Skip to main content
Restricted environments let organization Admins lock down specific environments so that only designated users can modify settings and configurations. Use restricted environments to prevent unauthorized changes to critical environments like production. For more information on user roles, see Access control and Environments.

​
How restricted environments work

By default, environments are unrestricted, meaning any organization member can modify deployments, autoscaling settings, and other configurations. When you mark an environment as restricted, only users you explicitly grant access can make changes. Restricted environments apply across all models and Chains in your organization. For example, if you restrict an environment named production, that restriction applies to every model and chain’s production environment, not just one specific model or chain.
If your organization uses teams, restricted environments are scoped to individual teams. Team Admins can create and manage restricted environments for their team.

​
Permissions by access level

ActionWith accessWithout access
View environment and configurationβœ…βœ… (read-only)
View metricsβœ…βœ… (read-only)
Call inference on models and chainsβœ…βœ…
View logsβœ…βœ…
Modify deployment settingsβœ…βŒ
Change autoscaling configurationsβœ…βŒ
Promote deployments to the environmentβœ…βŒ
Manage environment-specific settingsβœ…βŒ
Users without access see a grayed-out UI for restricted actions. They retain full read access and can still call inference endpoints.

​
Managing restricted environments

Only organization Admins can create or modify restricted environments. Members (non-admin users) can only create unrestricted environments and cannot change environment restrictions.

​
From the environments page

  1. Navigate to Settings and then choose Environments.
  2. Select an existing environment to modify, or select Create environment to create a new one.
  3. Set the access level to Restricted.
  4. Add users by searching by name or by email.
  5. Select Save changes or Create environment.

​
From a model or chain

  1. Go to your model or chain’s management page.
  2. Select an existing environment to modify, or select Add environment then Create environment to create a new one.
  3. Set the access level to Restricted.
  4. Add users by searching by name or by email.
  5. Select Save changes or Create environment.
Only admins can create restricted environments, and all admins have implicit access to every restricted environment. If an admin is later demoted to a member role, they lose this implicit access and can be removed from the environment like any other member.

​
API behavior

Restricted environments apply the same permission checks to API and truss CLI operations as the UI. API keys inherit the permissions of their associated user. If you attempt to modify a restricted environment using an API key associated with a user without access, you’ll receive a 403 Forbidden error. This includes operations like: Users without access can still call inference endpoints, as restrictions only apply to management operations.