From c01b8df2a35fe1fd6f4c8b972d1eb6cf9d2acfc8 Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Fri, 9 Feb 2024 11:24:56 -0500
Subject: [PATCH] docs: Clarify need for permissions to search (#4367)
* docs: Clarify need for permissions to search
* docs: List grants
---
website/content/docs/api-clients/client-cache.mdx | 9 +++++++++
website/content/docs/commands/daemon/add-token.mdx | 10 ++++++++++
2 files changed, 19 insertions(+)
diff --git a/website/content/docs/api-clients/client-cache.mdx b/website/content/docs/api-clients/client-cache.mdx
index 2c041b2588..7a2a5a3877 100644
--- a/website/content/docs/api-clients/client-cache.mdx
+++ b/website/content/docs/api-clients/client-cache.mdx
@@ -23,6 +23,15 @@ When you use the `search` command, however, Boundary searches the local cache to
For more information, refer to the [`search`](/boundary/docs/commands/search) command documentation.
+
+
+The `search` operation only displays the resources that you have read permissions to view.
+If you are logged in as a user who does not have the permissions to view a resource, it does not display in the list of results.
+
+For more information, refer to [Identity and access management (IAM)](/boundary/docs/concepts/iam).
+
+
+
## Client cache management
The Boundary client daemon starts automatically in the background when a user runs a CLI command that interacts with a Boundary instance.
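Review bot: The first added sentence says "read permissions" without naming a grant, while the matching note added to add-token.mdx in this same patch says only "permissions" and names `read` or `read:self` for the auth token. Use the same wording in both notes, and either state here which grant on a resource makes it appear in `search` results or say that the linked IAM page defines it. In the second added sentence, "it does not display" has an ambiguous subject; "that resource does not appear in the search results" reads more clearly.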
diff --git a/website/content/docs/commands/daemon/add-token.mdx b/website/content/docs/commands/daemon/add-token.mdx
index dc06a08854..3e8c501911 100644
--- a/website/content/docs/commands/daemon/add-token.mdx
+++ b/website/content/docs/commands/daemon/add-token.mdx
@@ -17,6 +17,16 @@ If you authenticate to multiple Boundary instances, the client cache stores mult
By adding auth tokens to your client cache, you can select which specific Boundary instance you want to search.
+
+
+The `search` operation only displays the resources that you have permissions to view.
+You must have the `read` or `read:self` grant on the auth token to successfully add it.
+If you are logged in as a user who does not have the permissions to view a resource, it does not display in the list of results.
+
+For more information, refer to [Identity and access management (IAM)](/boundary/docs/concepts/iam).
+
+
+
## Examples
The following command adds an auth token to the client cache from your keyring:
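Review bot: The `read` or `read:self` requirement on the second added line is a precondition of `add-token` itself, but it sits between two sentences about which resources `search` displays, so a reader looking for why the command failed can miss it. Move it into its own paragraph ahead of the search-visibility text, reword "to successfully add it" as "to add it to the client cache", and say what the command does when the grant is missing. The first and third added sentences also say nearly the same thing, so one of them can be dropped.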