Workspaces and Teams
DeployClear is built from the ground up to support multi-tenant enterprise environments. Whether you are a solo developer or a 500-person platform engineering organization, understanding how Resources and Access relate is core to mastering DeployClear.
The Organization
The Organization is the top-level boundary in DeployClear. When you sign up, you automatically create an Organization. An Organization owns:
- Billing & Invoices
- Members (Users that have access to the org)
- Integrations (Global configurations such as your GitHub Application Installation or Vault provider settings).
Organizations do not contain Terraform.
The Team
A Team (often called a Workspace; the terms are used interchangeably) is a strictly isolated boundary within an Organization. A single Organization can have unlimited Teams.
Teams own:
- Blocks (Terraform configuration)
- Jobs & Requests (The execution history and approval queue)
- Secrets (Encrypted variables injected into runners at runtime)
- Audit Logs (The immutable record of actions taken in that Team)
- State Backend (Where the actual .tfstate files are pushed and locked)
Example Structure
```mermaid
graph TD
    Org["Acme Corp (Organization)"] --> Team1["Platform (Team)"]
    Org --> Team2["Data Engineering (Team)"]
    Org --> Team3["Frontend Operations (Team)"]
```

Members in Data Engineering cannot see the Jobs, Secrets, or Blocks inside Platform unless they are explicitly invited to the Platform team.
Navigating Teams
You can freely switch between Teams at any time using the Team drop-down in the left-side navigation bar.
Role-Based Access Control (RBAC)
DeployClear automatically enforces a strict, built-in four-tier Role-Based Access Control model on every route and API endpoint.
When you invite a user to a Team, you assign them one of the following roles:
| Role | Capabilities | Ideal For |
|---|---|---|
| Owner | Full destructive access. Can change Billing, manage Org Access, delete the Team, and manage all Settings. | Technical Founders or IT Directors |
| Admin | Full operational access. Can invite members to the Team, configure the State Backend, and edit GitHub sources. Cannot manage Billing or delete the Org. | Lead Engineers & SREs |
| DevOps | Can create Blocks, Manage Variables, view the Audit Log, and Approve or Reject Deployment Requests. | Senior Developers & DevOps Engineers |
| Member | Read-only access to infrastructure. Can request a deployment, view Block code, and see limited read-only resources like the Overview page. | Junior Developers or Product Managers |
Approval Limits
A user with the Member role can request a deployment (spinning up a terraform plan), but they cannot approve it. Only a DevOps, Admin, or Owner can approve the execution of terraform apply.
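The role table and approval rule above can be modeled as a deny-by-default check and used to review approval records. This is an added example, not DeployClear's own code: it assumes the four tiers are cumulative, and the action names, users, and events are constructed for illustration.

```python
from enum import IntEnum

class Role(IntEnum):          # ordered so a higher tier compares greater
    MEMBER = 1
    DEVOPS = 2
    ADMIN = 3
    OWNER = 4

# Lowest role allowed to perform each action, transcribed from the role table.
# Action names are hypothetical labels, not DeployClear API identifiers.
MIN_ROLE = {
    "view_block": Role.MEMBER,
    "request_deployment": Role.MEMBER,
    "create_block": Role.DEVOPS,
    "manage_variables": Role.DEVOPS,
    "view_audit_log": Role.DEVOPS,
    "approve_request": Role.DEVOPS,
    "invite_member": Role.ADMIN,
    "configure_state_backend": Role.ADMIN,
    "manage_billing": Role.OWNER,
    "delete_team": Role.OWNER,
}

def is_allowed(memberships, team, action):
    """memberships maps Team name -> Role for one user. Deny by default."""
    role = memberships.get(team)       # None: never invited to this Team
    required = MIN_ROLE.get(action)    # None: action not in the policy
    if role is None or required is None:
        return False
    return role >= required

def invalid_approvals(events, directory):
    """Return approval events whose actor lacked approve rights in that Team."""
    return [e for e in events
            if e["action"] == "approve_request"
            and not is_allowed(directory.get(e["actor"], {}), e["team"], e["action"])]

# Constructed sample data: per-user Team memberships and approval records.
DIRECTORY = {
    "alice": {"Platform": Role.OWNER, "Data Engineering": Role.ADMIN},
    "bob": {"Data Engineering": Role.DEVOPS},
    "carol": {"Platform": Role.MEMBER},
}
EVENTS = [
    {"actor": "alice", "team": "Platform", "action": "approve_request", "job": "job-1"},
    {"actor": "carol", "team": "Platform", "action": "approve_request", "job": "job-2"},
    {"actor": "bob", "team": "Platform", "action": "approve_request", "job": "job-3"},
    {"actor": "bob", "team": "Data Engineering", "action": "approve_request", "job": "job-4"},
]
```

Calling `invalid_approvals(EVENTS, DIRECTORY)` flags job-2 (a Member approving) and job-3 (a DevOps user approving in a Team they were never invited to).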