Permissions reference

Temporal Cloud access controls are organized across two scopes:

Account-level role permissions
Namespace-level permissions

Within each scope, permissions apply to publicly documented Temporal Cloud Ops API endpoints and to additional non-Cloud Ops capabilities, such as Temporal Cloud UI and internal automation behaviors.

Account-level access

Account-level access is granted to users and service accounts by assigning them an account-level role. Temporal Cloud supports the following account-level roles:

Account Owner
Global Admin
Developer
Finance Admin
Read-Only

Cloud Ops API permissions

This table provides API-level details for permissions granted through account-level roles. These permissions are configured per user.

Permission	Read-only	Developer	Finance Admin	Global Admin	Account Owner
AddUserGroupMember				✔	✔
CreateAccountAuditLogSink				✔	✔
CreateApiKey	✔*	✔*	✔*	✔*	✔*
CreateConnectivityRule				✔	✔
CreateNamespace		✔		✔	✔
CreateNexusEndpoint		✔		✔	✔
CreateServiceAccount	✔†	✔†	✔†	✔†	✔†
CreateUser				✔	✔
CreateUserGroup				✔	✔
DeleteAccountAuditLogSink				✔	✔
DeleteApiKey	✔*	✔*	✔*	✔*	✔*
DeleteConnectivityRule				✔	✔
DeleteNexusEndpoint		✔		✔	✔
DeleteServiceAccount	✔†	✔†	✔†	✔†	✔†
DeleteUser				✔	✔
DeleteUserGroup				✔	✔
GetAccount	✔	✔	✔	✔	✔
GetAccountAuditLogSink				✔	✔
GetAccountAuditLogSinks				✔	✔
GetApiKey	✔*	✔*	✔*	✔*	✔*
GetApiKeys	✔*	✔*	✔*	✔*	✔*
GetAsyncOperation	✔	✔	✔	✔	✔
GetAuditLogs				✔	✔
GetConnectivityRule		✔		✔	✔
GetConnectivityRules		✔		✔	✔
GetCurrentIdentity	✔	✔	✔	✔	✔
GetNamespaces	✔	✔	✔	✔	✔
GetNexusEndpoint	✔	✔	✔	✔	✔
GetNexusEndpoints	✔	✔	✔	✔	✔
GetRegion	✔	✔	✔	✔	✔
GetRegions	✔	✔	✔	✔	✔
GetServiceAccount	✔†	✔†	✔†	✔†	✔†
GetServiceAccounts	✔†	✔†	✔†	✔†	✔†
GetUsage			✔	✔	✔
GetUser	✔	✔	✔	✔	✔
GetUserGroup	✔	✔	✔	✔	✔
GetUserGroupMembers	✔	✔	✔	✔	✔
GetUserGroups	✔	✔	✔	✔	✔
GetUsers	✔	✔	✔	✔	✔
RemoveUserGroupMember				✔	✔
UpdateAccount				✔	✔
UpdateAccountAuditLogSink				✔	✔
UpdateApiKey	✔*	✔*	✔*	✔*	✔*
UpdateNamespaceTags				✔	✔
UpdateNexusEndpoint		✔		✔	✔
UpdateServiceAccount	✔†	✔†	✔†	✔†	✔†
UpdateUser				✔	✔
UpdateUserGroup				✔	✔
ValidateAccountAuditLogSink				✔	✔

* See API Key Authorization Behavior
† See Service Account Authorization Behavior

Namespace-level permissions

Namespace-level permissions are granted to users and service accounts by assigning them a Namespace-level permission. Temporal Cloud supports the following Namespace-level permissions:

Namespace Admin
Write
Read

Users with the Global Admin and Account Owner roles automatically have Namespace Admin permissions on all Namespaces in the account.

Cloud Ops API permissions

This table provides API-level details for permissions granted through Namespace-level permissions. These permissions are configured per Namespace per user.

Permission	Read	Write	Namespace Admin
AddNamespaceRegion			✔
CreateNamespaceExportSink			✔
DeleteNamespace			✔
DeleteNamespaceExportSink			✔
DeleteNamespaceRegion			✔
FailoverNamespaceRegion			✔
GetNamespace	✔	✔	✔
GetNamespaceCapacityInfo	✔	✔	✔
GetNamespaceExportSink	✔	✔	✔
GetNamespaceExportSinks	✔	✔	✔
RenameCustomSearchAttribute			✔
SetServiceAccountNamespaceAccess			✔
SetUserGroupNamespaceAccess			✔
SetUserNamespaceAccess			✔
UpdateNamespace			✔
UpdateNamespaceExportSink			✔
ValidateNamespaceExportSink			✔

Workflow-level permissions

This table provides API-level details for Workflow-level Data Plane permissions granted through Namespace-level permissions. These permissions are configured per Namespace per user.

Permission	Read	Write	Namespace Admin
CountActivityExecutions	✔	✔	✔
CountSchedules	✔	✔	✔
CountWorkflowExecutions	✔	✔	✔
CreateSchedule		✔	✔
CreateWorkflowRule		✔	✔
DeleteActivityExecution		✔	✔
DeleteSchedule		✔	✔
DeleteWorkerDeployment		✔	✔
DeleteWorkerDeploymentVersion		✔	✔
DeleteWorkflowExecution		✔	✔
DeleteWorkflowRule		✔	✔
DescribeActivityExecution	✔	✔	✔
DescribeBatchOperation	✔	✔	✔
DescribeNamespace	✔	✔	✔
DescribeSchedule	✔	✔	✔
DescribeTaskQueue	✔	✔	✔
DescribeWorker	✔	✔	✔
DescribeWorkerDeployment	✔	✔	✔
DescribeWorkerDeploymentVersion	✔	✔	✔
DescribeWorkflowExecution	✔	✔	✔
DescribeWorkflowRule	✔	✔	✔
ExecuteMultiOperation		✔	✔
FetchWorkerConfig	✔	✔	✔
GetSearchAttributes	✔	✔	✔
GetWorkerBuildIdCompatibility	✔	✔	✔
GetWorkerTaskReachability	✔	✔	✔
GetWorkerVersioningRules	✔	✔	✔
GetWorkflowExecutionHistory	✔	✔	✔
GetWorkflowExecutionHistoryReverse	✔	✔	✔
ListActivityExecutions	✔	✔	✔
ListBatchOperations	✔	✔	✔
ListClosedWorkflowExecutions	✔	✔	✔
ListOpenWorkflowExecutions	✔	✔	✔
ListScheduleMatchingTimes	✔	✔	✔
ListSchedules	✔	✔	✔
ListTaskQueuePartitions	✔	✔	✔
ListWorkerDeployments	✔	✔	✔
ListWorkers	✔	✔	✔
ListWorkflowExecutions	✔	✔	✔
ListWorkflowRules	✔	✔	✔
PatchSchedule		✔	✔
PauseActivity		✔	✔
PauseWorkflowExecution		✔	✔
PollActivityExecution		✔	✔
PollActivityTaskQueue		✔	✔
PollNexusTaskQueue		✔	✔
PollWorkflowExecutionUpdate		✔	✔
PollWorkflowTaskQueue		✔	✔
QueryWorkflow	✔	✔	✔
RecordActivityTaskHeartbeat		✔	✔
RecordActivityTaskHeartbeatById		✔	✔
RecordWorkerHeartbeat		✔	✔
RequestCancelActivityExecution		✔	✔
RequestCancelWorkflowExecution		✔	✔
ResetActivity		✔	✔
ResetStickyTaskQueue		✔	✔
ResetWorkflowExecution		✔	✔
RespondActivityTaskCanceled		✔	✔
RespondActivityTaskCanceledById		✔	✔
RespondActivityTaskCompleted		✔	✔
RespondActivityTaskCompletedById		✔	✔
RespondActivityTaskFailed		✔	✔
RespondActivityTaskFailedById		✔	✔
RespondNexusTaskCompleted		✔	✔
RespondNexusTaskFailed		✔	✔
RespondQueryTaskCompleted		✔	✔
RespondWorkflowTaskCompleted		✔	✔
RespondWorkflowTaskFailed		✔	✔
SetWorkerDeploymentCurrentVersion		✔	✔
SetWorkerDeploymentManager		✔	✔
SetWorkerDeploymentRampingVersion		✔	✔
ShutdownWorker		✔	✔
SignalWithStartWorkflowExecution		✔	✔
SignalWorkflowExecution		✔	✔
StartActivityExecution		✔	✔
StartBatchOperation		✔	✔
StartWorkflowExecution		✔	✔
StopBatchOperation		✔	✔
TerminateActivityExecution		✔	✔
TerminateWorkflowExecution		✔	✔
TriggerWorkflowRule		✔	✔
UnpauseActivity		✔	✔
UnpauseWorkflowExecution		✔	✔
UpdateActivityOptions		✔	✔
UpdateSchedule		✔	✔
UpdateTaskQueueConfig		✔	✔
UpdateWorkerBuildIdCompatibility		✔	✔
UpdateWorkerConfig		✔	✔
UpdateWorkerDeploymentVersionMetadata		✔	✔
UpdateWorkerVersioningRules		✔	✔
UpdateWorkflowExecution		✔	✔
UpdateWorkflowExecutionOptions		✔	✔

Custom Role permissions reference

The following tables list the permission action strings available when defining Custom Roles. Use these strings in the actions field of a Custom Role permission grant. Only non-internal permissions are listed. Permissions marked as internal (such as API key, service account, and custom role management) are reserved for predefined roles.

Account permissions

Permission	Cloud Ops API	Resource type
`cloud.account.get`	GetAccount	Account
`cloud.account.update`	UpdateAccount	Account
`cloud.asyncoperation.get`	GetAsyncOperation	Account
`cloud.auditlog.createSink`	CreateAccountAuditLogSink	Account
`cloud.auditlog.deleteSink`	DeleteAccountAuditLogSink	Account
`cloud.auditlog.getSink`	GetAccountAuditLogSink	Account
`cloud.auditlog.list`	GetAuditLogs	Account
`cloud.auditlog.listSinks`	GetAccountAuditLogSinks	Account
`cloud.auditlog.updateSink`	UpdateAccountAuditLogSink	Account
`cloud.auditlog.validateSink`	ValidateAccountAuditLogSink	Account
`cloud.billingreport.create`	CreateBillingReport	Account
`cloud.billingreport.get`	GetBillingReport	Account
`cloud.connectivityrule.list`	GetConnectivityRules	Account, Project
`cloud.migration.abort`	AbortMigration	Account
`cloud.migration.confirm`	ConfirmMigration	Account
`cloud.migration.get`	GetMigration	Account
`cloud.migration.handover`	HandoverNamespace	Account
`cloud.migration.list`	GetMigrations	Account
`cloud.migration.start`	StartMigration	Account
`cloud.namespace.list`	GetNamespaces	Account, Project
`cloud.nexusendpoint.list`	GetNexusEndpoints	Account, Project
`cloud.project.create`	CreateProject	Account
`cloud.project.list`	GetProjects	Account
`cloud.region.get`	GetRegion	Account
`cloud.region.list`	GetRegions	Account
`cloud.usage.get`	GetUsage	Account
`cloud.user.create`	CreateUser	Account
`cloud.user.delete`	DeleteUser	Account
`cloud.user.get`	GetUser	Account
`cloud.user.list`	GetUsers	Account
`cloud.user.update`	UpdateUser	Account
`cloud.usergroup.addMember`	AddUserGroupMember	Account
`cloud.usergroup.create`	CreateUserGroup	Account
`cloud.usergroup.delete`	DeleteUserGroup	Account
`cloud.usergroup.get`	GetUserGroup	Account
`cloud.usergroup.getMembers`	GetUserGroupMembers	Account
`cloud.usergroup.list`	GetUserGroups	Account
`cloud.usergroup.removeMember`	RemoveUserGroupMember	Account
`cloud.usergroup.update`	UpdateUserGroup	Account

Namespace permissions

Permission	Cloud Ops API	Resource type
`cloud.namespace.addRegion`	AddNamespaceRegion	Namespace
`cloud.namespace.capacityinfo.get`	GetNamespaceCapacityInfo	Namespace
`cloud.namespace.delete`	DeleteNamespace	Namespace
`cloud.namespace.deleteRegion`	DeleteNamespaceRegion	Namespace
`cloud.namespace.exportsink.create`	CreateNamespaceExportSink	Namespace
`cloud.namespace.exportsink.delete`	DeleteNamespaceExportSink	Namespace
`cloud.namespace.exportsink.get`	GetNamespaceExportSink	Namespace
`cloud.namespace.exportsink.list`	GetNamespaceExportSinks	Namespace
`cloud.namespace.exportsink.update`	UpdateNamespaceExportSink	Namespace
`cloud.namespace.exportsink.validate`	ValidateNamespaceExportSink	Namespace
`cloud.namespace.failoverRegion`	FailoverNamespaceRegion	Namespace
`cloud.namespace.get`	GetNamespace	Namespace
`cloud.namespace.getServiceAccountNamespaceAssignments`	GetServiceAccountNamespaceAssignments	Namespace
`cloud.namespace.getUserGroupNamespaceAssignments`	GetUserGroupNamespaceAssignments	Namespace
`cloud.namespace.getUserNamespaceAssignments`	GetUserNamespaceAssignments	Namespace
`cloud.namespace.renameCustomSearchAttribute`	RenameCustomSearchAttribute	Namespace
`cloud.namespace.setUserAccess`	SetUserNamespaceAccess	Namespace
`cloud.namespace.setUserGroupAccess`	SetUserGroupNamespaceAccess	Namespace
`cloud.namespace.update`	UpdateNamespace	Namespace
`cloud.namespace.updateTags`	UpdateNamespaceTags	Namespace

Project permissions

Permission	Cloud Ops API	Resource type
`cloud.connectivityrule.create`	CreateConnectivityRule	Project
`cloud.connectivityrule.list`	GetConnectivityRules	Account, Project
`cloud.namespace.create`	CreateNamespace	Project
`cloud.namespace.list`	GetNamespaces	Account, Project
`cloud.nexusendpoint.create`	CreateNexusEndpoint	Project
`cloud.nexusendpoint.list`	GetNexusEndpoints	Account, Project
`cloud.project.delete`	DeleteProject	Project
`cloud.project.get`	GetProject	Project
`cloud.project.getServiceAccountProjectAssignments`	GetServiceAccountProjectAssignments	Project
`cloud.project.getUserGroupProjectAssignments`	GetUserGroupProjectAssignments	Project
`cloud.project.getUserProjectAssignments`	GetUserProjectAssignments	Project
`cloud.project.setServiceAccountAccess`	SetServiceAccountProjectAccess	Project
`cloud.project.setUserAccess`	SetUserProjectAccess	Project
`cloud.project.setUserGroupAccess`	SetUserGroupProjectAccess	Project
`cloud.project.update`	UpdateProject	Project

Nexus Endpoint permissions

Permission	Cloud Ops API	Resource type
`cloud.nexusendpoint.delete`	DeleteNexusEndpoint	Nexus Endpoint
`cloud.nexusendpoint.get`	GetNexusEndpoint	Nexus Endpoint
`cloud.nexusendpoint.update`	UpdateNexusEndpoint	Nexus Endpoint

Connectivity Rule permissions

Permission	Cloud Ops API	Resource type
`cloud.connectivityrule.delete`	DeleteConnectivityRule	Connectivity Rule
`cloud.connectivityrule.get`	GetConnectivityRule	Connectivity Rule

Additional authorization behaviors

Some APIs are granted to all account-level roles but enforce additional authorization rules at runtime. The action group grants access to call the API, but the scope of what the caller can interact with depends on their role.

API key authorization behavior

All roles can create and manage their own API keys. An API key inherits the permissions of its owner — it cannot grant access beyond what the owning user or service account already has.

Behavior	Read-only	Developer	Finance Admin	Global Admin	Account Owner
Create, view, update, and delete own API keys	✔	✔	✔	✔	✔
View, update, and delete any API key in the account				✔	✔

Affected APIs: CreateApiKey, GetApiKey, GetApiKeys, UpdateApiKey, DeleteApiKey

Service account authorization behavior

All roles can list service accounts within their account. However, the ability to create, update, and delete service accounts depends on the scope of the service account and the caller's role.

Behavior	Read-only	Developer	Finance Admin	Global Admin	Account Owner
List all service accounts in the account	✔	✔	✔	✔	✔
Manage unscoped (account-level) service accounts				✔	✔
Manage Namespace-scoped service accounts	§	§	§	✔	✔

§ Requires Namespace Admin permission on the target Namespace. Any role can manage Namespace-scoped service accounts if they hold Namespace Admin on that Namespace.

Affected APIs: CreateServiceAccount, GetServiceAccount, GetServiceAccounts, UpdateServiceAccount, DeleteServiceAccount

Account-level access​

Cloud Ops API permissions​

Namespace-level permissions​

Cloud Ops API permissions​

Workflow-level permissions​

Custom Role permissions reference​

Account permissions​

Namespace permissions​

Project permissions​

Nexus Endpoint permissions​

Connectivity Rule permissions​

Additional authorization behaviors​

API key authorization behavior​

Service account authorization behavior​

Account-level access

Cloud Ops API permissions

Namespace-level permissions

Cloud Ops API permissions

Workflow-level permissions

Custom Role permissions reference

Account permissions

Namespace permissions

Project permissions

Nexus Endpoint permissions

Connectivity Rule permissions

Additional authorization behaviors

API key authorization behavior

Service account authorization behavior