Permissions Reference
This page is auto-generated. Do not edit manually — run
pnpm generate-permissions-pageto regenerate.
Complete list of all IAM permission actions, grouped by module. Use these strings in the action field of a policy statement.
See IAM & Policies for how policies are evaluated.
Actors
| Permission | Description |
|---|---|
actors:ListActors | List actors in a project |
actors:CreateActor | Create a new actor |
actors:GetActor | Get an actor by ID |
actors:UpdateActor | Update an actor |
actors:DeleteActor | Delete an actor |
Agent Formations
| Permission | Description |
|---|---|
agent-formations:ValidateAgentFormation | Validate a formation template |
agent-formations:PlanAgentFormation | Plan a formation deployment |
agent-formations:CreateAgentFormation | Create a new agent formation stack |
agent-formations:ListAgentFormations | List formation stacks in a project |
agent-formations:GetAgentFormation | Get a formation stack by ID |
agent-formations:UpdateAgentFormation | Update a formation stack by applying a new template |
agent-formations:DeleteAgentFormation | Delete a formation stack and all its managed resources |
agent-formations:ListAgentFormationEvents | List operation events for a formation stack |
Agents
| Permission | Description |
|---|---|
agents:CreateAgent | Create a new agent |
agents:ListAgents | List agents in a project |
agents:GetAgent | Get an agent by ID |
agents:UpdateAgent | Update an agent |
agents:DeleteAgent | Delete an agent |
agents:CreateAgentGeneration | Run a generation for an agent |
agents:CreateAgentGeneration | Submit tool outputs to resume a paused generation |
agents:CreateAgentTool | Create an agent tool |
agents:ListAgentTools | List agent tools in a project |
agents:GetAgentTool | Get an agent tool by ID |
agents:UpdateAgentTool | Update an agent tool |
agents:DeleteAgentTool | Delete an agent tool |
Ai Providers
| Permission | Description |
|---|---|
ai-providers:ListAiProviders | List AI providers in a project |
ai-providers:CreateAiProvider | Create an AI provider |
ai-providers:GetAiProvider | Get an AI provider by ID |
ai-providers:UpdateAiProvider | Update an AI provider |
ai-providers:DeleteAiProvider | Delete an AI provider |
Api Keys
| Permission | Description |
|---|---|
api-keys:ListApiKeys | List API keys owned by the caller |
api-keys:CreateApiKey | Create a new API key |
api-keys:GetApiKey | Get an API key by ID (owner only) |
api-keys:UpdateApiKey | Update an API key's policy (owner only) |
api-keys:DeleteApiKey | Delete an API key (owner only) |
Chats
| Permission | Description |
|---|---|
chats:CreateChat | Create a new chat |
chats:ListChats | List chats in a project |
chats:GetChat | Get a chat by ID |
chats:DeleteChat | Delete a chat |
chats:CreateChatCompletionForChat | Generate a chat completion within a stored chat |
chats:CreateChatCompletion | Generate a stateless chat completion |
Conversations
| Permission | Description |
|---|---|
conversations:ListConversations | List conversations in a project |
conversations:CreateConversation | Create a new conversation |
conversations:GetConversation | Get a conversation by ID |
conversations:UpdateConversation | Update a conversation's status |
conversations:DeleteConversation | Delete a conversation |
conversations:GetConversation | List messages in a conversation |
conversations:UpdateConversation | Add a message to a conversation |
conversations:UpdateConversation | Remove a message from a conversation |
conversations:GenerateConversationMessage | Generate the next message in a conversation |
conversations:GetConversation | List actors in a conversation |
Documents
| Permission | Description |
|---|---|
documents:ListDocuments | List documents in a project |
documents:CreateDocument | Create a new document |
documents:GetDocument | Get a document by ID |
documents:UpdateDocument | Update a document |
documents:DeleteDocument | Delete a document |
Resource Identifiers
| Pattern | Description |
|---|---|
soat:{project_id}:document:{id} | Specific document by ID |
soat:{project_id}:document:{path} | Document at a logical path |
soat:{project_id}:document:/prefix/* | All documents under a path prefix |
soat:{project_id}:document:* | All documents in a project |
Files
| Permission | Description |
|---|---|
files:GetFile | List files in a project |
files:CreateFile | Create a metadata-only file record |
files:UploadFile | Upload a file (multipart) |
files:UploadFile | Upload a file (base64-encoded) |
files:GetFile | Get file metadata by ID |
files:DownloadFile | Download file content |
files:DownloadFile | Download file content as base64 |
files:UpdateFileMetadata | Update file metadata |
files:DeleteFile | Delete a file |
Resource Identifiers
| Pattern | Description |
|---|---|
soat:{project_id}:file:{id} | Specific file by ID |
soat:{project_id}:file:/path/to/file.ext | File at an exact logical path |
soat:{project_id}:file:/prefix/* | All files under a path prefix |
soat:{project_id}:file:* | All files in a project |
Knowledge
| Permission | Description |
|---|---|
knowledge:SearchKnowledge | Search across documents and knowledge sources |
Memories
| Permission | Description |
|---|---|
memories:ListMemories | List memory configurations in a project |
memories:CreateMemory | Create a new memory configuration |
memories:GetMemory | Get a memory configuration by ID |
memories:UpdateMemory | Update a memory configuration |
memories:DeleteMemory | Delete a memory configuration |
memories:ListMemoryEntries | List entries in a memory |
memories:CreateMemoryEntry | Create a new memory entry |
memories:GetMemoryEntry | Get a memory entry by ID |
memories:UpdateMemoryEntry | Update a memory entry |
memories:DeleteMemoryEntry | Delete a memory entry |
Policies
| Permission | Description |
|---|---|
policies:ListPolicies | List all policies (admin only) |
policies:CreatePolicy | Create a new policy (admin only) |
policies:GetPolicy | Get a policy by ID (admin only) |
policies:UpdatePolicy | Update a policy (admin only) |
policies:DeletePolicy | Delete a policy (admin only) |
Projects
| Permission | Description |
|---|---|
projects:CreateProject | Create a new project (admin only) |
projects:GetProject | Get a project by ID |
projects:DeleteProject | Delete a project (admin only) |
Secrets
| Permission | Description |
|---|---|
secrets:ListSecrets | List secrets in a project |
secrets:CreateSecret | Create a new secret |
secrets:GetSecret | Get a secret by ID (value is never returned) |
secrets:UpdateSecret | Update a secret's value |
secrets:DeleteSecret | Delete a secret |
Sessions
| Permission | Description |
|---|---|
agents:CreateSession | Create a new session for an agent |
agents:ListSessions | List sessions for an agent |
agents:GetSession | Get a session and its messages |
agents:UpdateSession | Update session name, status, or tags |
agents:DeleteSession | Delete a session |
agents:SendSessionMessage | Save a user message or trigger generation |
agents:SendSessionMessage | Generate an assistant response in a session |
agents:SubmitSessionToolOutputs | Submit tool outputs for client tools in a session |
agents:ListSessionMessages | List messages in a session |
Traces
| Permission | Description |
|---|---|
traces:ListTraces | List execution traces in a project |
traces:GetTrace | Get a trace by ID |
traces:GetTraceTree | Get the full execution tree for a trace |
Users
| Permission | Description |
|---|---|
users:ListUsers | List all users |
users:CreateUser | Create a new user |
users:GetUser | Get a user by ID |
users:DeleteUser | Delete a user |
users:GetUserPolicies | Get policies attached to a user |
users:AttachUserPolicies | Replace the full set of policies attached to a user |
Webhooks
| Permission | Description |
|---|---|
webhooks:ListWebhooks | List webhooks in a project |
webhooks:CreateWebhook | Create a new webhook |
webhooks:GetWebhook | Get a webhook by ID |
webhooks:UpdateWebhook | Update a webhook |
webhooks:DeleteWebhook | Delete a webhook |
webhooks:RotateWebhookSecret | Rotate the signing secret for a webhook |
webhooks:ListWebhookDeliveries | List delivery attempts for a webhook |
webhooks:GetWebhookDelivery | Get details of a specific webhook delivery |