Viewing docs for dbt Cloud v1.6.1
published on Thursday, Feb 26, 2026 by Pulumi
published on Thursday, Feb 26, 2026 by Pulumi
Viewing docs for dbt Cloud v1.6.1
published on Thursday, Feb 26, 2026 by Pulumi
published on Thursday, Feb 26, 2026 by Pulumi
Provide a partial set of permissions for an externally managed group (e.g., SCIM, manually created). This resource ONLY manages a subset of permissions and never creates or deletes groups.
This is designed for federated permission management where a platform team sets global permissions and individual teams manage their own project-specific permissions for the same group.
⚠️ Important Differences:
dbt_cloud_group: Creates group and fully manages ALL permissions (single Pulumi Stack)dbt_cloud_group_partial_permissions: Creates group and manages PARTIAL permissions (multiple Pulumi Stacks)dbt_cloud_scim_group_permissions: Externally-managed group, fully manages ALL permissions (replaces all permissions)dbt_cloud_scim_group_partial_permissions: Externally-managed group, manages PARTIAL permissions (adds/removes only specified permissions)
Use Case:
- Group exists in external identity provider (e.g., Okta, Azure AD) and syncs via SCIM
- Platform team manages base permissions (e.g., account-level access)
- Individual teams manage their own project-specific permissions
- Multiple Pulumi Stacks can safely manage different permissions for the same group
⚠️ Do not mix different resource types for the same group:
- Don’t use
dbt_cloud_scim_group_permissions(full permissions) withdbt_cloud_scim_group_partial_permissions(partial permissions) - Don’t use
dbt_cloud_groupordbt_cloud_group_partial_permissionsfor externally managed groups
The resource currently requires a Service Token with Account Admin access.
Behavior:
- When creating: Adds specified permissions to the existing group (if not already present)
- When updating: Adds new permissions and removes old permissions from this resource
- When deleting: Removes only the permissions managed by this resource (group and other permissions remain)
This resource is designed for federated permission management where multiple teams manage different permissions for the same externally-managed group (e.g., SCIM groups).
Warning: Duplicate Permissions Across States - If multiple Terraform states define the exact same permission (identical
permission_set,project_id,all_projects, andwritable_environment_categories), they will reference the same underlying permission object in dbt Cloud. This creates a conflict: when one state deletes its resource, it removes the permission from dbt Cloud, causing drift in other states that reference the same permission. Best Practice: Ensure each Terraform state manages distinct permissions. Coordinate with other teams to avoid defining identical permissions, or differentiate them usingwritable_environment_categories.
Use Case Guidelines
Choose the right resource for your use case:
| Resource | Group Creation | Permission Management | Use When |
|---|---|---|---|
dbtcloud.Group | ✅ Terraform creates | Full (replaces all) | Single Pulumi Stack manages everything |
dbtcloud.GroupPartialPermissions | ✅ Terraform creates | Partial (adds/removes) | Multiple workspaces manage same Terraform-created group |
dbtcloud.ScimGroupPermissions | ❌ External (SCIM) | Full (replaces all) | External group, single workspace manages all permissions |
dbtcloud.ScimGroupPartialPermissions | ❌ External (SCIM) | Partial (adds/removes) | External group, multiple workspaces manage different permissions |
Duplicate Permissions Across States
The Problem: If multiple Terraform states define identical permissions, they will reference the same permission object in dbt Cloud’s API. There is no reference counting or ownership tracking.
What Happens:
- State A creates a permission (e.g., developer on project 100)
- State B defines the same permission and references the existing one
- State A destroys its resource → permission is deleted from dbt Cloud
- State B still expects the permission to exist → drift and conflicts
Example of Conflict (❌ Avoid):
import * as pulumi from "@pulumi/pulumi";
import * as dbtcloud from "@pulumi/dbtcloud";
// Terraform State 1 (Platform Team)
const platform = new dbtcloud.ScimGroupPartialPermissions("platform", {
groupId: 12345,
permissions: [{
permissionSet: "developer",
projectId: 100,
allProjects: false,
writableEnvironmentCategories: ["development"],
}],
});
// Terraform State 2 (Another Team) - IDENTICAL permission!
const otherTeam = new dbtcloud.ScimGroupPartialPermissions("other_team", {
groupId: 12345,
permissions: [{
permissionSet: "developer",
projectId: 100,
allProjects: false,
writableEnvironmentCategories: ["development"],
}],
});
import pulumi
import pulumi_dbtcloud as dbtcloud
# Terraform State 1 (Platform Team)
platform = dbtcloud.ScimGroupPartialPermissions("platform",
group_id=12345,
permissions=[{
"permission_set": "developer",
"project_id": 100,
"all_projects": False,
"writable_environment_categories": ["development"],
}])
# Terraform State 2 (Another Team) - IDENTICAL permission!
other_team = dbtcloud.ScimGroupPartialPermissions("other_team",
group_id=12345,
permissions=[{
"permission_set": "developer",
"project_id": 100,
"all_projects": False,
"writable_environment_categories": ["development"],
}])
package main
import (
"github.com/pulumi/pulumi-dbtcloud/sdk/go/dbtcloud"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Terraform State 1 (Platform Team)
_, err := dbtcloud.NewScimGroupPartialPermissions(ctx, "platform", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(12345),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("developer"),
ProjectId: pulumi.Int(100),
AllProjects: pulumi.Bool(false),
WritableEnvironmentCategories: pulumi.StringArray{
pulumi.String("development"),
},
},
},
})
if err != nil {
return err
}
// Terraform State 2 (Another Team) - IDENTICAL permission!
_, err = dbtcloud.NewScimGroupPartialPermissions(ctx, "other_team", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(12345),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("developer"),
ProjectId: pulumi.Int(100),
AllProjects: pulumi.Bool(false),
WritableEnvironmentCategories: pulumi.StringArray{
pulumi.String("development"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using DbtCloud = Pulumi.DbtCloud;
return await Deployment.RunAsync(() =>
{
// Terraform State 1 (Platform Team)
var platform = new DbtCloud.ScimGroupPartialPermissions("platform", new()
{
GroupId = 12345,
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "developer",
ProjectId = 100,
AllProjects = false,
WritableEnvironmentCategories = new[]
{
"development",
},
},
},
});
// Terraform State 2 (Another Team) - IDENTICAL permission!
var otherTeam = new DbtCloud.ScimGroupPartialPermissions("other_team", new()
{
GroupId = 12345,
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "developer",
ProjectId = 100,
AllProjects = false,
WritableEnvironmentCategories = new[]
{
"development",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.dbtcloud.ScimGroupPartialPermissions;
import com.pulumi.dbtcloud.ScimGroupPartialPermissionsArgs;
import com.pulumi.dbtcloud.inputs.ScimGroupPartialPermissionsPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Terraform State 1 (Platform Team)
var platform = new ScimGroupPartialPermissions("platform", ScimGroupPartialPermissionsArgs.builder()
.groupId(12345)
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("developer")
.projectId(100)
.allProjects(false)
.writableEnvironmentCategories("development")
.build())
.build());
// Terraform State 2 (Another Team) - IDENTICAL permission!
var otherTeam = new ScimGroupPartialPermissions("otherTeam", ScimGroupPartialPermissionsArgs.builder()
.groupId(12345)
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("developer")
.projectId(100)
.allProjects(false)
.writableEnvironmentCategories("development")
.build())
.build());
}
}
resources:
# Terraform State 1 (Platform Team)
platform:
type: dbtcloud:ScimGroupPartialPermissions
properties:
groupId: 12345
permissions:
- permissionSet: developer
projectId: 100
allProjects: false
writableEnvironmentCategories:
- development
# Terraform State 2 (Another Team) - IDENTICAL permission!
otherTeam:
type: dbtcloud:ScimGroupPartialPermissions
name: other_team
properties:
groupId: 12345
permissions:
- permissionSet: developer
projectId: 100
allProjects: false
writableEnvironmentCategories:
- development
Example of Safe Usage (✅ Recommended):
import * as pulumi from "@pulumi/pulumi";
import * as dbtcloud from "@pulumi/dbtcloud";
// Terraform State 1 (Platform Team) - Development environments
const platformDev = new dbtcloud.ScimGroupPartialPermissions("platform_dev", {
groupId: 12345,
permissions: [{
permissionSet: "developer",
projectId: 100,
allProjects: false,
writableEnvironmentCategories: ["development"],
}],
});
// Terraform State 2 (SRE Team) - Production environments
const sreProd = new dbtcloud.ScimGroupPartialPermissions("sre_prod", {
groupId: 12345,
permissions: [{
permissionSet: "developer",
projectId: 100,
allProjects: false,
writableEnvironmentCategories: [
"staging",
"production",
],
}],
});
import pulumi
import pulumi_dbtcloud as dbtcloud
# Terraform State 1 (Platform Team) - Development environments
platform_dev = dbtcloud.ScimGroupPartialPermissions("platform_dev",
group_id=12345,
permissions=[{
"permission_set": "developer",
"project_id": 100,
"all_projects": False,
"writable_environment_categories": ["development"],
}])
# Terraform State 2 (SRE Team) - Production environments
sre_prod = dbtcloud.ScimGroupPartialPermissions("sre_prod",
group_id=12345,
permissions=[{
"permission_set": "developer",
"project_id": 100,
"all_projects": False,
"writable_environment_categories": [
"staging",
"production",
],
}])
package main
import (
"github.com/pulumi/pulumi-dbtcloud/sdk/go/dbtcloud"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Terraform State 1 (Platform Team) - Development environments
_, err := dbtcloud.NewScimGroupPartialPermissions(ctx, "platform_dev", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(12345),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("developer"),
ProjectId: pulumi.Int(100),
AllProjects: pulumi.Bool(false),
WritableEnvironmentCategories: pulumi.StringArray{
pulumi.String("development"),
},
},
},
})
if err != nil {
return err
}
// Terraform State 2 (SRE Team) - Production environments
_, err = dbtcloud.NewScimGroupPartialPermissions(ctx, "sre_prod", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(12345),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("developer"),
ProjectId: pulumi.Int(100),
AllProjects: pulumi.Bool(false),
WritableEnvironmentCategories: pulumi.StringArray{
pulumi.String("staging"),
pulumi.String("production"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using DbtCloud = Pulumi.DbtCloud;
return await Deployment.RunAsync(() =>
{
// Terraform State 1 (Platform Team) - Development environments
var platformDev = new DbtCloud.ScimGroupPartialPermissions("platform_dev", new()
{
GroupId = 12345,
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "developer",
ProjectId = 100,
AllProjects = false,
WritableEnvironmentCategories = new[]
{
"development",
},
},
},
});
// Terraform State 2 (SRE Team) - Production environments
var sreProd = new DbtCloud.ScimGroupPartialPermissions("sre_prod", new()
{
GroupId = 12345,
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "developer",
ProjectId = 100,
AllProjects = false,
WritableEnvironmentCategories = new[]
{
"staging",
"production",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.dbtcloud.ScimGroupPartialPermissions;
import com.pulumi.dbtcloud.ScimGroupPartialPermissionsArgs;
import com.pulumi.dbtcloud.inputs.ScimGroupPartialPermissionsPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Terraform State 1 (Platform Team) - Development environments
var platformDev = new ScimGroupPartialPermissions("platformDev", ScimGroupPartialPermissionsArgs.builder()
.groupId(12345)
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("developer")
.projectId(100)
.allProjects(false)
.writableEnvironmentCategories("development")
.build())
.build());
// Terraform State 2 (SRE Team) - Production environments
var sreProd = new ScimGroupPartialPermissions("sreProd", ScimGroupPartialPermissionsArgs.builder()
.groupId(12345)
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("developer")
.projectId(100)
.allProjects(false)
.writableEnvironmentCategories(
"staging",
"production")
.build())
.build());
}
}
resources:
# Terraform State 1 (Platform Team) - Development environments
platformDev:
type: dbtcloud:ScimGroupPartialPermissions
name: platform_dev
properties:
groupId: 12345
permissions:
- permissionSet: developer
projectId: 100
allProjects: false
writableEnvironmentCategories:
- development
# Terraform State 2 (SRE Team) - Production environments
sreProd:
type: dbtcloud:ScimGroupPartialPermissions
name: sre_prod
properties:
groupId: 12345
permissions:
- permissionSet: developer
projectId: 100
allProjects: false
writableEnvironmentCategories:
- staging
- production
Coordination Strategies:
- Differentiate by writable environments - Most common and recommended
- Assign permission ownership - Document which team manages which permission
- Use single state for identical permissions - If needed, manage from one place
- Consider full permissions resource - Use
dbtcloud.ScimGroupPermissionsif one state should own all permissions
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as dbtcloud from "@pulumi/dbtcloud";
// Retrieve the SCIM-managed group
const engineering = dbtcloud.getGroups({
name: "Engineering Team",
});
// Get the project to apply permissions to
const myProject = dbtcloud.getProject({
name: "My Analytics Project",
});
// Platform team can manage base account permissions
const baseAccess = new dbtcloud.ScimGroupPartialPermissions("base_access", {
groupId: engineering.then(engineering => engineering.groups?.[0]?.id),
permissions: [{
permissionSet: "member",
allProjects: true,
}],
});
// Project team can manage project-specific permissions independently
const projectAccess = new dbtcloud.ScimGroupPartialPermissions("project_access", {
groupId: engineering.then(engineering => engineering.groups?.[0]?.id),
permissions: [
{
permissionSet: "developer",
projectId: myProject.then(myProject => myProject.id),
allProjects: false,
writableEnvironmentCategories: [
"development",
"staging",
],
},
{
permissionSet: "job_admin",
projectId: myProject.then(myProject => myProject.id),
allProjects: false,
},
],
});
// Example: Multiple projects managed by different teams
const analytics = dbtcloud.getProject({
name: "Analytics",
});
const dataScience = dbtcloud.getProject({
name: "Data Science",
});
// Analytics team manages their own project permissions
const analyticsScimGroupPartialPermissions = new dbtcloud.ScimGroupPartialPermissions("analytics", {
groupId: engineering.then(engineering => engineering.groups?.[0]?.id),
permissions: [{
permissionSet: "developer",
projectId: analytics.then(analytics => analytics.id),
allProjects: false,
writableEnvironmentCategories: ["development"],
}],
});
// Data Science team manages their own project permissions
const dataScienceScimGroupPartialPermissions = new dbtcloud.ScimGroupPartialPermissions("data_science", {
groupId: engineering.then(engineering => engineering.groups?.[0]?.id),
permissions: [{
permissionSet: "analyst",
projectId: dataScience.then(dataScience => dataScience.id),
allProjects: false,
}],
});
import pulumi
import pulumi_dbtcloud as dbtcloud
# Retrieve the SCIM-managed group
engineering = dbtcloud.get_groups(name="Engineering Team")
# Get the project to apply permissions to
my_project = dbtcloud.get_project(name="My Analytics Project")
# Platform team can manage base account permissions
base_access = dbtcloud.ScimGroupPartialPermissions("base_access",
group_id=engineering.groups[0].id,
permissions=[{
"permission_set": "member",
"all_projects": True,
}])
# Project team can manage project-specific permissions independently
project_access = dbtcloud.ScimGroupPartialPermissions("project_access",
group_id=engineering.groups[0].id,
permissions=[
{
"permission_set": "developer",
"project_id": my_project.id,
"all_projects": False,
"writable_environment_categories": [
"development",
"staging",
],
},
{
"permission_set": "job_admin",
"project_id": my_project.id,
"all_projects": False,
},
])
# Example: Multiple projects managed by different teams
analytics = dbtcloud.get_project(name="Analytics")
data_science = dbtcloud.get_project(name="Data Science")
# Analytics team manages their own project permissions
analytics_scim_group_partial_permissions = dbtcloud.ScimGroupPartialPermissions("analytics",
group_id=engineering.groups[0].id,
permissions=[{
"permission_set": "developer",
"project_id": analytics.id,
"all_projects": False,
"writable_environment_categories": ["development"],
}])
# Data Science team manages their own project permissions
data_science_scim_group_partial_permissions = dbtcloud.ScimGroupPartialPermissions("data_science",
group_id=engineering.groups[0].id,
permissions=[{
"permission_set": "analyst",
"project_id": data_science.id,
"all_projects": False,
}])
package main
import (
"github.com/pulumi/pulumi-dbtcloud/sdk/go/dbtcloud"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Retrieve the SCIM-managed group
engineering, err := dbtcloud.GetGroups(ctx, &dbtcloud.GetGroupsArgs{
Name: pulumi.StringRef("Engineering Team"),
}, nil)
if err != nil {
return err
}
// Get the project to apply permissions to
myProject, err := dbtcloud.LookupProject(ctx, &dbtcloud.LookupProjectArgs{
Name: pulumi.StringRef("My Analytics Project"),
}, nil)
if err != nil {
return err
}
// Platform team can manage base account permissions
_, err = dbtcloud.NewScimGroupPartialPermissions(ctx, "base_access", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(engineering.Groups[0].Id),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("member"),
AllProjects: pulumi.Bool(true),
},
},
})
if err != nil {
return err
}
// Project team can manage project-specific permissions independently
_, err = dbtcloud.NewScimGroupPartialPermissions(ctx, "project_access", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(engineering.Groups[0].Id),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("developer"),
ProjectId: pulumi.Int(myProject.Id),
AllProjects: pulumi.Bool(false),
WritableEnvironmentCategories: pulumi.StringArray{
pulumi.String("development"),
pulumi.String("staging"),
},
},
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("job_admin"),
ProjectId: pulumi.Int(myProject.Id),
AllProjects: pulumi.Bool(false),
},
},
})
if err != nil {
return err
}
// Example: Multiple projects managed by different teams
analytics, err := dbtcloud.LookupProject(ctx, &dbtcloud.LookupProjectArgs{
Name: pulumi.StringRef("Analytics"),
}, nil)
if err != nil {
return err
}
dataScience, err := dbtcloud.LookupProject(ctx, &dbtcloud.LookupProjectArgs{
Name: pulumi.StringRef("Data Science"),
}, nil)
if err != nil {
return err
}
// Analytics team manages their own project permissions
_, err = dbtcloud.NewScimGroupPartialPermissions(ctx, "analytics", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(engineering.Groups[0].Id),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("developer"),
ProjectId: pulumi.Int(analytics.Id),
AllProjects: pulumi.Bool(false),
WritableEnvironmentCategories: pulumi.StringArray{
pulumi.String("development"),
},
},
},
})
if err != nil {
return err
}
// Data Science team manages their own project permissions
_, err = dbtcloud.NewScimGroupPartialPermissions(ctx, "data_science", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(engineering.Groups[0].Id),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
PermissionSet: pulumi.String("analyst"),
ProjectId: pulumi.Int(dataScience.Id),
AllProjects: pulumi.Bool(false),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using DbtCloud = Pulumi.DbtCloud;
return await Deployment.RunAsync(() =>
{
// Retrieve the SCIM-managed group
var engineering = DbtCloud.GetGroups.Invoke(new()
{
Name = "Engineering Team",
});
// Get the project to apply permissions to
var myProject = DbtCloud.GetProject.Invoke(new()
{
Name = "My Analytics Project",
});
// Platform team can manage base account permissions
var baseAccess = new DbtCloud.ScimGroupPartialPermissions("base_access", new()
{
GroupId = engineering.Apply(getGroupsResult => getGroupsResult.Groups[0]?.Id),
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "member",
AllProjects = true,
},
},
});
// Project team can manage project-specific permissions independently
var projectAccess = new DbtCloud.ScimGroupPartialPermissions("project_access", new()
{
GroupId = engineering.Apply(getGroupsResult => getGroupsResult.Groups[0]?.Id),
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "developer",
ProjectId = myProject.Apply(getProjectResult => getProjectResult.Id),
AllProjects = false,
WritableEnvironmentCategories = new[]
{
"development",
"staging",
},
},
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "job_admin",
ProjectId = myProject.Apply(getProjectResult => getProjectResult.Id),
AllProjects = false,
},
},
});
// Example: Multiple projects managed by different teams
var analytics = DbtCloud.GetProject.Invoke(new()
{
Name = "Analytics",
});
var dataScience = DbtCloud.GetProject.Invoke(new()
{
Name = "Data Science",
});
// Analytics team manages their own project permissions
var analyticsScimGroupPartialPermissions = new DbtCloud.ScimGroupPartialPermissions("analytics", new()
{
GroupId = engineering.Apply(getGroupsResult => getGroupsResult.Groups[0]?.Id),
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "developer",
ProjectId = analytics.Apply(getProjectResult => getProjectResult.Id),
AllProjects = false,
WritableEnvironmentCategories = new[]
{
"development",
},
},
},
});
// Data Science team manages their own project permissions
var dataScienceScimGroupPartialPermissions = new DbtCloud.ScimGroupPartialPermissions("data_science", new()
{
GroupId = engineering.Apply(getGroupsResult => getGroupsResult.Groups[0]?.Id),
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
PermissionSet = "analyst",
ProjectId = dataScience.Apply(getProjectResult => getProjectResult.Id),
AllProjects = false,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.dbtcloud.DbtcloudFunctions;
import com.pulumi.dbtcloud.inputs.GetGroupsArgs;
import com.pulumi.dbtcloud.inputs.GetProjectArgs;
import com.pulumi.dbtcloud.ScimGroupPartialPermissions;
import com.pulumi.dbtcloud.ScimGroupPartialPermissionsArgs;
import com.pulumi.dbtcloud.inputs.ScimGroupPartialPermissionsPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Retrieve the SCIM-managed group
final var engineering = DbtcloudFunctions.getGroups(GetGroupsArgs.builder()
.name("Engineering Team")
.build());
// Get the project to apply permissions to
final var myProject = DbtcloudFunctions.getProject(GetProjectArgs.builder()
.name("My Analytics Project")
.build());
// Platform team can manage base account permissions
var baseAccess = new ScimGroupPartialPermissions("baseAccess", ScimGroupPartialPermissionsArgs.builder()
.groupId(engineering.groups()[0].id())
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("member")
.allProjects(true)
.build())
.build());
// Project team can manage project-specific permissions independently
var projectAccess = new ScimGroupPartialPermissions("projectAccess", ScimGroupPartialPermissionsArgs.builder()
.groupId(engineering.groups()[0].id())
.permissions(
ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("developer")
.projectId(myProject.id())
.allProjects(false)
.writableEnvironmentCategories(
"development",
"staging")
.build(),
ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("job_admin")
.projectId(myProject.id())
.allProjects(false)
.build())
.build());
// Example: Multiple projects managed by different teams
final var analytics = DbtcloudFunctions.getProject(GetProjectArgs.builder()
.name("Analytics")
.build());
final var dataScience = DbtcloudFunctions.getProject(GetProjectArgs.builder()
.name("Data Science")
.build());
// Analytics team manages their own project permissions
var analyticsScimGroupPartialPermissions = new ScimGroupPartialPermissions("analyticsScimGroupPartialPermissions", ScimGroupPartialPermissionsArgs.builder()
.groupId(engineering.groups()[0].id())
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("developer")
.projectId(analytics.id())
.allProjects(false)
.writableEnvironmentCategories("development")
.build())
.build());
// Data Science team manages their own project permissions
var dataScienceScimGroupPartialPermissions = new ScimGroupPartialPermissions("dataScienceScimGroupPartialPermissions", ScimGroupPartialPermissionsArgs.builder()
.groupId(engineering.groups()[0].id())
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.permissionSet("analyst")
.projectId(dataScience.id())
.allProjects(false)
.build())
.build());
}
}
resources:
# Platform team can manage base account permissions
baseAccess:
type: dbtcloud:ScimGroupPartialPermissions
name: base_access
properties:
groupId: ${engineering.groups[0].id}
permissions:
- permissionSet: member
allProjects: true
# Project team can manage project-specific permissions independently
projectAccess:
type: dbtcloud:ScimGroupPartialPermissions
name: project_access
properties:
groupId: ${engineering.groups[0].id}
permissions:
- permissionSet: developer
projectId: ${myProject.id}
allProjects: false
writableEnvironmentCategories:
- development
- staging
- permissionSet: job_admin
projectId: ${myProject.id}
allProjects: false
# Analytics team manages their own project permissions
analyticsScimGroupPartialPermissions:
type: dbtcloud:ScimGroupPartialPermissions
name: analytics
properties:
groupId: ${engineering.groups[0].id}
permissions:
- permissionSet: developer
projectId: ${analytics.id}
allProjects: false
writableEnvironmentCategories:
- development
# Data Science team manages their own project permissions
dataScienceScimGroupPartialPermissions:
type: dbtcloud:ScimGroupPartialPermissions
name: data_science
properties:
groupId: ${engineering.groups[0].id}
permissions:
- permissionSet: analyst
projectId: ${dataScience.id}
allProjects: false
variables:
# Retrieve the SCIM-managed group
engineering:
fn::invoke:
function: dbtcloud:getGroups
arguments:
name: Engineering Team
# Get the project to apply permissions to
myProject:
fn::invoke:
function: dbtcloud:getProject
arguments:
name: My Analytics Project
# Example: Multiple projects managed by different teams
analytics:
fn::invoke:
function: dbtcloud:getProject
arguments:
name: Analytics
dataScience:
fn::invoke:
function: dbtcloud:getProject
arguments:
name: Data Science
Create ScimGroupPartialPermissions Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ScimGroupPartialPermissions(name: string, args: ScimGroupPartialPermissionsArgs, opts?: CustomResourceOptions);@overload
def ScimGroupPartialPermissions(resource_name: str,
args: ScimGroupPartialPermissionsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ScimGroupPartialPermissions(resource_name: str,
opts: Optional[ResourceOptions] = None,
group_id: Optional[int] = None,
permissions: Optional[Sequence[ScimGroupPartialPermissionsPermissionArgs]] = None)func NewScimGroupPartialPermissions(ctx *Context, name string, args ScimGroupPartialPermissionsArgs, opts ...ResourceOption) (*ScimGroupPartialPermissions, error)public ScimGroupPartialPermissions(string name, ScimGroupPartialPermissionsArgs args, CustomResourceOptions? opts = null)
public ScimGroupPartialPermissions(String name, ScimGroupPartialPermissionsArgs args)
public ScimGroupPartialPermissions(String name, ScimGroupPartialPermissionsArgs args, CustomResourceOptions options)
type: dbtcloud:ScimGroupPartialPermissions
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ScimGroupPartialPermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ScimGroupPartialPermissionsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ScimGroupPartialPermissionsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ScimGroupPartialPermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ScimGroupPartialPermissionsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var scimGroupPartialPermissionsResource = new DbtCloud.ScimGroupPartialPermissions("scimGroupPartialPermissionsResource", new()
{
GroupId = 0,
Permissions = new[]
{
new DbtCloud.Inputs.ScimGroupPartialPermissionsPermissionArgs
{
AllProjects = false,
PermissionSet = "string",
ProjectId = 0,
WritableEnvironmentCategories = new[]
{
"string",
},
},
},
});
example, err := dbtcloud.NewScimGroupPartialPermissions(ctx, "scimGroupPartialPermissionsResource", &dbtcloud.ScimGroupPartialPermissionsArgs{
GroupId: pulumi.Int(0),
Permissions: dbtcloud.ScimGroupPartialPermissionsPermissionArray{
&dbtcloud.ScimGroupPartialPermissionsPermissionArgs{
AllProjects: pulumi.Bool(false),
PermissionSet: pulumi.String("string"),
ProjectId: pulumi.Int(0),
WritableEnvironmentCategories: pulumi.StringArray{
pulumi.String("string"),
},
},
},
})
var scimGroupPartialPermissionsResource = new ScimGroupPartialPermissions("scimGroupPartialPermissionsResource", ScimGroupPartialPermissionsArgs.builder()
.groupId(0)
.permissions(ScimGroupPartialPermissionsPermissionArgs.builder()
.allProjects(false)
.permissionSet("string")
.projectId(0)
.writableEnvironmentCategories("string")
.build())
.build());
scim_group_partial_permissions_resource = dbtcloud.ScimGroupPartialPermissions("scimGroupPartialPermissionsResource",
group_id=0,
permissions=[{
"all_projects": False,
"permission_set": "string",
"project_id": 0,
"writable_environment_categories": ["string"],
}])
const scimGroupPartialPermissionsResource = new dbtcloud.ScimGroupPartialPermissions("scimGroupPartialPermissionsResource", {
groupId: 0,
permissions: [{
allProjects: false,
permissionSet: "string",
projectId: 0,
writableEnvironmentCategories: ["string"],
}],
});
type: dbtcloud:ScimGroupPartialPermissions
properties:
groupId: 0
permissions:
- allProjects: false
permissionSet: string
projectId: 0
writableEnvironmentCategories:
- string
ScimGroupPartialPermissions Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ScimGroupPartialPermissions resource accepts the following input properties:
- Group
Id int - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- Permissions
List<Pulumi.
Dbt Cloud. Inputs. Scim Group Partial Permissions Permission> - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- Group
Id int - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- Permissions
[]Scim
Group Partial Permissions Permission Args - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group
Id Integer - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions
List<Scim
Group Partial Permissions Permission> - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group
Id number - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions
Scim
Group Partial Permissions Permission[] - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group_
id int - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions
Sequence[Scim
Group Partial Permissions Permission Args] - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group
Id Number - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions List<Property Map>
- Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
Outputs
All input properties are implicitly available as output properties. Additionally, the ScimGroupPartialPermissions resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ScimGroupPartialPermissions Resource
Get an existing ScimGroupPartialPermissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ScimGroupPartialPermissionsState, opts?: CustomResourceOptions): ScimGroupPartialPermissions@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
group_id: Optional[int] = None,
permissions: Optional[Sequence[ScimGroupPartialPermissionsPermissionArgs]] = None) -> ScimGroupPartialPermissionsfunc GetScimGroupPartialPermissions(ctx *Context, name string, id IDInput, state *ScimGroupPartialPermissionsState, opts ...ResourceOption) (*ScimGroupPartialPermissions, error)public static ScimGroupPartialPermissions Get(string name, Input<string> id, ScimGroupPartialPermissionsState? state, CustomResourceOptions? opts = null)public static ScimGroupPartialPermissions get(String name, Output<String> id, ScimGroupPartialPermissionsState state, CustomResourceOptions options)resources: _: type: dbtcloud:ScimGroupPartialPermissions get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Group
Id int - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- Permissions
List<Pulumi.
Dbt Cloud. Inputs. Scim Group Partial Permissions Permission> - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- Group
Id int - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- Permissions
[]Scim
Group Partial Permissions Permission Args - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group
Id Integer - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions
List<Scim
Group Partial Permissions Permission> - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group
Id number - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions
Scim
Group Partial Permissions Permission[] - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group_
id int - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions
Sequence[Scim
Group Partial Permissions Permission Args] - Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
- group
Id Number - The ID of the existing group to manage partial permissions for. This group must already exist and is typically from an external identity provider synced via SCIM.
- permissions List<Property Map>
- Partial set of permissions to apply to the group. These permissions will be added to any existing permissions. Other permissions on the group will not be affected.
Supporting Types
ScimGroupPartialPermissionsPermission, ScimGroupPartialPermissionsPermissionArgs
- All
Projects bool - Whether access should be provided for all projects or not.
- Permission
Set string - Set of permissions to apply. The permissions allowed are the same as the ones for the
dbtcloud.Groupresource. - Project
Id int - Project ID to apply this permission to for this group.
- Writable
Environment List<string>Categories - What types of environments to apply Write permissions to.
Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
The values allowed are
all,development,staging,productionandother. Not setting a value is the same as selectingall. Not all permission sets support environment level write settings, onlyanalyst,database_admin,developer,git_adminandteam_admin.
- All
Projects bool - Whether access should be provided for all projects or not.
- Permission
Set string - Set of permissions to apply. The permissions allowed are the same as the ones for the
dbtcloud.Groupresource. - Project
Id int - Project ID to apply this permission to for this group.
- Writable
Environment []stringCategories - What types of environments to apply Write permissions to.
Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
The values allowed are
all,development,staging,productionandother. Not setting a value is the same as selectingall. Not all permission sets support environment level write settings, onlyanalyst,database_admin,developer,git_adminandteam_admin.
- all
Projects Boolean - Whether access should be provided for all projects or not.
- permission
Set String - Set of permissions to apply. The permissions allowed are the same as the ones for the
dbtcloud.Groupresource. - project
Id Integer - Project ID to apply this permission to for this group.
- writable
Environment List<String>Categories - What types of environments to apply Write permissions to.
Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
The values allowed are
all,development,staging,productionandother. Not setting a value is the same as selectingall. Not all permission sets support environment level write settings, onlyanalyst,database_admin,developer,git_adminandteam_admin.
- all
Projects boolean - Whether access should be provided for all projects or not.
- permission
Set string - Set of permissions to apply. The permissions allowed are the same as the ones for the
dbtcloud.Groupresource. - project
Id number - Project ID to apply this permission to for this group.
- writable
Environment string[]Categories - What types of environments to apply Write permissions to.
Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
The values allowed are
all,development,staging,productionandother. Not setting a value is the same as selectingall. Not all permission sets support environment level write settings, onlyanalyst,database_admin,developer,git_adminandteam_admin.
- all_
projects bool - Whether access should be provided for all projects or not.
- permission_
set str - Set of permissions to apply. The permissions allowed are the same as the ones for the
dbtcloud.Groupresource. - project_
id int - Project ID to apply this permission to for this group.
- writable_
environment_ Sequence[str]categories - What types of environments to apply Write permissions to.
Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
The values allowed are
all,development,staging,productionandother. Not setting a value is the same as selectingall. Not all permission sets support environment level write settings, onlyanalyst,database_admin,developer,git_adminandteam_admin.
- all
Projects Boolean - Whether access should be provided for all projects or not.
- permission
Set String - Set of permissions to apply. The permissions allowed are the same as the ones for the
dbtcloud.Groupresource. - project
Id Number - Project ID to apply this permission to for this group.
- writable
Environment List<String>Categories - What types of environments to apply Write permissions to.
Even if Write access is restricted to some environment types, the permission set will have Read access to all environments.
The values allowed are
all,development,staging,productionandother. Not setting a value is the same as selectingall. Not all permission sets support environment level write settings, onlyanalyst,database_admin,developer,git_adminandteam_admin.
Import
Import Not Supported: This resource does not support
pulumi importbecause it manages only a partial subset of permissions. There is no way for Terraform to know which specific permissions this resource instance should manage versus permissions managed by other resources or applied outside of Terraform. You must define the resource in your configuration from the start.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- dbtcloud pulumi/pulumi-dbtcloud
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
dbtcloudTerraform Provider.
Viewing docs for dbt Cloud v1.6.1
published on Thursday, Feb 26, 2026 by Pulumi
published on Thursday, Feb 26, 2026 by Pulumi
