less airtime: adopting a SaaS platform means a vendor relationship, with the contracting and procurement work that comes with it. GitHub Actions, the CI you already run, or self-hosted Atlantis carry none of that, and at three people the transaction overhead usually outweighs the benefit even when the platform itself would be more capable. A CI pipeline like GitHub Actions handles plan-and-apply on merge perfectly well at that size. If you want a GitOps pull-request workflow with plan output on the PR and an apply gate, Atlantis is a strong lightweight choice; it offers repo and project permissions and command (apply) requirements, though not enterprise-grade fine-grained RBAC, which at three people you do not need anyway (verified June 2026 on runatlantis.io). For a fuller comparison, see OpenTofu and Atlantis vs a managed platform.

There is a second non-fit. If you are a net-new Terraform team that just needs to ship and is not yet at platform scale, almost any managed Terraform platform (a "TACO," a Terraform Automation and Collaboration Offering) will serve. Pick one quickly and move on rather than optimizing RBAC granularity before you have the developers to apply it to.

The payoff from granular RBAC starts when a dedicated platform team is serving many developers, a dozen and up, and climbs from there. Scalr's largest customer reference is a platform team serving more than 6000 developers from a single platform; at that scale, the precision of your roles is the difference between safe self-service and a queue of access tickets. If you are choosing between platforms at that size, the guide to selecting a Terraform Cloud alternative and the Scalr vs Terraform Cloud pricing breakdown go deeper on the trade-offs.

How do the major platforms compare on RBAC and IaC scope?

All three managed platforms in this category offer RBAC, so the access-control checkbox alone will not separate them. The differentiator is what each one runs (verified June 2026 on each vendor's site):

  • Scalr runs only Terraform and OpenTofu. It is a pure-play Terraform/OpenTofu platform with scope-attached roles across account, environment, and workspace, plus system and custom roles and service accounts.
  • Spacelift is multi-IaC. It supports OpenTofu, Terraform, Terragrunt, Pulumi, and Kubernetes (with an Ansible integration), and pairs RBAC with a policy-as-code engine.
  • env0 is multi-IaC. It supports Terraform, OpenTofu, Terragrunt, CloudFormation, Pulumi, Helm, and Kubernetes, and offers RBAC, with custom roles starting on its Cloud Navigator tier (as of June 2026).

That gives you a clean decision rule. If you standardize on more than one IaC technology, such as Pulumi or CloudFormation or Kubernetes manifests alongside Terraform, a multi-IaC platform like Spacelift or env0 is the better fit, and you should weigh them on their own merits. If your fleet is Terraform and OpenTofu and you want a platform built only for that, a pure-play platform fits.

The pure-play choice has a knock-on benefit worth naming. A platform that abstracts many dissimilar IaC tools has to paper over their differences, and abstractions over dissimilar things leak (Joel Spolsky's Law of Leaky Abstractions). A platform that handles only Terraform and OpenTofu has fewer seams to hide, which tends to make its platform-level reporting cleaner. Keep the claim modest: this is about clearer fleet-level visibility into counts, concurrency, and queues, not about measuring per-run latency.

This is also why Scalr describes itself as a drop-in replacement for Terraform Cloud. Same remote backend, same CLI, same API, so the migration is a three-step move: clone your Terraform Cloud setup into Scalr programmatically, copy your secrets, and run a plan in Scalr to validate, with no change to how developers work day to day. The RBAC model is the part that then lets you widen self-service past where Terraform Cloud's flatter role structure comfortably reaches.

How do you manage role-based access control as code at scale?

Defining roles by hand in a UI does not scale, and it is not auditable. Once you have more than a few teams, RBAC belongs in version control like the rest of your infrastructure.

The Scalr Terraform provider lets you define roles, teams, and access policies in HCL. That makes every permission change a reviewable pull request, gives you a history of who changed which role and when, and lets you "vend" environments: a module that creates a team, attaches a role, provisions an environment, and links credentials and policies, so an onboarding team logs into a ready-made workspace and starts shipping.

This guide is the concept; the code is its companion. For the end-to-end walkthrough of defining roles, teams, and access policies with the Scalr provider, including the full HCL, see how to manage Scalr RBAC at scale using the Scalr provider. And to verify any of the access-control specifics here, the Scalr IAM documentation is the primary source.

Frequently asked questions

What is the difference between platform RBAC and cloud IAM?

Cloud IAM (AWS IAM, Azure RBAC, GCP IAM) and policy engines like Sentinel or OPA control what the infrastructure and the execution identity are allowed to do in the cloud. Platform RBAC controls which humans and service accounts can perform which actions inside the IaC management platform itself: plan, apply, read state, edit variables, manage workspaces. The two layers are complementary. Platform RBAC does not replace cloud IAM; you run both. As of June 2026.

How many developers should you enable self-service for before RBAC matters?

For a 2-3 person team, a CI pipeline like GitHub Actions, or Atlantis for a GitOps pull-request workflow, is usually the better fit: adopting a SaaS platform brings procurement and contracting overhead that tooling you already run does not, and at that size the overhead tends to outweigh what fine-grained RBAC buys you. The payoff begins when a dedicated platform team is serving many developers, a dozen and up, where granular roles are what make broad self-service safe. Scalr's largest customer reference is a platform team serving more than 6000 developers off one platform.

Can you give a junior developer plan access without apply access?

Yes. Scalr supports composable minimal roles such as plan-only and apply-only that attach at a chosen scope, so a junior can run plans without being able to apply. A common starting pattern is a plan-only 'developer' role for people writing Terraform and a plan-and-apply 'approver' role for experienced reviewers. Verified June 2026 on docs.scalr.io.

Do Scalr, Spacelift, and env0 all support role-based access control?

Yes, all three offer RBAC with custom roles (on env0, custom RBAC roles sit on its Cloud Navigator tier and up, not the entry tier, as of June 2026). The differentiator is IaC scope: Scalr runs only Terraform and OpenTofu, while Spacelift and env0 are multi-IaC, covering Pulumi, CloudFormation, Kubernetes, and more. If you standardize on several IaC tools, a multi-IaC platform fits better. Verified June 2026 on each vendor's site.

Can you manage Scalr RBAC as code?

Yes. The Scalr Terraform provider defines roles, teams, and access policies in HCL, so RBAC is version-controlled and can be vended along with pre-configured environments. The companion walkthrough at /learning-center/rbac-at-scale shows the provider code end to end.
About the author
Sebastian StadilCEO at Scalr
Sebastian Stadil is the CEO at Scalr. He has over 15 years of devops experience, and started his career with AWS in 2004.