# Permissions

Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. Each permission consists of a resource type and an allowed action. The Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. Each permission set is a predefined collection of the permissions a role requires to perform specific operations. Permission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.

## Get permission sets.

> Retrieve a list of all available permission sets. Each permission set defines a collection of permissions grouped by resource type and associated actions (such as create, read, update, or delete).

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"schemas":{"PermissionSets":{"type":"array","items":{"$ref":"#/components/schemas/PermissionSet"}},"PermissionSet":{"allOf":[{"$ref":"#/components/schemas/RolePermissionSet"},{"type":"object","required":["name","permissions"],"properties":{"description":{"type":"string","description":"A description of the permission set."},"permissions":{"$ref":"#/components/schemas/RolePermissions"}}}]},"RolePermissionSet":{"type":"object","required":["id"],"properties":{"id":{"type":"string","format":"uuid","description":"The universally unique ID (UUID) of the permission set."},"name":{"type":"string","description":"The name of the permission set."}}},"RolePermissions":{"type":"array","items":{"$ref":"#/components/schemas/RolePermission"}},"RolePermission":{"type":"object","required":["resourceType","actions"],"properties":{"resourceType":{"description":"The type of resource the permission applies to.","$ref":"#/components/schemas/ResourceType"},"actions":{"type":"array","description":"The list of allowed actions for this resource\n- create\n- read\n- update\n- 
delete\n","items":{"$ref":"#/components/schemas/PermissionAction"}}}},"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"PermissionAction":{"type":"string","enum":["create","read","update","delete"]},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"400BadRequest":{"description":"Bad request.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permission-sets":{"get":{"summary":"Get permission 
sets.","description":"Retrieve a list of all available permission sets. Each permission set defines a collection of permissions grouped by resource type and associated actions (such as create, read, update, or delete).","operationId":"get_permission_sets","tags":["Permissions"],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"type":"object","required":["permissionSets"],"properties":{"permissionSets":{"$ref":"#/components/schemas/PermissionSets"}}}}}},"400":{"$ref":"#/components/responses/400BadRequest"},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```
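A least-privilege review over a response from this endpoint, as an added example that is not part of the NVIDIA Run:ai documentation. It flags permission sets that grant write actions on identity- or secret-related resource types and any use of the deprecated `apps` type. The sample response, its ids and names, and the choice of which resource types count as sensitive are assumptions of this example.

```python
import json

# Resource types (taken from the ResourceType enum in the spec) treated here
# as identity- or secret-sensitive. The selection is this example's assumption.
SENSITIVE = {"roles", "access_rules", "users", "service-account", "apps",
             "access-keys", "credentials", "security-settings"}
WRITE_ACTIONS = {"create", "update", "delete"}  # PermissionAction enum minus read
DEPRECATED = {"apps"}  # the spec marks 'apps' as deprecated

# Constructed sample shaped like the 200 response of
# GET /api/v1/authorization/permission-sets (ids and names are made up).
SAMPLE = json.loads("""
{"permissionSets": [
  {"id": "00000000-0000-0000-0000-000000000001", "name": "example-viewer",
   "permissions": [
     {"resourceType": "workloads", "actions": ["read"]},
     {"resourceType": "roles", "actions": ["read"]}]},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "example-iam-admin",
   "permissions": [
     {"resourceType": "roles",
      "actions": ["create", "read", "update", "delete"]},
     {"resourceType": "apps", "actions": ["read"]}]},
  {"id": "00000000-0000-0000-0000-000000000003", "name": "example-broken"}
]}
""")


def audit_permission_sets(body):
    """Return a list of (set name, resourceType, finding) tuples."""
    findings = []
    for pset in body.get("permissionSets", []):
        name = pset.get("name") or pset.get("id", "<unnamed>")
        perms = pset.get("permissions")
        if not isinstance(perms, list):
            # 'permissions' is required by the PermissionSet schema, so its
            # absence means the data cannot be reviewed and must be reported.
            findings.append((name, None, "missing-permissions"))
            continue
        for perm in perms:
            rtype = perm.get("resourceType")
            actions = set(perm.get("actions", []))
            if rtype in DEPRECATED:
                findings.append((name, rtype, "deprecated-resource-type"))
            writes = sorted(actions & WRITE_ACTIONS)
            if rtype in SENSITIVE and writes:
                findings.append(
                    (name, rtype, "sensitive-write:" + ",".join(writes)))
    return findings


if __name__ == "__main__":
    for finding in audit_permission_sets(SAMPLE):
        print(finding)
```

Run it against the catalog before composing custom roles, so that a set carrying write access to `roles` or `access_rules` is a deliberate choice rather than an incidental one.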

## Get permission set by id.

> Returns information about a single permission set, including its name, description, and the list of permissions it contains.

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"parameters":{"PermissionSetId":{"name":"permissionSetId","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}},"schemas":{"PermissionSet":{"allOf":[{"$ref":"#/components/schemas/RolePermissionSet"},{"type":"object","required":["name","permissions"],"properties":{"description":{"type":"string","description":"A description of the permission set."},"permissions":{"$ref":"#/components/schemas/RolePermissions"}}}]},"RolePermissionSet":{"type":"object","required":["id"],"properties":{"id":{"type":"string","format":"uuid","description":"The universally unique ID (UUID) of the permission set."},"name":{"type":"string","description":"The name of the permission set."}}},"RolePermissions":{"type":"array","items":{"$ref":"#/components/schemas/RolePermission"}},"RolePermission":{"type":"object","required":["resourceType","actions"],"properties":{"resourceType":{"description":"The type of resource the permission applies to.","$ref":"#/components/schemas/ResourceType"},"actions":{"type":"array","description":"The list of allowed actions for this 
resource\n- create\n- read\n- update\n- delete\n","items":{"$ref":"#/components/schemas/PermissionAction"}}}},"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"PermissionAction":{"type":"string","enum":["create","read","update","delete"]},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"400BadRequest":{"description":"Bad request.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected 
error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permission-sets/{permissionSetId}":{"get":{"summary":"Get permission set by id.","description":"Returns information about a single permission set, including its name, description, and the list of permissions it contains.","operationId":"get_permission_set","tags":["Permissions"],"parameters":[{"$ref":"#/components/parameters/PermissionSetId"}],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/PermissionSet"}}}},"400":{"$ref":"#/components/responses/400BadRequest"},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Get a summary of user permissions.

> Retrieve a summary of user permissions.

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"schemas":{"Permissions":{"type":"array","items":{"$ref":"#/components/schemas/Permission"}},"Permission":{"type":"object","required":["resourceType","actions","groupId","displayName"],"properties":{"resourceType":{"$ref":"#/components/schemas/ResourceType"},"displayName":{"type":"string"},"groupId":{"$ref":"#/components/schemas/ResourceTypeGroupId"},"actions":{"type":"array","items":{"$ref":"#/components/schemas/Action"}}}},"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. 
Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"ResourceTypeGroupId":{"type":"string","enum":["organization","physical-resource","iam","dashboard","workload","workload-asset"]},"Action":{"type":"string","enum":["create","read","update","delete","sync"]},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permissions":{"get":{"summary":"Get a summary of user permissions.","description":"Retrieve a summary of user permissions.","operationId":"get_permissions","tags":["Permissions"],"responses":{"200":{"description":"Executed 
successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Permissions"}}}},"401":{"$ref":"#/components/responses/401Unauthorized"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Calculate permitted scopes.

> Calculate the scopes in which a user is permitted to perform an action on a resource.

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"schemas":{"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. 
Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"PermittedScopesActions":{"type":"object","required":["create","read","update","delete"],"properties":{"create":{"$ref":"#/components/schemas/PermittedScopes"},"read":{"$ref":"#/components/schemas/PermittedScopes"},"update":{"$ref":"#/components/schemas/PermittedScopes"},"delete":{"$ref":"#/components/schemas/PermittedScopes"}}},"PermittedScopes":{"type":"object","properties":{"system":{"type":"boolean"},"tenants":{"type":"array","items":{"type":"string"}},"tenant":{"deprecated":true,"type":"string"},"clusters":{"type":"array","items":{"type":"string"}},"departments":{"type":"array","items":{"type":"string"}},"projects":{"type":"array","items":{"type":"string"}}}},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected 
error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permitted-scopes":{"post":{"summary":"Calculate permitted scopes.","description":"Use to calculate user permitted scopes for an action on a resource.","operationId":"get_permitted_scopes","tags":["Permissions"],"requestBody":{"description":"The request parameters.","required":true,"content":{"application/json":{"schema":{"type":"object","required":["resourceType"],"properties":{"resourceType":{"$ref":"#/components/schemas/ResourceType"},"action":{"nullable":true,"type":"string","enum":["create","read","update","delete"]}}}}}},"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/PermittedScopesActions"}}}},"401":{"$ref":"#/components/responses/401Unauthorized"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```


