Permissions Reference
This page is auto-generated. Do not edit manually — run
pnpm generate-permissions-pageto regenerate.
Complete list of all IAM permission actions, grouped by module. Use these strings in the action field of a policy statement.
See IAM & Policies for how policies are evaluated.
Actors
| Permission | Description |
|---|---|
actors:ListActors | List actors in a project |
actors:CreateActor | Create a new actor |
actors:GetActor | Get an actor by ID |
actors:UpdateActor | Update an actor |
actors:DeleteActor | Delete an actor |
Agents
| Permission | Description |
|---|---|
agents:CreateAgent | Create a new agent |
agents:ListAgents | List agents in a project |
agents:GetAgent | Get an agent by ID |
agents:UpdateAgent | Update an agent |
agents:DeleteAgent | Delete an agent |
agents:CreateAgentGeneration | Run a generation for an agent |
agents:CreateAgentGeneration | Submit tool outputs to resume a paused generation |
Ai Providers
| Permission | Description |
|---|---|
ai-providers:ListAiProviders | List AI providers in a project |
ai-providers:CreateAiProvider | Create an AI provider |
ai-providers:GetAiProvider | Get an AI provider by ID |
ai-providers:UpdateAiProvider | Update an AI provider |
ai-providers:DeleteAiProvider | Delete an AI provider |
ai-providers:GetAiProviderPrices | List per-provider price overrides for an AI provider |
ai-providers:ManageAiProviderPrices | Upsert per-provider price overrides for an AI provider |
Api Keys
| Permission | Description |
|---|---|
api-keys:ListApiKeys | List API keys owned by the caller |
api-keys:CreateApiKey | Create a new API key |
api-keys:GetApiKey | Get an API key by ID (owner only) |
api-keys:UpdateApiKey | Update an API key's policy (owner only) |
api-keys:DeleteApiKey | Delete an API key (owner only) |
Chats
| Permission | Description |
|---|---|
chats:CreateChat | Create a new chat |
chats:ListChats | List chats in a project |
chats:GetChat | Get a chat by ID |
chats:DeleteChat | Delete a chat |
chats:CreateChatCompletionForChat | Generate a chat completion within a stored chat |
chats:CreateChatCompletion | Generate a stateless chat completion |
Conversations
| Permission | Description |
|---|---|
conversations:ListConversations | List conversations in a project |
conversations:CreateConversation | Create a new conversation |
conversations:GetConversation | Get a conversation by ID |
conversations:UpdateConversation | Update a conversation's status |
conversations:DeleteConversation | Delete a conversation |
conversations:GetConversation | List messages in a conversation |
conversations:UpdateConversation | Add a message to a conversation |
conversations:UpdateConversation | Remove a message from a conversation |
conversations:GenerateConversationMessage | Generate the next message in a conversation |
Discussions
| Permission | Description |
|---|---|
discussions:ListDiscussions | List discussions in a project |
discussions:CreateDiscussion | Create a new discussion |
discussions:GetDiscussion | Get a discussion by ID |
discussions:UpdateDiscussion | Update a discussion |
discussions:DeleteDiscussion | Delete a discussion |
discussions:CreateDiscussionRun | Invoke a discussion, creating a run |
discussions:ListDiscussionRuns | List the runs of a discussion |
discussions:GetDiscussionRun | Get a discussion run by ID |
Documents
| Permission | Description |
|---|---|
documents:ListDocuments | List documents in a project |
documents:CreateDocument | Create a new document |
documents:GetDocument | Get a document by ID |
documents:GetDocument | Get a document's lightweight ingestion status |
documents:UpdateDocument | Update a document |
documents:DeleteDocument | Delete a document |
documents:IngestDocument | Ingest a file (PDF or text) into a chunked document |
documents:IngestDocument | Re-ingest an existing document from its source file |
Resource Identifiers
| Pattern | Description |
|---|---|
soat:{project_id}:document:{id} | Specific document by ID |
soat:{project_id}:document:{path} | Document at a logical path |
soat:{project_id}:document:/prefix/* | All documents under a path prefix |
soat:{project_id}:document:* | All documents in a project |
Embeddings
| Permission | Description |
|---|---|
embeddings:CreateEmbeddings | Generate text embeddings using the server's embedding model |
Files
| Permission | Description |
|---|---|
files:GetFile | List files in a project |
files:CreateFile | Create a metadata-only file record |
files:UploadFile | Upload a file (multipart) |
files:UploadFile | Upload a file (base64-encoded) |
files:GetFile | Get file metadata by ID |
files:DownloadFile | Download file content |
files:DownloadFile | Download file content as base64 |
files:UpdateFileMetadata | Update file metadata |
files:DeleteFile | Delete a file |
Resource Identifiers
| Pattern | Description |
|---|---|
soat:{project_id}:file:{id} | Specific file by ID |
soat:{project_id}:file:/path/to/file.ext | File at an exact logical path |
soat:{project_id}:file:/prefix/* | All files under a path prefix |
soat:{project_id}:file:* | All files in a project |
Formations
| Permission | Description |
|---|---|
formations:ValidateFormation | Validate a formation template |
formations:PlanFormation | Plan a formation deployment |
formations:CreateFormation | Create a new agent formation stack |
formations:ListFormations | List formation stacks in a project |
formations:GetFormation | Get a formation stack by ID |
formations:UpdateFormation | Update a formation stack by applying a new template |
formations:DeleteFormation | Delete a formation stack and all its managed resources |
formations:ListFormationEvents | List operation events for a formation stack |
Generations
| Permission | Description |
|---|---|
generations:ListGenerations | List generations, optionally filtered by agent, trace, or status |
generations:GetGeneration | Get a generation record by ID |
Ingestion Rules
| Permission | Description |
|---|---|
ingestion-rules:ListIngestionRules | List ingestion rules in a project |
ingestion-rules:CreateIngestionRule | Create a new ingestion rule |
ingestion-rules:GetIngestionRule | Get an ingestion rule by ID |
ingestion-rules:UpdateIngestionRule | Update an ingestion rule |
ingestion-rules:DeleteIngestionRule | Delete an ingestion rule |
Knowledge
| Permission | Description |
|---|---|
knowledge:SearchKnowledge | Search across documents and knowledge sources |
Memories
| Permission | Description |
|---|---|
memories:ListMemories | List memory configurations in a project |
memories:CreateMemory | Create a new memory configuration |
memories:GetMemory | Get a memory configuration by ID |
memories:UpdateMemory | Update a memory configuration |
memories:DeleteMemory | Delete a memory configuration |
memories:ListMemoryEntries | List entries in a memory |
memories:CreateMemoryEntry | Create a new memory entry |
memories:GetMemoryEntry | Get a memory entry by ID |
memories:UpdateMemoryEntry | Update a memory entry |
memories:DeleteMemoryEntry | Delete a memory entry |
Orchestrations
| Permission | Description |
|---|---|
orchestrations:CreateOrchestration | Create an orchestration |
orchestrations:ValidateOrchestration | Statically validate an orchestration graph |
orchestrations:ListOrchestrations | List orchestrations in a project |
orchestrations:GetOrchestration | Get an orchestration by ID |
orchestrations:UpdateOrchestration | Update an orchestration |
orchestrations:DeleteOrchestration | Delete an orchestration |
orchestrations:StartRun | Start a new orchestration run |
orchestrations:ListRuns | List runs for an orchestration |
orchestrations:GetRun | Get an orchestration run by ID |
orchestrations:CancelRun | Cancel a running or paused orchestration run |
orchestrations:SubmitHumanInput | Submit human input to a paused orchestration run |
orchestrations:ResumeRun | Resume a paused orchestration run from its last checkpoint |
Policies
| Permission | Description |
|---|---|
policies:ListPolicies | List all policies (admin only) |
policies:CreatePolicy | Create a new policy (admin only) |
policies:GetPolicy | Get a policy by ID (admin only) |
policies:UpdatePolicy | Update a policy (admin only) |
policies:DeletePolicy | Delete a policy (admin only) |
Projects
| Permission | Description |
|---|---|
projects:CreateProject | Create a new project (admin only) |
projects:GetProject | Get a project by ID |
projects:UpdateProject | Rename a project (admin only) |
projects:DeleteProject | Delete a project (admin only) |
projects:GetProjectPrices | List a project's per-provider-slug price rows |
projects:ManageProjectPrices | Upsert a project's per-provider-slug price rows |
Secrets
| Permission | Description |
|---|---|
secrets:ListSecrets | List secrets in a project |
secrets:CreateSecret | Create a new secret |
secrets:GetSecret | Get a secret by ID (value is never returned) |
secrets:UpdateSecret | Update a secret's value |
secrets:DeleteSecret | Delete a secret |
Sessions
| Permission | Description |
|---|---|
agents:CreateSession | Create a new session for an agent |
agents:ListSessions | List sessions |
agents:GetSession | Get a session |
agents:UpdateSession | Update session name, status, or tags |
agents:DeleteSession | Delete a session |
agents:SendSessionMessage | Save a user message or trigger generation |
agents:SendSessionMessage | Generate an assistant response in a session |
agents:SubmitSessionToolOutputs | Submit tool outputs for client tools in a session |
Tools
| Permission | Description |
|---|---|
tools:CreateTool | Create a tool |
tools:ListTools | List tools in a project |
tools:GetTool | Get a tool by ID |
tools:UpdateTool | Update a tool |
tools:DeleteTool | Delete a tool |
tools:CallTool | Call (invoke) a tool directly |
Traces
| Permission | Description |
|---|---|
traces:ListTraces | List execution traces in a project |
traces:GetTrace | Get a trace by ID |
traces:GetTraceTree | Get the full execution tree for a trace |
Triggers
| Permission | Description |
|---|---|
triggers:ListTriggers | List triggers in a project |
triggers:CreateTrigger | Create a new trigger |
triggers:GetTrigger | Get a trigger by ID |
triggers:UpdateTrigger | Update a trigger |
triggers:DeleteTrigger | Delete a trigger |
triggers:FireTrigger | Fire a trigger manually |
triggers:GetTriggerSecret | Retrieve the signing secret for a webhook trigger |
triggers:RotateTriggerSecret | Rotate the signing secret for a webhook trigger |
triggers:ListTriggerFirings | List firings for a trigger |
triggers:GetTriggerFiring | Get details of a specific trigger firing |
Usage
| Permission | Description |
|---|---|
usage:ListUsageMeters | List raw usage-meter rows, optionally filtered by agent or generation |
usage:GetReceipt | Get a billing receipt for a generation |
usage:GetPriceBook | Read the global price book |
usage:ManagePriceBook | Upsert price-book rows (admin only) |
Users
| Permission | Description |
|---|---|
users:ListUsers | List all users |
users:CreateUser | Create a new user |
users:GetUser | Get a user by ID |
users:DeleteUser | Delete a user |
users:AttachUserPolicies | Replace the full set of policies attached to a user |
Webhooks
| Permission | Description |
|---|---|
webhooks:ListWebhooks | List webhooks in a project |
webhooks:CreateWebhook | Create a new webhook |
webhooks:GetWebhook | Get a webhook by ID |
webhooks:UpdateWebhook | Update a webhook |
webhooks:DeleteWebhook | Delete a webhook |
webhooks:RotateWebhookSecret | Rotate the signing secret for a webhook |
webhooks:GetWebhookSecret | Retrieve the signing secret for a webhook |
webhooks:ListWebhookDeliveries | List delivery attempts for a webhook |
webhooks:GetWebhookDelivery | Get details of a specific webhook delivery |