--- layout: docs page_title: Resource table description: |- Resource table --- # Resource tables The following tables work as a quick cheat sheet to help you manage your permissions. Note that the tables are not exhaustive; for brevity they do _not_ show wildcard or templated grant strings. Additionally, these tables do not include available output fields; see the [service documentation](/boundary/api-docs) for guidance. Refer to the tables for more information about the following resource types: - [Account](#account) - [Alias](#alias) - [Auth method](#auth-method) - [Auth token](#auth-token) - [Billing](#billing) - [Credential](#credential) - [Credential library](#credential-library) - [Credential store](#credential-store) - [Group](#group) - [Host](#host) - [Host catalog](#host-catalog) - [Host set](#host-set) - [Managed group](#managed-group) - [Policy](#policy) - [Role](#role) - [Scope](#scope) - [Session](#session) - [Session recording](#session-recording) - [Storage bucket](#storage-bucket) - [Target](#target) - [User](#user) - [Worker](#worker) ## Account The **Account** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /accounts |

Type

account

create: Create an account

`type=;actions=create`

list: List accounts

`type=;actions=list`

| | /accounts/<id> |

<id>

<auth-method-id>

Type

account

read: Read an account

`ids=;actions=read`
`ids=;type=;actions=read`

update: Update an account

`ids=;actions=update`
`ids=;type=;actions=update`

delete: Delete an account

`ids=;actions=delete`
`ids=;type=;actions=delete`

change-password: Change a password on an account given the current password

`ids=;actions=change-password`
`ids=;type=;actions=change-password`

set-password: Set a password on an account, without requiring the current password

`ids=;actions=set-password`
`ids=;type=;actions=set-password`

| ## Alias The **Alias** resource type supports the following scopes: **Global** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /aliases |

Type

alias

create: Create an alias

`type=;actions=create`

list: List aliass

`type=;actions=list`

| | /aliases/<id> |

<id>

Type

alias

read: Read an alias

`ids=;actions=read`

update: Update an alias

`ids=;actions=update`

delete: Delete an alias

`ids=;actions=delete`

| ## Auth method The **Auth method** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /auth-methods |

Type

auth-method

create: Create an auth method

`type=;actions=create`

list: List auth methods

`type=;actions=list`

| | /auth-methods/<id> |

<id>

Type

auth-method

read: Read an auth method

`ids=;actions=read`

update: Update an auth method

`ids=;actions=update`

delete: Delete an auth method

`ids=;actions=delete`

authenticate: Authenticate to an auth method

`ids=;actions=authenticate`

change-state:

`ids=;actions=change-state`

| ## Auth token The **Auth token** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /auth-tokens |

Type

auth-token

list: List auth tokens

`type=;actions=list`

| | /auth-tokens/<id> |

<id>

Type

auth-token

read: Read an auth token

`ids=;actions=read`

delete: Delete an auth token

`ids=;actions=delete`

delete:self:

`ids=;actions=delete:self`

read:self:

`ids=;actions=read:self`

| ## Billing | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /billing |

Type

billing

monthly-active-users:

`type=;actions=monthly-active-users`

| ## Credential The **Credential** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /credentials |

Type

credential

create: Create a credential

`type=;actions=create`

list: List credentials

`type=;actions=list`

| | /credentials/<id> |

<id>

<credential-store-id>

Type

credential

read: Read a credential

`ids=;actions=read`
`ids=;type=;actions=read`

update: Update a credential

`ids=;actions=update`
`ids=;type=;actions=update`

delete: Delete a credential

`ids=;actions=delete`
`ids=;type=;actions=delete`

| ## Credential library The **Credential library** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /credential-libraries |

Type

credential-library

create: Create a credential library

`type=;actions=create`

list: List credential librarys

`type=;actions=list`

| | /credential-libraries/<id> |

<id>

<credential-store-id>

Type

credential-library

read: Read a credential library

`ids=;actions=read`
`ids=;type=;actions=read`

update: Update a credential library

`ids=;actions=update`
`ids=;type=;actions=update`

delete: Delete a credential library

`ids=;actions=delete`
`ids=;type=;actions=delete`

| ## Credential store The **Credential store** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /credential-stores |

Type

credential-store

create: Create a credential store

`type=;actions=create`

list: List credential stores

`type=;actions=list`

| | /credential-stores/<id> |

<id>

Type

credential-store

read: Read a credential store

`ids=;actions=read`

update: Update a credential store

`ids=;actions=update`

delete: Delete a credential store

`ids=;actions=delete`

| ## Group The **Group** resource type supports the following scopes: **Global**, **Org**, **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /groups |

Type

group

create: Create a group

`type=;actions=create`

list: List groups

`type=;actions=list`

| | /groups/<id> |

<id>

Type

group

read: Read a group

`ids=;actions=read`

update: Update a group

`ids=;actions=update`

delete: Delete a group

`ids=;actions=delete`

add-members: Add members to a group

`ids=;actions=add-members`

remove-members: Remove members from a group

`ids=;actions=remove-members`

set-members: Set the full set of members on a group

`ids=;actions=set-members`

| ## Host The **Host** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /hosts |

Type

host

create: Create a host

`type=;actions=create`

list: List hosts

`type=;actions=list`

| | /hosts/<id> |

<id>

<host-catalog-id>

Type

host

read: Read a host

`ids=;actions=read`
`ids=;type=;actions=read`

update: Update a host

`ids=;actions=update`
`ids=;type=;actions=update`

delete: Delete a host

`ids=;actions=delete`
`ids=;type=;actions=delete`

| ## Host catalog The **Host catalog** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /host-catalogs |

Type

host-catalog

create: Create a host catalog

`type=;actions=create`

list: List host catalogs

`type=;actions=list`

| | /host-catalogs/<id> |

<id>

Type

host-catalog

read: Read a host catalog

`ids=;actions=read`

update: Update a host catalog

`ids=;actions=update`

delete: Delete a host catalog

`ids=;actions=delete`

| ## Host set The **Host set** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /host-sets |

Type

host-set

create: Create a host set

`type=;actions=create`

list: List host sets

`type=;actions=list`

| | /host-sets/<id> |

<id>

<host-catalog-id>

Type

host-set

read: Read a host set

`ids=;actions=read`
`ids=;type=;actions=read`

update: Update a host set

`ids=;actions=update`
`ids=;type=;actions=update`

delete: Delete a host set

`ids=;actions=delete`
`ids=;type=;actions=delete`

add-hosts: Add hosts to a host set

`ids=;actions=add-hosts`
`ids=;type=;actions=add-hosts`

remove-hosts: Remove hosts from a host set

`ids=;actions=remove-hosts`
`ids=;type=;actions=remove-hosts`

set-hosts: Set the full set of hosts on a host set

`ids=;actions=set-hosts`
`ids=;type=;actions=set-hosts`

| ## Managed group The **Managed group** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /managed-groups |

Type

managed-group

create: Create a managed group

`type=;actions=create`

list: List managed groups

`type=;actions=list`

| | /managed-groups/<id> |

<id>

<auth-method-id>

Type

managed-group

read: Read a managed group

`ids=;actions=read`
`ids=;type=;actions=read`

update: Update a managed group

`ids=;actions=update`
`ids=;type=;actions=update`

delete: Delete a managed group

`ids=;actions=delete`
`ids=;type=;actions=delete`

| ## Policy | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /policies |

Type

policy

create: Create a policy

`type=;actions=create`

list: List policys

`type=;actions=list`

| | /policies/<id> |

<id>

Type

policy

read: Read a policy

`ids=;actions=read`

update: Update a policy

`ids=;actions=update`

delete: Delete a policy

`ids=;actions=delete`

| ## Role The **Role** resource type supports the following scopes: **Global**, **Org**, **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /roles |

Type

role

create: Create a role

`type=;actions=create`

list: List roles

`type=;actions=list`

| | /roles/<id> |

<id>

Type

role

read: Read a role

`ids=;actions=read`

update: Update a role

`ids=;actions=update`

delete: Delete a role

`ids=;actions=delete`

add-grant-scopes: Add grant scopes to a role

`ids=;actions=add-grant-scopes`

add-grants: Add grants to a role

`ids=;actions=add-grants`

add-principals: Add principals to a role

`ids=;actions=add-principals`

remove-grant-scopes: Remove grant scopes from a role

`ids=;actions=remove-grant-scopes`

remove-grants: Remove grants from a role

`ids=;actions=remove-grants`

remove-principals: Remove principals from a role

`ids=;actions=remove-principals`

set-grant-scopes: Set the full set of grant scopes on a role

`ids=;actions=set-grant-scopes`

set-grants: Set the full set of grants on a role

`ids=;actions=set-grants`

set-principals: Set the full set of principals on a role

`ids=;actions=set-principals`

| ## Scope The **Scope** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /scopes |

Type

scope

create: Create a scope

`type=;actions=create`

destroy-key-version:

`type=;actions=destroy-key-version`

list: List scopes

`type=;actions=list`

list-key-version-destruction-jobs:

`type=;actions=list-key-version-destruction-jobs`

list-keys:

`type=;actions=list-keys`

rotate-keys:

`type=;actions=rotate-keys`

| | /scopes/<id> |

<id>

Type

scope

read: Read a scope

`ids=;actions=read`

update: Update a scope

`ids=;actions=update`

delete: Delete a scope

`ids=;actions=delete`

attach-storage-policy:

`ids=;actions=attach-storage-policy`

detach-storage-policy:

`ids=;actions=detach-storage-policy`

| ## Session The **Session** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /sessions |

Type

session

list: List sessions

`type=;actions=list`

| | /sessions/<id> |

<id>

Type

session

read: Read a session

`ids=;actions=read`

cancel: Cancel a session

`ids=;actions=cancel`

cancel:self: Cancel a session, which must be associated with the calling user

`ids=;actions=cancel:self`

read:self: Read a session, which must be associated with the calling user

`ids=;actions=read:self`

| ## Session recording The **Session recording** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /session-recordings |

Type

session-recording

list: List session recordings

`type=;actions=list`

| | /session-recordings/<id> |

<id>

Type

session-recording

read: Read a session recording

`ids=;actions=read`

delete: Delete a session recording

`ids=;actions=delete`

download: Download a session recording

`ids=;actions=download`

reapply-storage-policy: Reapply the storage policy to a session recording

`ids=;actions=reapply-storage-policy`

| ## Storage bucket The **Storage bucket** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /storage-buckets |

Type

storage-bucket

create: Create a storage bucket

`type=;actions=create`

list: List storage buckets

`type=;actions=list`

| | /storage-buckets/<id> |

<id>

Type

storage-bucket

read: Read a storage bucket

`ids=;actions=read`

update: Update a storage bucket

`ids=;actions=update`

delete: Delete a storage bucket

`ids=;actions=delete`

| ## Target The **Target** resource type supports the following scopes: **Project** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /targets |

Type

target

create: Create a target

`type=;actions=create`

list: List targets

`type=;actions=list`

| | /targets/<id> |

<id>

Type

target

read: Read a target

`ids=;actions=read`

update: Update a target

`ids=;actions=update`

delete: Delete a target

`ids=;actions=delete`

add-credential-sources: Add credential sources to a target

`ids=;actions=add-credential-sources`

add-host-sources: Add host sources to a target

`ids=;actions=add-host-sources`

authorize-session: Authorize a session via the target

`ids=;actions=authorize-session`

remove-credential-sources: Remove credential sources from a target

`ids=;actions=remove-credential-sources`

remove-host-sources: Remove host sources from a target

`ids=;actions=remove-host-sources`

set-credential-sources: Set the full set of credential sources on a target

`ids=;actions=set-credential-sources`

set-host-sources: Set the full set of host sources on a target

`ids=;actions=set-host-sources`

| ## User The **User** resource type supports the following scopes: **Global**, **Org** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /users |

Type

user

create: Create a user

`type=;actions=create`

list: List users

`type=;actions=list`

| | /users/<id> |

<id>

Type

user

read: Read a user

`ids=;actions=read`

update: Update a user

`ids=;actions=update`

delete: Delete a user

`ids=;actions=delete`

add-accounts: Add accounts to a user

`ids=;actions=add-accounts`

list-resolvable-aliases:

`ids=;actions=list-resolvable-aliases`

remove-accounts: Remove accounts from a user

`ids=;actions=remove-accounts`

set-accounts: Set the full set of accounts on a user

`ids=;actions=set-accounts`

| ## Worker The **Worker** resource type supports the following scopes: **Global** | API endpoint | Parameters into permissions engine | Available actions / examples | | ------------ | ---------------------------------- | ---------------------------- | | /workers |

Type

worker

create:controller-led: Create a worker using the controller-led workflow

`type=;actions=create:controller-led`
`type=;actions=create:controller-led`

create:worker-led: Create a worker using the worker-led workflow

`type=;actions=create:worker-led`
`type=;actions=create:worker-led`

list: List workers

`type=;actions=list`

read-certificate-authority:

`type=;actions=read-certificate-authority`

reinitialize-certificate-authority:

`type=;actions=reinitialize-certificate-authority`

| | /workers/<id> |

<id>

Type

worker

read: Read a worker

`ids=;actions=read`

update: Update a worker

`ids=;actions=update`

delete: Delete a worker

`ids=;actions=delete`

add-worker-tags: Add worker tags to a worker

`ids=;actions=add-worker-tags`

remove-worker-tags: Remove worker tags from a worker

`ids=;actions=remove-worker-tags`

set-worker-tags: Set the full set of worker tags on a worker

`ids=;actions=set-worker-tags`