Permissions reference

Temporal Cloud access controls are organized across two scopes:

• Account-level role permissions
• Namespace-level permissions

Within each scope, permissions apply to publicly documented Temporal Cloud Ops API endpoints and to additional non-Cloud Ops capabilities, such as Temporal Cloud UI and internal automation behaviors.

Account-level access

Account-level access is granted to users and service accounts by assigning them an account-level role. Temporal Cloud supports the following account-level roles:

• Account Owner
• Global Admin
• Developer
• Finance Admin
• Read-Only

Cloud Ops API permissions

This table provides API-level details for permissions granted through account-level roles. These permissions are configured per user.

Permission	Read-only	Developer	Finance Admin	Global Admin	Account Owner
AddUserGroupMember				✔	✔
CreateAccountAuditLogSink				✔	✔
CreateApiKey	✔*	✔*	✔*	✔*	✔*
CreateConnectivityRule				✔	✔
CreateNamespace		✔		✔	✔
CreateNexusEndpoint		✔		✔	✔
CreateServiceAccount	✔†	✔†	✔†	✔†	✔†
CreateUser				✔	✔
CreateUserGroup				✔	✔
DeleteAccountAuditLogSink				✔	✔
DeleteApiKey	✔*	✔*	✔*	✔*	✔*
DeleteConnectivityRule				✔	✔
DeleteNexusEndpoint		✔		✔	✔
DeleteServiceAccount	✔†	✔†	✔†	✔†	✔†
DeleteUser				✔	✔
DeleteUserGroup				✔	✔
GetAccount	✔	✔	✔	✔	✔
GetAccountAuditLogSink				✔	✔
GetAccountAuditLogSinks				✔	✔
GetApiKey	✔*	✔*	✔*	✔*	✔*
GetApiKeys	✔*	✔*	✔*	✔*	✔*
GetAsyncOperation	✔	✔	✔	✔	✔
GetAuditLogs				✔	✔
GetConnectivityRule		✔		✔	✔
GetConnectivityRules		✔		✔	✔
GetCurrentIdentity	✔	✔	✔	✔	✔
GetNamespaces	✔	✔	✔	✔	✔
GetNexusEndpoint	✔	✔	✔	✔	✔
GetNexusEndpoints	✔	✔	✔	✔	✔
GetRegion	✔	✔	✔	✔	✔
GetRegions	✔	✔	✔	✔	✔
GetServiceAccount	✔†	✔†	✔†	✔†	✔†
GetServiceAccounts	✔†	✔†	✔†	✔†	✔†
GetUsage			✔	✔	✔
GetUser	✔	✔	✔	✔	✔
GetUserGroup	✔	✔	✔	✔	✔
GetUserGroupMembers	✔	✔	✔	✔	✔
GetUserGroups	✔	✔	✔	✔	✔
GetUsers	✔	✔	✔	✔	✔
RemoveUserGroupMember				✔	✔
UpdateAccount				✔	✔
UpdateAccountAuditLogSink				✔	✔
UpdateApiKey	✔*	✔*	✔*	✔*	✔*
UpdateNamespaceTags				✔	✔
UpdateNexusEndpoint		✔		✔	✔
UpdateServiceAccount	✔†	✔†	✔†	✔†	✔†
UpdateUser				✔	✔
UpdateUserGroup				✔	✔
ValidateAccountAuditLogSink				✔	✔

• * See API Key Authorization Behavior
• † See Service Account Authorization Behavior

Namespace-level permissions

Namespace-level permissions are granted to users and service accounts by assigning them a Namespace-level permission. Temporal Cloud supports the following Namespace-level permissions:

• Namespace Admin
• Write
• Read

Users with the Global Admin and Account Owner roles automatically have Namespace Admin permissions on all Namespaces in the account.

Cloud Ops API permissions

This table provides API-level details for permissions granted through Namespace-level permissions. These permissions are configured per Namespace per user.

Permission	Read	Write	Namespace Admin
AddNamespaceRegion			✔
CreateNamespaceExportSink			✔
DeleteNamespace			✔
DeleteNamespaceExportSink			✔
DeleteNamespaceRegion			✔
FailoverNamespaceRegion			✔
GetNamespace	✔	✔	✔
GetNamespaceCapacityInfo	✔	✔	✔
GetNamespaceExportSink	✔	✔	✔
GetNamespaceExportSinks	✔	✔	✔
RenameCustomSearchAttribute			✔
SetServiceAccountNamespaceAccess			✔
SetUserGroupNamespaceAccess			✔
SetUserNamespaceAccess			✔
UpdateNamespace			✔
UpdateNamespaceExportSink			✔
ValidateNamespaceExportSink			✔

Workflow-level permissions

This table provides API-level details for Workflow-level Data Plane permissions granted through Namespace-level permissions. These permissions are configured per Namespace per user.

Permission	Read	Write	Namespace Admin
CountActivityExecutions	✔	✔	✔
CountSchedules	✔	✔	✔
CountWorkflowExecutions	✔	✔	✔
CreateSchedule		✔	✔
CreateWorkflowRule		✔	✔
DeleteActivityExecution		✔	✔
DeleteSchedule		✔	✔
DeleteWorkerDeployment		✔	✔
DeleteWorkerDeploymentVersion		✔	✔
DeleteWorkflowExecution		✔	✔
DeleteWorkflowRule		✔	✔
DescribeActivityExecution	✔	✔	✔
DescribeBatchOperation	✔	✔	✔
DescribeNamespace	✔	✔	✔
DescribeSchedule	✔	✔	✔
DescribeTaskQueue	✔	✔	✔
DescribeWorker	✔	✔	✔
DescribeWorkerDeployment	✔	✔	✔
DescribeWorkerDeploymentVersion	✔	✔	✔
DescribeWorkflowExecution	✔	✔	✔
DescribeWorkflowRule	✔	✔	✔
ExecuteMultiOperation		✔	✔
FetchWorkerConfig	✔	✔	✔
GetSearchAttributes	✔	✔	✔
GetWorkerBuildIdCompatibility	✔	✔	✔
GetWorkerTaskReachability	✔	✔	✔
GetWorkerVersioningRules	✔	✔	✔
GetWorkflowExecutionHistory	✔	✔	✔
GetWorkflowExecutionHistoryReverse	✔	✔	✔
ListActivityExecutions	✔	✔	✔
ListBatchOperations	✔	✔	✔
ListClosedWorkflowExecutions	✔	✔	✔
ListOpenWorkflowExecutions	✔	✔	✔
ListScheduleMatchingTimes	✔	✔	✔
ListSchedules	✔	✔	✔
ListTaskQueuePartitions	✔	✔	✔
ListWorkerDeployments	✔	✔	✔
ListWorkers	✔	✔	✔
ListWorkflowExecutions	✔	✔	✔
ListWorkflowRules	✔	✔	✔
PatchSchedule		✔	✔
PauseActivity		✔	✔
PauseWorkflowExecution		✔	✔
PollActivityExecution		✔	✔
PollActivityTaskQueue		✔	✔
PollNexusTaskQueue		✔	✔
PollWorkflowExecutionUpdate		✔	✔
PollWorkflowTaskQueue		✔	✔
QueryWorkflow	✔	✔	✔
RecordActivityTaskHeartbeat		✔	✔
RecordActivityTaskHeartbeatById		✔	✔
RecordWorkerHeartbeat		✔	✔
RequestCancelActivityExecution		✔	✔
RequestCancelWorkflowExecution		✔	✔
ResetActivity		✔	✔
ResetStickyTaskQueue		✔	✔
ResetWorkflowExecution		✔	✔
RespondActivityTaskCanceled		✔	✔
RespondActivityTaskCanceledById		✔	✔
RespondActivityTaskCompleted		✔	✔
RespondActivityTaskCompletedById		✔	✔
RespondActivityTaskFailed		✔	✔
RespondActivityTaskFailedById		✔	✔
RespondNexusTaskCompleted		✔	✔
RespondNexusTaskFailed		✔	✔
RespondQueryTaskCompleted		✔	✔
RespondWorkflowTaskCompleted		✔	✔
RespondWorkflowTaskFailed		✔	✔
SetWorkerDeploymentCurrentVersion		✔	✔
SetWorkerDeploymentManager		✔	✔
SetWorkerDeploymentRampingVersion		✔	✔
ShutdownWorker		✔	✔
SignalWithStartWorkflowExecution		✔	✔
SignalWorkflowExecution		✔	✔
StartActivityExecution		✔	✔
StartBatchOperation		✔	✔
StartWorkflowExecution		✔	✔
StopBatchOperation		✔	✔
TerminateActivityExecution		✔	✔
TerminateWorkflowExecution		✔	✔
TriggerWorkflowRule		✔	✔
UnpauseActivity		✔	✔
UnpauseWorkflowExecution		✔	✔
UpdateActivityOptions		✔	✔
UpdateSchedule		✔	✔
UpdateTaskQueueConfig		✔	✔
UpdateWorkerBuildIdCompatibility		✔	✔
UpdateWorkerConfig		✔	✔
UpdateWorkerDeploymentVersionMetadata		✔	✔
UpdateWorkerVersioningRules		✔	✔
UpdateWorkflowExecution		✔	✔
UpdateWorkflowExecutionOptions		✔	✔

Additional authorization behaviors

Some APIs are granted to all account-level roles but enforce additional authorization rules at runtime. The action group grants access to call the API, but the scope of what the caller can interact with depends on their role.

API key authorization behavior

All roles can create and manage their own API keys. An API key inherits the permissions of its owner — it cannot grant access beyond what the owning user or service account already has.

Behavior	Read-only	Developer	Finance Admin	Global Admin	Account Owner
Create, view, update, and delete own API keys	✔	✔	✔	✔	✔
View, update, and delete any API key in the account				✔	✔

Affected APIs: CreateApiKey, GetApiKey, GetApiKeys, UpdateApiKey, DeleteApiKey

Service account authorization behavior

All roles can list service accounts within their account. However, the ability to create, update, and delete service accounts depends on the scope of the service account and the caller's role.

Behavior	Read-only	Developer	Finance Admin	Global Admin	Account Owner
List all service accounts in the account	✔	✔	✔	✔	✔
Manage unscoped (account-level) service accounts				✔	✔
Manage Namespace-scoped service accounts	§	§	§	✔	✔

§ Requires Namespace Admin permission on the target Namespace. Any role can manage Namespace-scoped service accounts if they hold Namespace Admin on that Namespace.

Affected APIs: CreateServiceAccount, GetServiceAccount, GetServiceAccounts, UpdateServiceAccount, DeleteServiceAccount