| Concept | What it means |
|---|---|
| Resource | The kind of object the permission applies to. Currently agents. |
| Action | What the member is allowed to do: view, edit, delete, publish, or create. |
| Scope | How far the action reaches — from a user’s owned resources all the way to the whole organization. |
| Principal | Who the set is assigned to. Currently users. |
| Scope | Grants the action on… |
|---|---|
| all | Every agent in the organization (broadest). |
| project | Agents belonging to projects the member can access. |
| team | Agents user’s team(s) can access. |
| own | Only agents the member owns (narrowest). |
| Action | Type | Description |
|---|---|---|
| view | scope | null | View / read access to agents in scope. |
| edit | scope | null | Modify an agent's configuration. |
| delete | scope | null | Delete agents in scope. |
| publish | scope | null | Publish staging changes live to production. |
| create | boolean | Whether the member may create new agents. |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v2/permission-sets | List the organization's permission sets. Supports search (query), sorting (sort_by=name), and optional pagination. |
| POST | /api/v2/permission-sets | Create a permission set from a name, optional description, default flag, and permissions object. |
| GET | /api/v2/permission-sets/{permission_set_id} | Retrieve a single permission set by ID. |
| PUT | /api/v2/permission-sets/{permission_set_id} | Update name, description, default flag, or permission scopes. |
| DELETE | /api/v2/permission-sets/{permission_set_id} | Delete a permission set and revoke its permission grants. System sets cannot be deleted. |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v2/permission-sets/{permission_set_id}/members | List the users assigned to a set. Supports search, sorting (name, subject_type), and pagination. |
| POST | /api/v2/permission-sets/{permission_set_id}/members | Assign one or more users to the set. |
| DELETE | /api/v2/permission-sets/{permission_set_id}/members | Remove one or more users from the set. |
| POST | /api/v2/users/{user_id}/permission-sets | Assign a single user to multiple permission sets in one call. |
| Share level | What it can unlock (given a matching permission set) |
|---|---|
| member | View only. |
| admin | View, edit, delete, and publish. |
Note: Direct shares to a team behave slightly differently — a team share is gated at teamscope rather than by the scope-agnostic capability. The capability-based resolution above applies to shares made directly to an individual user.