Auto generate the permissions pages.

2 years ago · 85a72d357a
parent 8b90efcde3
commit 85a72d357a
3 changed files with 318 additions and 726 deletions
--- a/internal/types/action/registrar.go
+++ b/internal/types/action/registrar.go
@ -71,3 +71,23 @@ func ActionSetForResource(r resource.Type) (ActionSet, error) {
 	}
 	return a.valid, nil
 }
+
+// CollectionActionSetForResource returns the collection ActionSet registered
+// for r or an error if r has not been registered.
+func CollectionActionSetForResource(r resource.Type) (ActionSet, error) {
+	a, err := byResourceRegistrar.get(r)
+	if err != nil {
+		return nil, err
+	}
+	return a.collection, nil
+}
+
+// IdActionSetForResource returns the individual ActionSet registered
+// for r or an error if r has not been registered.
+func IdActionSetForResource(r resource.Type) (ActionSet, error) {
+	a, err := byResourceRegistrar.get(r)
+	if err != nil {
+		return nil, err
+	}
+	return a.individual, nil
+}
--- a/internal/website/permstable/permstable.go
+++ b/internal/website/permstable/permstable.go
@ -6,8 +6,15 @@ package main
 import (
 	"fmt"
 	"os"
+	"slices"
 	"sort"
 	"strings"
+
+	// Import the ratelimiter logic for the side effect of getting all service
+	// handlers imported and their resources and actions registered.
+	_ "github.com/hashicorp/boundary/internal/ratelimit"
+	"github.com/hashicorp/boundary/internal/types/action"
+	"github.com/hashicorp/boundary/internal/types/resource"
 )

 const permsFile = "website/content/docs/concepts/security/permissions/resource-table.mdx"
@ -49,24 +56,119 @@ var page = &Page{
 }

 func main() {
-	page.Resources = append(page.Resources,
-		account,
-		authMethod,
-		authToken,
-		group,
-		host,
-		hostCatalog,
-		hostSet,
-		managedGroup,
-		role,
-		scope,
-		session,
-		sessionRecording,
-		storageBucket,
-		target,
-		user,
-		worker,
-	)
+	var orderedResources []resource.Type
+	for _, res := range resource.Map {
+		orderedResources = append(orderedResources, res)
+	}
+	slices.SortFunc(orderedResources, func(a, b resource.Type) int {
+		return strings.Compare(a.String(), b.String())
+	})
+
+	for _, res := range orderedResources {
+		switch res {
+		case resource.Unknown, resource.All, resource.Controller:
+			continue
+		}
+		info := resources[res]
+
+		name := strings.Replace(res.String(), "-", " ", 1)
+		singularName := name
+		switch []rune(strings.ToLower(singularName))[0] {
+		case 'a', 'e', 'i', 'o', 'u':
+			singularName = "an " + singularName
+		default:
+			singularName = "a " + singularName
+		}
+
+		var pin string
+		if parent := resource.Parent(res); parent != res {
+			pin = parent.String()
+		}
+		collectionEndpoints := &Endpoint{
+			Path: fmt.Sprintf("/%s", res.PluralString()),
+			Params: map[string]string{
+				"Type": res.String(),
+			},
+		}
+		colActions, err := action.CollectionActionSetForResource(res)
+		if err != nil {
+			panic("This shouldn't happen!")
+		}
+		for a := range colActions {
+			examples := []string{
+				fmt.Sprintf("type=<type>;actions=%s", a.String()),
+			}
+			collectionEndpoints.Actions = append(collectionEndpoints.Actions, &Action{
+				Name:        a.String(),
+				Examples:    examples,
+				Description: info.description(a, singularName),
+			})
+		}
+		slices.SortFunc(collectionEndpoints.Actions, func(a, b *Action) int {
+			return strings.Compare(a.Name, b.Name)
+		})
+
+		idEndpoints := &Endpoint{
+			Path: fmt.Sprintf("/%s/<id>", res.PluralString()),
+			Params: map[string]string{
+				"ID":   "<id>",
+				"Type": res.String(),
+			},
+		}
+		if pin != "" {
+			idEndpoints.Params["Pin"] = fmt.Sprintf("<%s-id>", pin)
+		}
+		idActionSet, err := action.IdActionSetForResource(res)
+		if err != nil {
+			panic("This shouldn't happen!")
+		}
+		var idActions []action.Type
+		for a := range idActionSet {
+			idActions = append(idActions, a)
+		}
+
+		// Always put the first actions as Read, Update, Delete in that order
+		weighted := map[action.Type]int{
+			action.Read:   100,
+			action.Update: 90,
+			action.Delete: 80,
+		}
+		slices.SortFunc(idActions, func(a, b action.Type) int {
+			aWeight := weighted[a]
+			bWeight := weighted[b]
+			return strings.Compare(a.String(), b.String()) - aWeight + bWeight
+		})
+
+		fmt.Printf("======= Resource ======: %s\n", res.String())
+		for _, a := range idActions {
+			fmt.Printf("Action: %s\n", a.String())
+			if a == action.NoOp {
+				continue
+			}
+			examples := []string{
+				fmt.Sprintf("ids=<id>;actions=%s", a.String()),
+			}
+			if pin != "" {
+				examples = append(examples, fmt.Sprintf("ids=<pin>;type=<type>;actions=%s", a.String()))
+			}
+			idEndpoints.Actions = append(idEndpoints.Actions, &Action{
+				Name:        a.String(),
+				Examples:    examples,
+				Description: info.description(a, singularName),
+			})
+		}
+
+		pr := &Resource{
+			Type:   name,
+			Scopes: info.scopes,
+			Endpoints: []*Endpoint{
+				collectionEndpoints,
+				idEndpoints,
+			},
+		}
+
+		page.Resources = append(page.Resources, pr)
+	}

 	fileContents, err := os.ReadFile(permsFile)
 	if err != nil {
@ -217,10 +319,6 @@ func escape(s string) string {
 	return strings.Replace(ret, ">", "&gt;", -1)
 }

-func indent(num int) string {
-	return strings.Repeat(" ", num)
-}
-
 func sortedKeys(in map[string]string) []string {
 	out := make([]string, 0, len(in))
 	for k := range in {
@ -230,725 +328,139 @@ func sortedKeys(in map[string]string) []string {
 	return out
 }

-func lActions(typ string) []*Action {
-	listVersion := strings.TrimPrefix(strings.TrimPrefix(typ, "an "), "a ")
-	return []*Action{
-		{
-			Name:        "list",
-			Description: fmt.Sprintf("List %ss", listVersion),
-			Examples: []string{
-				"type=<type>;actions=list",
-			},
-		},
-	}
+type info struct {
+	scopes             []string
+	actionDescriptions map[action.Type]string
 }

-func clActions(typ string) []*Action {
-	return append([]*Action{
-		{
-			Name:        "create",
-			Description: fmt.Sprintf("Create %s", typ),
-			Examples: []string{
-				"type=<type>;actions=create",
-			},
-		},
-	}, lActions(typ)...)
-}
-
-func rudActions(typ string, pin bool) []*Action {
-	ret := []*Action{
-		{
-			Name:        "read",
-			Description: fmt.Sprintf("Read %s", typ),
-			Examples: []string{
-				"ids=<id>;actions=read",
-			},
-		},
-		{
-			Name:        "update",
-			Description: fmt.Sprintf("Update %s", typ),
-			Examples: []string{
-				"ids=<id>;actions=update",
-			},
-		},
-		{
-			Name:        "delete",
-			Description: fmt.Sprintf("Delete %s", typ),
-			Examples: []string{
-				"ids=<id>;actions=delete",
-			},
-		},
+func (i info) description(t action.Type, singleResourceName string) string {
+	if s, ok := i.actionDescriptions[t]; ok {
+		return s
 	}
-	if pin {
-		ret[0].Examples = append(ret[0].Examples, "ids=<pin>;type=<type>;actions=read")
-		ret[1].Examples = append(ret[1].Examples, "ids=<pin>;type=<type>;actions=update")
-		ret[2].Examples = append(ret[2].Examples, "ids=<pin>;type=<type>;actions=delete")
+	switch t {
+	case action.List:
+		singleResourceName := strings.TrimPrefix(strings.TrimPrefix(singleResourceName, "an "), "a ")
+		return fmt.Sprintf("List %ss", singleResourceName)
+	case action.Read:
+		return fmt.Sprintf("Read %s", singleResourceName)
+	case action.Update:
+		return fmt.Sprintf("Update %s", singleResourceName)
+	case action.Delete:
+		return fmt.Sprintf("Delete %s", singleResourceName)
+	case action.Create:
+		return fmt.Sprintf("Create %s", singleResourceName)
 	}
-
-	return ret
+	// TODO: Add something here which follows the template
+	// "Add Xs to an R"
+	// "Set the full set of Xs on an R"
+	// "Remove Xs from an R"
+	switch {
+	case strings.HasPrefix(t.String(), "add-"):
+	case strings.HasPrefix(t.String(), "set-"):
+	case strings.HasPrefix(t.String(), "remove-"):
+	}
+	return ""
 }

-var account = &Resource{
-	Type:   "Account",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/accounts",
-			Params: map[string]string{
-				"Type": "account",
-			},
-			Actions: clActions("an account"),
-		},
-		{
-			Path: "/accounts/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "account",
-				"Pin":  "<auth-method-id>",
-			},
-			Actions: append(
-				rudActions("an account", true),
-				&Action{
-					Name:        "set-password",
-					Description: "Set a password on an account, without requiring the current password",
-					Examples: []string{
-						"ids=<id>;actions=set-password",
-						"ids=<pin>;type=<type>;actions=set-password",
-					},
-				},
-				&Action{
-					Name:        "change-password",
-					Description: "Change a password on an account given the current password",
-					Examples: []string{
-						"ids=<id>;actions=change-password",
-						"ids=<pin>;type=<type>;actions=change-password",
-					},
-				},
-			),
+var resources = map[resource.Type]info{
+	resource.Account: {
+		scopes: iamScopes,
+		actionDescriptions: map[action.Type]string{
+			action.SetPassword:    "Set a password on an account, without requiring the current password",
+			action.ChangePassword: "Change a password on an account given the current password",
 		},
 	},
-}
-
-var authMethod = &Resource{
-	Type:   "Auth Method",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/auth-methods",
-			Params: map[string]string{
-				"Type": "auth-method",
-			},
-			Actions: clActions("an auth method"),
-		},
-		{
-			Path: "/auth-methods/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "auth-method",
-			},
-			Actions: append(
-				rudActions("an auth method", false),
-				&Action{
-					Name:        "authenticate",
-					Description: "Authenticate to an auth method",
-					Examples: []string{
-						"ids=<id>;actions=authenticate",
-					},
-				},
-			),
+	resource.AuthMethod: {
+		scopes: iamScopes,
+		actionDescriptions: map[action.Type]string{
+			action.Authenticate: "Authenticate to an auth method",
 		},
 	},
-}
-
-var authToken = &Resource{
-	Type:   "Auth Token",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/auth-tokens",
-			Params: map[string]string{
-				"Type": "auth-token",
-			},
-			Actions: []*Action{
-				{
-					Name:        "list",
-					Description: "List auth tokens",
-					Examples: []string{
-						"type=<type>;actions=list",
-					},
-				},
-			},
-		},
-		{
-			Path: "/auth-tokens/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "auth-token",
-			},
-			Actions: []*Action{
-				{
-					Name:        "read",
-					Description: "Read an auth token",
-					Examples: []string{
-						"ids=<id>;actions=read",
-					},
-				},
-				{
-					Name:        "delete",
-					Description: "Delete an auth token",
-					Examples: []string{
-						"ids=<id>;actions=delete",
-					},
-				},
-			},
-		},
+	resource.AuthToken: {
+		scopes: iamScopes,
 	},
-}
-
-var group = &Resource{
-	Type:   "Group",
-	Scopes: append(iamScopes, infraScope...),
-	Endpoints: []*Endpoint{
-		{
-			Path: "/groups",
-			Params: map[string]string{
-				"Type": "group",
-			},
-			Actions: clActions("a group"),
-		},
-		{
-			Path: "/groups/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "group",
-			},
-			Actions: append(
-				rudActions("a group", false),
-				&Action{
-					Name:        "add-members",
-					Description: "Add members to a group",
-					Examples: []string{
-						"ids=<id>;actions=add-members",
-					},
-				},
-				&Action{
-					Name:        "set-members",
-					Description: "Set the full set of members on a group",
-					Examples: []string{
-						"ids=<id>;actions=set-members",
-					},
-				},
-				&Action{
-					Name:        "remove-members",
-					Description: "Remove members from a group",
-					Examples: []string{
-						"ids=<id>;actions=remove-members",
-					},
-				},
-			),
+	resource.Group: {
+		scopes: append(iamScopes, infraScope...),
+		actionDescriptions: map[action.Type]string{
+			action.AddMembers:    "Add members to a group",
+			action.SetMembers:    "Set the full set of members on a group",
+			action.RemoveMembers: "Remove members from a group",
 		},
 	},
-}
-
-var host = &Resource{
-	Type:   "Host",
-	Scopes: infraScope,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/hosts",
-			Params: map[string]string{
-				"Type": "host",
-			},
-			Actions: clActions("a host"),
-		},
-		{
-			Path: "/hosts/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "host",
-				"Pin":  "<host-catalog-id>",
-			},
-			Actions: rudActions("a host", true),
-		},
+	resource.Host: {
+		scopes: infraScope,
 	},
-}
-
-var hostCatalog = &Resource{
-	Type:   "Host Catalog",
-	Scopes: infraScope,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/host-catalogs",
-			Params: map[string]string{
-				"Type": "host-catalog",
-			},
-			Actions: clActions("a host catalog"),
-		},
-		{
-			Path: "/host-catalogs/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "host-catalog",
-			},
-			Actions: rudActions("a host catalog", false),
-		},
+	resource.HostCatalog: {
+		scopes: infraScope,
 	},
-}
-
-var hostSet = &Resource{
-	Type:   "Host Set",
-	Scopes: infraScope,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/host-sets",
-			Params: map[string]string{
-				"Type": "host-set",
-			},
-			Actions: clActions("a host set"),
-		},
-		{
-			Path: "/host-sets/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "host-set",
-				"Pin":  "<host-catalog-id>",
-			},
-			Actions: append(
-				rudActions("a host set", true),
-				&Action{
-					Name:        "add-hosts",
-					Description: "Add hosts to a host-set",
-					Examples: []string{
-						"ids=<id>;actions=add-hosts",
-						"ids=<pin>;type=<type>;actions=add-hosts",
-					},
-				},
-				&Action{
-					Name:        "set-hosts",
-					Description: "Set the full set of hosts on a host set",
-					Examples: []string{
-						"ids=<id>;actions=set-hosts",
-						"ids=<pin>;type=<type>;actions=set-hosts",
-					},
-				},
-				&Action{
-					Name:        "remove-hosts",
-					Description: "Remove hosts from a host set",
-					Examples: []string{
-						"ids=<id>;actions=remove-hosts",
-						"ids=<pin>;type=<type>;actions=remove-hosts",
-					},
-				},
-			),
+	resource.HostSet: {
+		scopes: infraScope,
+		actionDescriptions: map[action.Type]string{
+			action.AddHosts:    "Add hosts to a host-set",
+			action.SetHosts:    "Set the full set of hosts on a host set",
+			action.RemoveHosts: "Remove hosts from a host set",
 		},
 	},
-}
-
-var managedGroup = &Resource{
-	Type:   "Managed Group",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/managed-groups",
-			Params: map[string]string{
-				"Type": "managed-group",
-			},
-			Actions: clActions("a managed group"),
-		},
-		{
-			Path: "/managed-groups/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "managed-group",
-				"Pin":  "<auth-method-id>",
-			},
-			Actions: rudActions("a managed group", true),
-		},
+	resource.ManagedGroup: {
+		scopes: iamScopes,
 	},
-}
-
-var role = &Resource{
-	Type:   "Role",
-	Scopes: append(iamScopes, infraScope...),
-	Endpoints: []*Endpoint{
-		{
-			Path: "/roles",
-			Params: map[string]string{
-				"Type": "role",
-			},
-			Actions: clActions("a role"),
-		},
-		{
-			Path: "/roles/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "role",
-			},
-			Actions: append(
-				rudActions("a role", false),
-				&Action{
-					Name:        "add-principals",
-					Description: "Add principals to a role",
-					Examples: []string{
-						"ids=<id>;actions=add-principals",
-					},
-				},
-				&Action{
-					Name:        "set-principals",
-					Description: "Set the full set of principals on a role",
-					Examples: []string{
-						"ids=<id>;actions=set-principals",
-					},
-				},
-				&Action{
-					Name:        "remove-principals",
-					Description: "Remove principals from a role",
-					Examples: []string{
-						"ids=<id>;actions=remove-principals",
-					},
-				},
-				&Action{
-					Name:        "add-grants",
-					Description: "Add grants to a role",
-					Examples: []string{
-						"ids=<id>;actions=add-grants",
-					},
-				},
-				&Action{
-					Name:        "set-grants",
-					Description: "Set the full set of grants on a role",
-					Examples: []string{
-						"ids=<id>;actions=set-grants",
-					},
-				},
-				&Action{
-					Name:        "remove-grants",
-					Description: "Remove grants from a role",
-					Examples: []string{
-						"ids=<id>;actions=remove-grants",
-					},
-				},
-			),
+	resource.Role: {
+		scopes: append(iamScopes, infraScope...),
+		actionDescriptions: map[action.Type]string{
+			action.AddPrincipals:    "Add principals to a role",
+			action.SetPrincipals:    "Set the full set of principals on a role",
+			action.RemovePrincipals: "Remove principals from a role",
+			action.AddGrants:        "Add grants to a role",
+			action.SetGrants:        "Set the full set of grants on a role",
+			action.RemoveGrants:     "Remove grants from a role",
 		},
 	},
-}
-
-var scope = &Resource{
-	Type:   "Scope",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/scopes",
-			Params: map[string]string{
-				"Type": "scope",
-			},
-			Actions: clActions("a scope"),
-		},
-		{
-			Path: "/scopes/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "scope",
-			},
-			Actions: rudActions("a scope", false),
-		},
+	resource.Scope: {
+		scopes: iamScopes,
 	},
-}
-
-var session = &Resource{
-	Type:   "Session",
-	Scopes: infraScope,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/sessions",
-			Params: map[string]string{
-				"Type": "session",
-			},
-			Actions: []*Action{
-				{
-					Name:        "list",
-					Description: "List sessions",
-					Examples: []string{
-						"type=<type>;actions=list",
-					},
-				},
-			},
-		},
-		{
-			Path: "/session/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "session",
-			},
-			Actions: []*Action{
-				{
-					Name:        "read",
-					Description: "Read a session",
-					Examples: []string{
-						"ids=<id>;actions=read",
-					},
-				},
-				{
-					Name:        "cancel",
-					Description: "Cancel a session",
-					Examples: []string{
-						"ids=<id>;actions=cancel",
-					},
-				},
-				{
-					Name:        "read:self",
-					Description: "Read a session, which must be associated with the calling user",
-					Examples: []string{
-						"ids=*;type=session;actions=read:self",
-					},
-				},
-				{
-					Name:        "cancel:self",
-					Description: "Cancel a session, which must be associated with the calling user",
-					Examples: []string{
-						"ids=*;type=session;actions=cancel:self",
-					},
-				},
-			},
+	resource.Session: {
+		scopes: infraScope,
+		actionDescriptions: map[action.Type]string{
+			action.Cancel:     "Cancel a session",
+			action.CancelSelf: "Cancel a session, which must be associated with the calling user",
+			action.ReadSelf:   "Read a session, which must be associated with the calling user",
 		},
 	},
-}
-
-var sessionRecording = &Resource{
-	Type:   "Session Recording",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/session-recordings",
-			Params: map[string]string{
-				"Type": "session-recording",
-			},
-			Actions: []*Action{
-				{
-					Name:        "list",
-					Description: "List session recordings",
-					Examples: []string{
-						"type=<type>;actions=list",
-					},
-				},
-			},
-		},
-		{
-			Path: "/session-recordings/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "session-recording",
-			},
-			Actions: []*Action{
-				{
-					Name:        "read",
-					Description: "Read a session recording",
-					Examples: []string{
-						"ids=<id>;actions=read",
-					},
-				},
-				{
-					Name:        "download",
-					Description: "Download a session recording",
-					Examples: []string{
-						"ids=<id>;actions=download",
-					},
-				},
-				{
-					Name:        "reapply-storage-policy",
-					Description: "Reapply the storage policy to a session recording",
-					Examples: []string{
-						"ids=<id>;actions=reapply-storage-policy",
-					},
-				},
-				{
-					Name:        "delete",
-					Description: "Delete a session recording",
-					Examples: []string{
-						"ids=<id>;actions=delete",
-					},
-				},
-			},
+	resource.SessionRecording: {
+		scopes: iamScopes,
+		actionDescriptions: map[action.Type]string{
+			action.Download:             "Download a session recording",
+			action.ReApplyStoragePolicy: "Reapply the storage policy to a session recording",
 		},
 	},
-}
-
-var storageBucket = &Resource{
-	Type:   "Storage Bucket",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/storage-buckets",
-			Params: map[string]string{
-				"Type": "storage-bucket",
-			},
-			Actions: clActions("a storage bucket"),
-		},
-		{
-			Path: "/storage-buckets/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "storage-bucket",
-			},
-			Actions: rudActions("a storage bucket", false),
-		},
+	resource.StorageBucket: {
+		scopes: iamScopes,
 	},
-}
-
-var target = &Resource{
-	Type:   "Target",
-	Scopes: infraScope,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/targets",
-			Params: map[string]string{
-				"Type": "target",
-			},
-			Actions: clActions("a target"),
-		},
-		{
-			Path: "/targets/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "target",
-			},
-			Actions: append(
-				rudActions("a target", false),
-				&Action{
-					Name:        "add-host-sources",
-					Description: "Add host sources to a target",
-					Examples: []string{
-						"ids=<id>;actions=add-host-sources",
-					},
-				},
-				&Action{
-					Name:        "set-host-sources",
-					Description: "Set the full set of host sources on a target",
-					Examples: []string{
-						"ids=<id>;actions=set-host-sources",
-					},
-				},
-				&Action{
-					Name:        "remove-host-sources",
-					Description: "Remove host sources from a target",
-					Examples: []string{
-						"ids=<id>;actions=remove-host-sources",
-					},
-				},
-				&Action{
-					Name:        "add-credential-sources",
-					Description: "Add credential sources to a target",
-					Examples: []string{
-						"ids=<id>;actions=add-credential-sources",
-					},
-				},
-				&Action{
-					Name:        "set-credential-sources",
-					Description: "Set the full set of credential sources on a target",
-					Examples: []string{
-						"ids=<id>;actions=set-credential-sources",
-					},
-				},
-				&Action{
-					Name:        "remove-credential-sources",
-					Description: "Remove credential sources from a target",
-					Examples: []string{
-						"ids=<id>;actions=remove-credential-sources",
-					},
-				},
-				&Action{
-					Name:        "authorize-session",
-					Description: "Authorize a session via the target",
-					Examples: []string{
-						"ids=<id>;actions=authorize-session",
-					},
-				},
-			),
+	resource.Target: {
+		scopes: infraScope,
+		actionDescriptions: map[action.Type]string{
+			action.AddHostSources:          "Add host sources to a target",
+			action.SetHostSources:          "Set the full set of host sources on a target",
+			action.RemoveHostSources:       "Remove host sources from a target",
+			action.AddCredentialSources:    "Add credential sources to a target",
+			action.SetCredentialSources:    "Set the full set of credential sources on a target",
+			action.RemoveCredentialSources: "Remove credential sources from a target",
+			action.AuthorizeSession:        "Authorize a session via the target",
 		},
 	},
-}
-
-var user = &Resource{
-	Type:   "User",
-	Scopes: iamScopes,
-	Endpoints: []*Endpoint{
-		{
-			Path: "/users",
-			Params: map[string]string{
-				"Type": "user",
-			},
-			Actions: clActions("a user"),
-		},
-		{
-			Path: "/users/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "user",
-			},
-			Actions: append(
-				rudActions("a user", false),
-				&Action{
-					Name:        "add-accounts",
-					Description: "Add accounts to a user",
-					Examples: []string{
-						"ids=<id>;actions=add-accounts",
-					},
-				},
-				&Action{
-					Name:        "set-accounts",
-					Description: "Set the full set of accounts on a user",
-					Examples: []string{
-						"ids=<id>;actions=set-accounts",
-					},
-				},
-				&Action{
-					Name:        "remove-accounts",
-					Description: "Remove accounts from a user",
-					Examples: []string{
-						"ids=<id>;actions=remove-accounts",
-					},
-				},
-			),
+	resource.User: {
+		scopes: iamScopes,
+		actionDescriptions: map[action.Type]string{
+			action.AddAccounts:    "Add accounts to a user",
+			action.SetAccounts:    "Set the full set of accounts on a user",
+			action.RemoveAccounts: "Remove accounts from a user",
 		},
 	},
-}
-
-var worker = &Resource{
-	Type:   "Worker",
-	Scopes: []string{"Global"},
-	Endpoints: []*Endpoint{
-		{
-			Path: "/workers",
-			Params: map[string]string{
-				"Type": "worker",
-			},
-			Actions: append(
-				lActions("a worker"),
-				&Action{
-					Name:        "create:controller-led",
-					Description: "Create a worker using the controller-led workflow",
-					Examples: []string{
-						"type=<type>;actions=create",
-						"type=<type>;actions=create:controller-led",
-					},
-				},
-				&Action{
-					Name:        "create:worker-led",
-					Description: "Create a worker using the worker-led workflow",
-					Examples: []string{
-						"type=<type>;actions=create",
-						"type=<type>;actions=create:worker-led",
-					},
-				},
-			),
-		},
-		{
-			Path: "/workers/<id>",
-			Params: map[string]string{
-				"ID":   "<id>",
-				"Type": "worker",
-			},
-			Actions: rudActions("a worker", false),
+	resource.Worker: {
+		scopes: []string{"Global"},
+		actionDescriptions: map[action.Type]string{
+			action.CreateControllerLed: "Create a worker using the controller-led workflow",
+			action.CreateWorkerLed:     "Create a worker using the worker-led workflow",
 		},
 	},
 }
--- a/website/content/docs/concepts/security/permissions/resource-table.mdx
+++ b/website/content/docs/concepts/security/permissions/resource-table.mdx
@ -19,13 +19,19 @@ Refer to the tables for more information about the following resource types:
 <!-- BEGIN TABLE -->

 - [Account](#account)
+- [Alias](#alias)
 - [Auth method](#auth-method)
 - [Auth token](#auth-token)
+- [Billing](#billing)
+- [Credential](#credential)
+- [Credential library](#credential-library)
+- [Credential store](#credential-store)
 - [Group](#group)
 - [Host](#host)
 - [Host catalog](#host-catalog)
 - [Host set](#host-set)
 - [Managed group](#managed-group)
+- [Policy](#policy)
 - [Role](#role)
 - [Scope](#scope)
 - [Session](#session)
@ -42,7 +48,16 @@ The **Account** resource type supports the following scopes: **Global**, **Org**
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/accounts</code> | <ul><li>Type</li><ul><li><code>account</code></li></ul></ul> | <ul><li><code>create</code>: Create an account</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List accounts</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/accounts/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Pin</li><ul><li><code>&lt;auth-method-id&gt;</code></li></ul><li>Type</li><ul><li><code>account</code></li></ul></ul> | <ul><li><code>read</code>: Read an account</li><ul><li>`ids=<id>;actions=read`</li><li>`ids=<pin>;type=<type>;actions=read`</li></ul><li><code>update</code>: Update an account</li><ul><li>`ids=<id>;actions=update`</li><li>`ids=<pin>;type=<type>;actions=update`</li></ul><li><code>delete</code>: Delete an account</li><ul><li>`ids=<id>;actions=delete`</li><li>`ids=<pin>;type=<type>;actions=delete`</li></ul><li><code>set-password</code>: Set a password on an account, without requiring the current password</li><ul><li>`ids=<id>;actions=set-password`</li><li>`ids=<pin>;type=<type>;actions=set-password`</li></ul><li><code>change-password</code>: Change a password on an account given the current password</li><ul><li>`ids=<id>;actions=change-password`</li><li>`ids=<pin>;type=<type>;actions=change-password`</li></ul></ul> |
+| <code>/accounts/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Pin</li><ul><li><code>&lt;auth-method-id&gt;</code></li></ul><li>Type</li><ul><li><code>account</code></li></ul></ul> | <ul><li><code>read</code>: Read an account</li><ul><li>`ids=<id>;actions=read`</li><li>`ids=<pin>;type=<type>;actions=read`</li></ul><li><code>update</code>: Update an account</li><ul><li>`ids=<id>;actions=update`</li><li>`ids=<pin>;type=<type>;actions=update`</li></ul><li><code>delete</code>: Delete an account</li><ul><li>`ids=<id>;actions=delete`</li><li>`ids=<pin>;type=<type>;actions=delete`</li></ul><li><code>change-password</code>: Change a password on an account given the current password</li><ul><li>`ids=<id>;actions=change-password`</li><li>`ids=<pin>;type=<type>;actions=change-password`</li></ul><li><code>set-password</code>: Set a password on an account, without requiring the current password</li><ul><li>`ids=<id>;actions=set-password`</li><li>`ids=<pin>;type=<type>;actions=set-password`</li></ul></ul> |
+
+## Alias
+
+The **Alias** resource type supports the following scopes: 
+
+| API endpoint | Parameters into permissions engine | Available actions / examples |
+| ------------ | ---------------------------------- | ---------------------------- |
+| <code>/aliases</code> | <ul><li>Type</li><ul><li><code>alias</code></li></ul></ul> | <ul><li><code>create</code>: Create an alias</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List aliass</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
+| <code>/aliases/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>alias</code></li></ul></ul> | <ul><li><code>read</code>: Read an alias</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update an alias</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete an alias</li><ul><li>`ids=<id>;actions=delete`</li></ul></ul> |

 ## Auth method

@ -51,7 +66,7 @@ The **Auth method** resource type supports the following scopes: **Global**, **O
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/auth-methods</code> | <ul><li>Type</li><ul><li><code>auth-method</code></li></ul></ul> | <ul><li><code>create</code>: Create an auth method</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List auth methods</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/auth-methods/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>auth-method</code></li></ul></ul> | <ul><li><code>read</code>: Read an auth method</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update an auth method</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete an auth method</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>authenticate</code>: Authenticate to an auth method</li><ul><li>`ids=<id>;actions=authenticate`</li></ul></ul> |
+| <code>/auth-methods/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>auth-method</code></li></ul></ul> | <ul><li><code>read</code>: Read an auth method</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update an auth method</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete an auth method</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>authenticate</code>: Authenticate to an auth method</li><ul><li>`ids=<id>;actions=authenticate`</li></ul><li><code>change-state</code>: </li><ul><li>`ids=<id>;actions=change-state`</li></ul></ul> |

 ## Auth token

@ -60,7 +75,43 @@ The **Auth token** resource type supports the following scopes: **Global**, **Or
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/auth-tokens</code> | <ul><li>Type</li><ul><li><code>auth-token</code></li></ul></ul> | <ul><li><code>list</code>: List auth tokens</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/auth-tokens/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>auth-token</code></li></ul></ul> | <ul><li><code>read</code>: Read an auth token</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>delete</code>: Delete an auth token</li><ul><li>`ids=<id>;actions=delete`</li></ul></ul> |
+| <code>/auth-tokens/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>auth-token</code></li></ul></ul> | <ul><li><code>read</code>: Read an auth token</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>delete</code>: Delete an auth token</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>delete:self</code>: </li><ul><li>`ids=<id>;actions=delete:self`</li></ul><li><code>read:self</code>: </li><ul><li>`ids=<id>;actions=read:self`</li></ul></ul> |
+
+## Billing
+
+The **Billing** resource type supports the following scopes: 
+
+| API endpoint | Parameters into permissions engine | Available actions / examples |
+| ------------ | ---------------------------------- | ---------------------------- |
+| <code>/billing</code> | <ul><li>Type</li><ul><li><code>billing</code></li></ul></ul> | <ul><li><code>monthly-active-users</code>: </li><ul><li>`type=<type>;actions=monthly-active-users`</li></ul></ul> |
+| <code>/billing/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>billing</code></li></ul></ul> | <ul></ul> |
+
+## Credential
+
+The **Credential** resource type supports the following scopes: 
+
+| API endpoint | Parameters into permissions engine | Available actions / examples |
+| ------------ | ---------------------------------- | ---------------------------- |
+| <code>/credentials</code> | <ul><li>Type</li><ul><li><code>credential</code></li></ul></ul> | <ul><li><code>create</code>: Create a credential</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List credentials</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
+| <code>/credentials/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Pin</li><ul><li><code>&lt;credential-store-id&gt;</code></li></ul><li>Type</li><ul><li><code>credential</code></li></ul></ul> | <ul><li><code>read</code>: Read a credential</li><ul><li>`ids=<id>;actions=read`</li><li>`ids=<pin>;type=<type>;actions=read`</li></ul><li><code>update</code>: Update a credential</li><ul><li>`ids=<id>;actions=update`</li><li>`ids=<pin>;type=<type>;actions=update`</li></ul><li><code>delete</code>: Delete a credential</li><ul><li>`ids=<id>;actions=delete`</li><li>`ids=<pin>;type=<type>;actions=delete`</li></ul></ul> |
+
+## Credential library
+
+The **Credential library** resource type supports the following scopes: 
+
+| API endpoint | Parameters into permissions engine | Available actions / examples |
+| ------------ | ---------------------------------- | ---------------------------- |
+| <code>/credential-libraries</code> | <ul><li>Type</li><ul><li><code>credential-library</code></li></ul></ul> | <ul><li><code>create</code>: Create a credential library</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List credential librarys</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
+| <code>/credential-libraries/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Pin</li><ul><li><code>&lt;credential-store-id&gt;</code></li></ul><li>Type</li><ul><li><code>credential-library</code></li></ul></ul> | <ul><li><code>read</code>: Read a credential library</li><ul><li>`ids=<id>;actions=read`</li><li>`ids=<pin>;type=<type>;actions=read`</li></ul><li><code>update</code>: Update a credential library</li><ul><li>`ids=<id>;actions=update`</li><li>`ids=<pin>;type=<type>;actions=update`</li></ul><li><code>delete</code>: Delete a credential library</li><ul><li>`ids=<id>;actions=delete`</li><li>`ids=<pin>;type=<type>;actions=delete`</li></ul></ul> |
+
+## Credential store
+
+The **Credential store** resource type supports the following scopes: 
+
+| API endpoint | Parameters into permissions engine | Available actions / examples |
+| ------------ | ---------------------------------- | ---------------------------- |
+| <code>/credential-stores</code> | <ul><li>Type</li><ul><li><code>credential-store</code></li></ul></ul> | <ul><li><code>create</code>: Create a credential store</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List credential stores</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
+| <code>/credential-stores/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>credential-store</code></li></ul></ul> | <ul><li><code>read</code>: Read a credential store</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a credential store</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a credential store</li><ul><li>`ids=<id>;actions=delete`</li></ul></ul> |

 ## Group

@ -69,7 +120,7 @@ The **Group** resource type supports the following scopes: **Global**, **Org**,
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/groups</code> | <ul><li>Type</li><ul><li><code>group</code></li></ul></ul> | <ul><li><code>create</code>: Create a group</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List groups</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/groups/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>group</code></li></ul></ul> | <ul><li><code>read</code>: Read a group</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a group</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a group</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-members</code>: Add members to a group</li><ul><li>`ids=<id>;actions=add-members`</li></ul><li><code>set-members</code>: Set the full set of members on a group</li><ul><li>`ids=<id>;actions=set-members`</li></ul><li><code>remove-members</code>: Remove members from a group</li><ul><li>`ids=<id>;actions=remove-members`</li></ul></ul> |
+| <code>/groups/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>group</code></li></ul></ul> | <ul><li><code>read</code>: Read a group</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a group</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a group</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-members</code>: Add members to a group</li><ul><li>`ids=<id>;actions=add-members`</li></ul><li><code>remove-members</code>: Remove members from a group</li><ul><li>`ids=<id>;actions=remove-members`</li></ul><li><code>set-members</code>: Set the full set of members on a group</li><ul><li>`ids=<id>;actions=set-members`</li></ul></ul> |

 ## Host

@ -96,7 +147,7 @@ The **Host set** resource type supports the following scopes: **Project**
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/host-sets</code> | <ul><li>Type</li><ul><li><code>host-set</code></li></ul></ul> | <ul><li><code>create</code>: Create a host set</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List host sets</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/host-sets/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Pin</li><ul><li><code>&lt;host-catalog-id&gt;</code></li></ul><li>Type</li><ul><li><code>host-set</code></li></ul></ul> | <ul><li><code>read</code>: Read a host set</li><ul><li>`ids=<id>;actions=read`</li><li>`ids=<pin>;type=<type>;actions=read`</li></ul><li><code>update</code>: Update a host set</li><ul><li>`ids=<id>;actions=update`</li><li>`ids=<pin>;type=<type>;actions=update`</li></ul><li><code>delete</code>: Delete a host set</li><ul><li>`ids=<id>;actions=delete`</li><li>`ids=<pin>;type=<type>;actions=delete`</li></ul><li><code>add-hosts</code>: Add hosts to a host-set</li><ul><li>`ids=<id>;actions=add-hosts`</li><li>`ids=<pin>;type=<type>;actions=add-hosts`</li></ul><li><code>set-hosts</code>: Set the full set of hosts on a host set</li><ul><li>`ids=<id>;actions=set-hosts`</li><li>`ids=<pin>;type=<type>;actions=set-hosts`</li></ul><li><code>remove-hosts</code>: Remove hosts from a host set</li><ul><li>`ids=<id>;actions=remove-hosts`</li><li>`ids=<pin>;type=<type>;actions=remove-hosts`</li></ul></ul> |
+| <code>/host-sets/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Pin</li><ul><li><code>&lt;host-catalog-id&gt;</code></li></ul><li>Type</li><ul><li><code>host-set</code></li></ul></ul> | <ul><li><code>read</code>: Read a host set</li><ul><li>`ids=<id>;actions=read`</li><li>`ids=<pin>;type=<type>;actions=read`</li></ul><li><code>update</code>: Update a host set</li><ul><li>`ids=<id>;actions=update`</li><li>`ids=<pin>;type=<type>;actions=update`</li></ul><li><code>delete</code>: Delete a host set</li><ul><li>`ids=<id>;actions=delete`</li><li>`ids=<pin>;type=<type>;actions=delete`</li></ul><li><code>add-hosts</code>: Add hosts to a host-set</li><ul><li>`ids=<id>;actions=add-hosts`</li><li>`ids=<pin>;type=<type>;actions=add-hosts`</li></ul><li><code>remove-hosts</code>: Remove hosts from a host set</li><ul><li>`ids=<id>;actions=remove-hosts`</li><li>`ids=<pin>;type=<type>;actions=remove-hosts`</li></ul><li><code>set-hosts</code>: Set the full set of hosts on a host set</li><ul><li>`ids=<id>;actions=set-hosts`</li><li>`ids=<pin>;type=<type>;actions=set-hosts`</li></ul></ul> |

 ## Managed group

@ -107,6 +158,15 @@ The **Managed group** resource type supports the following scopes: **Global**, *
 | <code>/managed-groups</code> | <ul><li>Type</li><ul><li><code>managed-group</code></li></ul></ul> | <ul><li><code>create</code>: Create a managed group</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List managed groups</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
 | <code>/managed-groups/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Pin</li><ul><li><code>&lt;auth-method-id&gt;</code></li></ul><li>Type</li><ul><li><code>managed-group</code></li></ul></ul> | <ul><li><code>read</code>: Read a managed group</li><ul><li>`ids=<id>;actions=read`</li><li>`ids=<pin>;type=<type>;actions=read`</li></ul><li><code>update</code>: Update a managed group</li><ul><li>`ids=<id>;actions=update`</li><li>`ids=<pin>;type=<type>;actions=update`</li></ul><li><code>delete</code>: Delete a managed group</li><ul><li>`ids=<id>;actions=delete`</li><li>`ids=<pin>;type=<type>;actions=delete`</li></ul></ul> |

+## Policy
+
+The **Policy** resource type supports the following scopes: 
+
+| API endpoint | Parameters into permissions engine | Available actions / examples |
+| ------------ | ---------------------------------- | ---------------------------- |
+| <code>/policies</code> | <ul><li>Type</li><ul><li><code>policy</code></li></ul></ul> | <ul><li><code>create</code>: Create a policy</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List policys</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
+| <code>/policies/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>policy</code></li></ul></ul> | <ul><li><code>read</code>: Read a policy</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a policy</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a policy</li><ul><li>`ids=<id>;actions=delete`</li></ul></ul> |
+
 ## Role

 The **Role** resource type supports the following scopes: **Global**, **Org**, **Project**
@ -114,7 +174,7 @@ The **Role** resource type supports the following scopes: **Global**, **Org**, *
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/roles</code> | <ul><li>Type</li><ul><li><code>role</code></li></ul></ul> | <ul><li><code>create</code>: Create a role</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List roles</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/roles/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>role</code></li></ul></ul> | <ul><li><code>read</code>: Read a role</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a role</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a role</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-principals</code>: Add principals to a role</li><ul><li>`ids=<id>;actions=add-principals`</li></ul><li><code>set-principals</code>: Set the full set of principals on a role</li><ul><li>`ids=<id>;actions=set-principals`</li></ul><li><code>remove-principals</code>: Remove principals from a role</li><ul><li>`ids=<id>;actions=remove-principals`</li></ul><li><code>add-grants</code>: Add grants to a role</li><ul><li>`ids=<id>;actions=add-grants`</li></ul><li><code>set-grants</code>: Set the full set of grants on a role</li><ul><li>`ids=<id>;actions=set-grants`</li></ul><li><code>remove-grants</code>: Remove grants from a role</li><ul><li>`ids=<id>;actions=remove-grants`</li></ul></ul> |
+| <code>/roles/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>role</code></li></ul></ul> | <ul><li><code>read</code>: Read a role</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a role</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a role</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-grant-scopes</code>: </li><ul><li>`ids=<id>;actions=add-grant-scopes`</li></ul><li><code>add-grants</code>: Add grants to a role</li><ul><li>`ids=<id>;actions=add-grants`</li></ul><li><code>add-principals</code>: Add principals to a role</li><ul><li>`ids=<id>;actions=add-principals`</li></ul><li><code>remove-grant-scopes</code>: </li><ul><li>`ids=<id>;actions=remove-grant-scopes`</li></ul><li><code>remove-grants</code>: Remove grants from a role</li><ul><li>`ids=<id>;actions=remove-grants`</li></ul><li><code>remove-principals</code>: Remove principals from a role</li><ul><li>`ids=<id>;actions=remove-principals`</li></ul><li><code>set-grant-scopes</code>: </li><ul><li>`ids=<id>;actions=set-grant-scopes`</li></ul><li><code>set-grants</code>: Set the full set of grants on a role</li><ul><li>`ids=<id>;actions=set-grants`</li></ul><li><code>set-principals</code>: Set the full set of principals on a role</li><ul><li>`ids=<id>;actions=set-principals`</li></ul></ul> |

 ## Scope

@ -122,8 +182,8 @@ The **Scope** resource type supports the following scopes: **Global**, **Org**

 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
-| <code>/scopes</code> | <ul><li>Type</li><ul><li><code>scope</code></li></ul></ul> | <ul><li><code>create</code>: Create a scope</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List scopes</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/scopes/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>scope</code></li></ul></ul> | <ul><li><code>read</code>: Read a scope</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a scope</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a scope</li><ul><li>`ids=<id>;actions=delete`</li></ul></ul> |
+| <code>/scopes</code> | <ul><li>Type</li><ul><li><code>scope</code></li></ul></ul> | <ul><li><code>create</code>: Create a scope</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>destroy-key-version</code>: </li><ul><li>`type=<type>;actions=destroy-key-version`</li></ul><li><code>list</code>: List scopes</li><ul><li>`type=<type>;actions=list`</li></ul><li><code>list-key-version-destruction-jobs</code>: </li><ul><li>`type=<type>;actions=list-key-version-destruction-jobs`</li></ul><li><code>list-keys</code>: </li><ul><li>`type=<type>;actions=list-keys`</li></ul><li><code>rotate-keys</code>: </li><ul><li>`type=<type>;actions=rotate-keys`</li></ul></ul> |
+| <code>/scopes/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>scope</code></li></ul></ul> | <ul><li><code>read</code>: Read a scope</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a scope</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a scope</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>attach-storage-policy</code>: </li><ul><li>`ids=<id>;actions=attach-storage-policy`</li></ul><li><code>detach-storage-policy</code>: </li><ul><li>`ids=<id>;actions=detach-storage-policy`</li></ul></ul> |

 ## Session

@ -132,7 +192,7 @@ The **Session** resource type supports the following scopes: **Project**
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/sessions</code> | <ul><li>Type</li><ul><li><code>session</code></li></ul></ul> | <ul><li><code>list</code>: List sessions</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/session/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>session</code></li></ul></ul> | <ul><li><code>read</code>: Read a session</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>cancel</code>: Cancel a session</li><ul><li>`ids=<id>;actions=cancel`</li></ul><li><code>read:self</code>: Read a session, which must be associated with the calling user</li><ul><li>`ids=*;type=session;actions=read:self`</li></ul><li><code>cancel:self</code>: Cancel a session, which must be associated with the calling user</li><ul><li>`ids=*;type=session;actions=cancel:self`</li></ul></ul> |
+| <code>/sessions/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>session</code></li></ul></ul> | <ul><li><code>read</code>: Read a session</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>cancel</code>: Cancel a session</li><ul><li>`ids=<id>;actions=cancel`</li></ul><li><code>cancel:self</code>: Cancel a session, which must be associated with the calling user</li><ul><li>`ids=<id>;actions=cancel:self`</li></ul><li><code>read:self</code>: Read a session, which must be associated with the calling user</li><ul><li>`ids=<id>;actions=read:self`</li></ul></ul> |

 ## Session recording

@ -141,7 +201,7 @@ The **Session recording** resource type supports the following scopes: **Global*
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/session-recordings</code> | <ul><li>Type</li><ul><li><code>session-recording</code></li></ul></ul> | <ul><li><code>list</code>: List session recordings</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/session-recordings/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>session-recording</code></li></ul></ul> | <ul><li><code>read</code>: Read a session recording</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>download</code>: Download a session recording</li><ul><li>`ids=<id>;actions=download`</li></ul><li><code>reapply-storage-policy</code>: Reapply the storage policy to a session recording</li><ul><li>`ids=<id>;actions=reapply-storage-policy`</li></ul><li><code>delete</code>: Delete a session recording</li><ul><li>`ids=<id>;actions=delete`</li></ul></ul> |
+| <code>/session-recordings/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>session-recording</code></li></ul></ul> | <ul><li><code>read</code>: Read a session recording</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>delete</code>: Delete a session recording</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>download</code>: Download a session recording</li><ul><li>`ids=<id>;actions=download`</li></ul><li><code>reapply-storage-policy</code>: Reapply the storage policy to a session recording</li><ul><li>`ids=<id>;actions=reapply-storage-policy`</li></ul></ul> |

 ## Storage bucket

@ -159,7 +219,7 @@ The **Target** resource type supports the following scopes: **Project**
 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
 | <code>/targets</code> | <ul><li>Type</li><ul><li><code>target</code></li></ul></ul> | <ul><li><code>create</code>: Create a target</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List targets</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/targets/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>target</code></li></ul></ul> | <ul><li><code>read</code>: Read a target</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a target</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a target</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-host-sources</code>: Add host sources to a target</li><ul><li>`ids=<id>;actions=add-host-sources`</li></ul><li><code>set-host-sources</code>: Set the full set of host sources on a target</li><ul><li>`ids=<id>;actions=set-host-sources`</li></ul><li><code>remove-host-sources</code>: Remove host sources from a target</li><ul><li>`ids=<id>;actions=remove-host-sources`</li></ul><li><code>add-credential-sources</code>: Add credential sources to a target</li><ul><li>`ids=<id>;actions=add-credential-sources`</li></ul><li><code>set-credential-sources</code>: Set the full set of credential sources on a target</li><ul><li>`ids=<id>;actions=set-credential-sources`</li></ul><li><code>remove-credential-sources</code>: Remove credential sources from a target</li><ul><li>`ids=<id>;actions=remove-credential-sources`</li></ul><li><code>authorize-session</code>: Authorize a session via the target</li><ul><li>`ids=<id>;actions=authorize-session`</li></ul></ul> |
+| <code>/targets/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>target</code></li></ul></ul> | <ul><li><code>read</code>: Read a target</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a target</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a target</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-credential-sources</code>: Add credential sources to a target</li><ul><li>`ids=<id>;actions=add-credential-sources`</li></ul><li><code>add-host-sources</code>: Add host sources to a target</li><ul><li>`ids=<id>;actions=add-host-sources`</li></ul><li><code>authorize-session</code>: Authorize a session via the target</li><ul><li>`ids=<id>;actions=authorize-session`</li></ul><li><code>remove-credential-sources</code>: Remove credential sources from a target</li><ul><li>`ids=<id>;actions=remove-credential-sources`</li></ul><li><code>remove-host-sources</code>: Remove host sources from a target</li><ul><li>`ids=<id>;actions=remove-host-sources`</li></ul><li><code>set-credential-sources</code>: Set the full set of credential sources on a target</li><ul><li>`ids=<id>;actions=set-credential-sources`</li></ul><li><code>set-host-sources</code>: Set the full set of host sources on a target</li><ul><li>`ids=<id>;actions=set-host-sources`</li></ul></ul> |

 ## User

@ -167,8 +227,8 @@ The **User** resource type supports the following scopes: **Global**, **Org**

 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
-| <code>/users</code> | <ul><li>Type</li><ul><li><code>user</code></li></ul></ul> | <ul><li><code>create</code>: Create a user</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List users</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
-| <code>/users/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>user</code></li></ul></ul> | <ul><li><code>read</code>: Read a user</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a user</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a user</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-accounts</code>: Add accounts to a user</li><ul><li>`ids=<id>;actions=add-accounts`</li></ul><li><code>set-accounts</code>: Set the full set of accounts on a user</li><ul><li>`ids=<id>;actions=set-accounts`</li></ul><li><code>remove-accounts</code>: Remove accounts from a user</li><ul><li>`ids=<id>;actions=remove-accounts`</li></ul></ul> |
+| <code>/users</code> | <ul><li>Type</li><ul><li><code>user</code></li></ul></ul> | <ul><li><code>create</code>: Create an user</li><ul><li>`type=<type>;actions=create`</li></ul><li><code>list</code>: List users</li><ul><li>`type=<type>;actions=list`</li></ul></ul> |
+| <code>/users/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>user</code></li></ul></ul> | <ul><li><code>read</code>: Read an user</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update an user</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete an user</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-accounts</code>: Add accounts to a user</li><ul><li>`ids=<id>;actions=add-accounts`</li></ul><li><code>list-resolvable-aliases</code>: </li><ul><li>`ids=<id>;actions=list-resolvable-aliases`</li></ul><li><code>remove-accounts</code>: Remove accounts from a user</li><ul><li>`ids=<id>;actions=remove-accounts`</li></ul><li><code>set-accounts</code>: Set the full set of accounts on a user</li><ul><li>`ids=<id>;actions=set-accounts`</li></ul></ul> |

 ## Worker

@ -176,8 +236,8 @@ The **Worker** resource type supports the following scopes: **Global**

 | API endpoint | Parameters into permissions engine | Available actions / examples |
 | ------------ | ---------------------------------- | ---------------------------- |
-| <code>/workers</code> | <ul><li>Type</li><ul><li><code>worker</code></li></ul></ul> | <ul><li><code>list</code>: List workers</li><ul><li>`type=<type>;actions=list`</li></ul><li><code>create:controller-led</code>: Create a worker using the controller-led workflow</li><ul><li>`type=<type>;actions=create`</li><li>`type=<type>;actions=create:controller-led`</li></ul><li><code>create:worker-led</code>: Create a worker using the worker-led workflow</li><ul><li>`type=<type>;actions=create`</li><li>`type=<type>;actions=create:worker-led`</li></ul></ul> |
-| <code>/workers/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>worker</code></li></ul></ul> | <ul><li><code>read</code>: Read a worker</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a worker</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a worker</li><ul><li>`ids=<id>;actions=delete`</li></ul></ul> |
+| <code>/workers</code> | <ul><li>Type</li><ul><li><code>worker</code></li></ul></ul> | <ul><li><code>create:controller-led</code>: Create a worker using the controller-led workflow</li><ul><li>`type=<type>;actions=create:controller-led`</li></ul><li><code>create:worker-led</code>: Create a worker using the worker-led workflow</li><ul><li>`type=<type>;actions=create:worker-led`</li></ul><li><code>list</code>: List workers</li><ul><li>`type=<type>;actions=list`</li></ul><li><code>read-certificate-authority</code>: </li><ul><li>`type=<type>;actions=read-certificate-authority`</li></ul><li><code>reinitialize-certificate-authority</code>: </li><ul><li>`type=<type>;actions=reinitialize-certificate-authority`</li></ul></ul> |
+| <code>/workers/&lt;id&gt;</code> | <ul><li>ID</li><ul><li><code>&lt;id&gt;</code></li></ul><li>Type</li><ul><li><code>worker</code></li></ul></ul> | <ul><li><code>read</code>: Read a worker</li><ul><li>`ids=<id>;actions=read`</li></ul><li><code>update</code>: Update a worker</li><ul><li>`ids=<id>;actions=update`</li></ul><li><code>delete</code>: Delete a worker</li><ul><li>`ids=<id>;actions=delete`</li></ul><li><code>add-worker-tags</code>: </li><ul><li>`ids=<id>;actions=add-worker-tags`</li></ul><li><code>remove-worker-tags</code>: </li><ul><li>`ids=<id>;actions=remove-worker-tags`</li></ul><li><code>set-worker-tags</code>: </li><ul><li>`ids=<id>;actions=set-worker-tags`</li></ul></ul> |


 <!-- END TABLE -->