diff --git a/README.md b/README.md index 7306bc5..c39026f 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ No modules. | Name | Type | |------|------| | [tfe_notification_configuration.default](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/notification_configuration) | resource | -| [tfe_team_access.defautl](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/team_access) | resource | +| [tfe_team_access.default](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/team_access) | resource | | [tfe_variable.clear_text_env_variables](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource | | [tfe_variable.clear_text_hcl_variables](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource | | [tfe_variable.clear_text_terraform_variables](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource | @@ -38,6 +38,7 @@ No modules. | [tfe_variable.sensitive_terraform_variables](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource | | [tfe_workspace.default](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/workspace) | resource | | [tfe_workspace_settings.default](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/workspace_settings) | resource | +| [tfe_team.default](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/team) | data source | ## Inputs @@ -66,7 +67,7 @@ No modules. | [sensitive\_hcl\_variables](#input\_sensitive\_hcl\_variables) | An optional map with sensitive HCL Terraform variables |
map(object({| `{}` | no | | [sensitive\_terraform\_variables](#input\_sensitive\_terraform\_variables) | An optional map with sensitive Terraform variables | `map(string)` | `{}` | no | | [ssh\_key\_id](#input\_ssh\_key\_id) | The SSH key ID to assign to the workspace | `string` | `null` | no | -| [team\_access](#input\_team\_access) | An optional map with team IDs and workspace access to assign |
sensitive = string
}))
map(object({| `{}` | no | +| [team\_access](#input\_team\_access) | Map of team names and either type of fixed access or custom permissions to assign |
access = string,
team_id = string,
}))
map(object({| `{}` | no | | [terraform\_version](#input\_terraform\_version) | The version of Terraform to use for this workspace | `string` | `"latest"` | no | | [trigger\_prefixes](#input\_trigger\_prefixes) | List of repository-root-relative paths which should be tracked for changes | `list(string)` |
access = optional(string, null),
permissions = optional(object({
run_tasks = bool
runs = string
sentinel_mocks = string
state_versions = string
variables = string
workspace_locking = bool
}), null)
}))
[| no | | [working\_directory](#input\_working\_directory) | A relative path that Terraform will execute within | `string` | `"terraform"` | no | diff --git a/main.tf b/main.tf index 24753ec..f8eb56e 100644 --- a/main.tf +++ b/main.tf @@ -2,20 +2,24 @@ locals { connect_vcs_repo = var.repository_identifier != null ? { create = true } : {} } +################################################################################ +# Workspace +################################################################################ + resource "tfe_workspace" "default" { name = var.name - organization = var.terraform_organization auto_apply = var.auto_apply auto_apply_run_trigger = var.auto_apply_run_trigger file_triggers_enabled = var.file_triggers_enabled global_remote_state = var.global_remote_state + organization = var.terraform_organization project_id = var.project_id + queue_all_runs = var.queue_all_runs remote_state_consumer_ids = var.remote_state_consumer_ids ssh_key_id = var.ssh_key_id tag_names = var.workspace_tags terraform_version = var.terraform_version trigger_prefixes = var.trigger_prefixes - queue_all_runs = var.queue_all_runs working_directory = var.working_directory dynamic "vcs_repo" { @@ -48,14 +52,6 @@ resource "tfe_notification_configuration" "default" { workspace_id = tfe_workspace.default.id } -resource "tfe_team_access" "defautl" { - for_each = var.team_access - - access = each.value.access - team_id = each.value.team_id - workspace_id = tfe_workspace.default.id -} - resource "tfe_variable" "clear_text_env_variables" { for_each = var.clear_text_env_variables 
@@ -114,3 +110,35 @@ resource "tfe_variable" "sensitive_terraform_variables" {
 sensitive = true
 workspace_id = tfe_workspace.default.id
 }
+
+################################################################################
+# RBAC
+################################################################################
+
+data "tfe_team" "default" {
+ for_each = toset(keys(var.team_access))
+
+ name = each.value
+ organization = var.terraform_organization
+}
+
+resource "tfe_team_access" "default" {
+ for_each = var.team_access
+
+ access = each.value.access
+ team_id = data.tfe_team.default[each.key].id
+ workspace_id = tfe_workspace.default.id
+
+ dynamic "permissions" {
+ for_each = each.value.permissions != null ? { create = true } : {}
+
+ content {
+ run_tasks = each.value.permissions["run_tasks"]
+ runs = each.value.permissions["runs"]
+ sentinel_mocks = each.value.permissions["sentinel_mocks"]
+ state_versions = each.value.permissions["state_versions"]
+ variables = each.value.permissions["variables"]
+ workspace_locking = each.value.permissions["workspace_locking"]
+ }
+ }
+}
diff --git a/moved.tf b/moved.tf
new file mode 100644
index 0000000..7fdd929
--- /dev/null
+++ b/moved.tf
@@ -0,0 +1,4 @@
+moved {
+ from = tfe_team_access.defautl
+ to = tfe_team_access.default
+}
diff --git a/variables.tf b/variables.tf
index eaede3e..b74a729 100644
--- a/variables.tf
+++ b/variables.tf
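Review bot: Keying `tfe_team_access.default` by team name changes the instance key of every existing entry, and the `moved` block in moved.tf only renames the resource, so a caller whose old `team_access` map was keyed by anything other than the team's exact name will presumably see its grants destroyed and recreated on the next apply; that deserves a comment on the `for_each`, e.g. `# keys are team names; changing a key (or renaming the team in TFE) replaces the grant`. Because `data.tfe_team.default` resolves names at plan time, a missing or renamed team fails the plan rather than silently dropping the grant, which is the right fail-closed behaviour for access control and worth stating on the data source. A short comment on the `dynamic "permissions"` block noting that `access` and `permissions` are mutually exclusive, with the check living in the `team_access` validation in variables.tf, would also help, since nothing in this file indicates it.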
@@ -155,11 +155,23 @@ variable "ssh_key_id" { variable "team_access" { type = map(object({ - access = string, - team_id = string, + access = optional(string, null), + permissions = optional(object({ + run_tasks = bool + runs = string + sentinel_mocks = string + state_versions = string + variables = string + workspace_locking = bool + }), null) })) default = {} - description = "An optional map with team IDs and workspace access to assign" + description = "Map of team names and either type of fixed access or custom permissions to assign" + + validation { + condition = alltrue([for o in var.team_access : !(o.access != null && o.permissions != null)]) + error_message = "Cannot use \"access\" and \"permissions\" keys together when specifying a team's access." + } } variable "terraform_version" {
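Review bot: The new validation only rejects an entry that sets both `access` and `permissions`; an entry that sets neither (both now default to `null`) passes and yields a `tfe_team_access` with no access level at all, which presumably surfaces only as a provider error at plan or apply time. Require exactly one instead: `condition = alltrue([for o in var.team_access : (o.access != null) != (o.permissions != null)])` with `error_message = "Exactly one of \"access\" or \"permissions\" must be set for each team."`. Nothing constrains the value of `access` either; a `contains(...)` check against the provider's documented fixed access levels (`read`, `plan`, `write`, `admin`) would turn a typo into a plan-time error rather than a late failure against the API. The closing brace of the `team_access` variable is inside the hunk, so the validation block can be extended in place.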
"modules"
]