> ## Documentation Index
> Fetch the complete documentation index at: https://docs.monk.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Project Organization

> Cluster assignment, team secrets, and environment-scoped access control

## The Short Version

You've got environments. You've got clusters. You've got teammates who shouldn't touch production. Project Organization is where those three things connect.

No config files. No manual wiring. You tell Monk the rules, and it enforces them.

## Cluster Assignment

Every environment maps to one cluster. That's the boundary.

```
link staging to my-digitalocean-cluster
link prod to my-aws-cluster
```

Multiple environments can share a cluster -- Monk separates them with tags. Or give each environment its own cluster. Either way, you set it once and deployments route automatically.

Change a link anytime. Existing deployments aren't affected.

## Team Secrets

Secrets are environment-scoped. Staging gets its own `DATABASE_URL`. Production gets a different one. They don't leak across boundaries.

```
add DATABASE_URL as a team secret for staging
```

Team secrets require two things:

* An organization context
* An environment linked to an org cluster

Once that's in place, every org member with the right permissions sees the same secrets for that environment. Monk stores them on the cluster.

## Environment-Scoped RBAC

You can lock down access per environment. A junior dev gets deploy rights to staging. Production stays off-limits.

Permissions use path-based scoping:

* `/environments/staging/templates/**` -- staging templates only
* `/environments/*/secrets/**` -- secrets across all environments

That's it. Define the role, assign it, and Monk handles enforcement.

```
create a role called staging-deployer with deploy access to /environments/staging/templates/**
```

## Putting It Together

A typical setup looks like this:

```
link dev to my-local-cluster
link staging to my-digitalocean-cluster
link prod to my-aws-cluster
```

Dev, staging, and prod each hit different infrastructure. Secrets stay isolated per environment. RBAC controls who can touch what. You manage the whole thing in chat or the Clusters panel.

<CardGroup cols={2}>
  <Card title="Multiple Environments" icon="layer-group" href="/features/environments">
    Creating, deploying, and managing environment lifecycles.
  </Card>

  <Card title="Access Control & Security" icon="lock" href="/features/access-control">
    RBAC roles, permissions, and audit logging.
  </Card>
</CardGroup>