# Permissions

Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. Each permission consists of a resource type and an allowed action. The Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. Each permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. Permission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.

## Get permission sets.

> Retrieve a list of all available permission sets. Each permission set defines a collection of permissions grouped by resource type and associated actions (such as create, read, update, or delete).

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"schemas":{"PermissionSets":{"type":"array","items":{"$ref":"#/components/schemas/PermissionSet"}},"PermissionSet":{"allOf":[{"$ref":"#/components/schemas/RolePermissionSet"},{"type":"object","required":["name","permissions"],"properties":{"description":{"type":"string","description":"A description of the permission set."},"permissions":{"$ref":"#/components/schemas/RolePermissions"}}}]},"RolePermissionSet":{"type":"object","required":["id"],"properties":{"id":{"type":"string","format":"uuid","description":"The universally unique ID (UUID) of the permission set."},"name":{"type":"string","description":"The name of the permission set."}}},"RolePermissions":{"type":"array","items":{"$ref":"#/components/schemas/RolePermission"}},"RolePermission":{"type":"object","required":["resourceType","actions"],"properties":{"resourceType":{"description":"The type of resource the permission applies to.","$ref":"#/components/schemas/ResourceType"},"actions":{"type":"array","description":"The list of allowed actions for this resource\n- create\n- read\n- update\n- delete\n","items":{"$ref":"#/components/schemas/PermissionAction"}}}},"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"PermissionAction":{"type":"string","enum":["create","read","update","delete"]},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"400BadRequest":{"description":"Bad request.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permission-sets":{"get":{"summary":"Get permission sets.","description":"Retrieve a list of all available permission sets. Each permission set defines a collection of permissions grouped by resource type and associated actions (such as create, read, update, or delete).","operationId":"get_permission_sets","tags":["Permissions"],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"type":"object","required":["permissionSets"],"properties":{"permissionSets":{"$ref":"#/components/schemas/PermissionSets"}}}}}},"400":{"$ref":"#/components/responses/400BadRequest"},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Get permission set by id.

> Returns information about a single permission set, including its name, description, and the list of permissions it contains.

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"parameters":{"PermissionSetId":{"name":"permissionSetId","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}},"schemas":{"PermissionSet":{"allOf":[{"$ref":"#/components/schemas/RolePermissionSet"},{"type":"object","required":["name","permissions"],"properties":{"description":{"type":"string","description":"A description of the permission set."},"permissions":{"$ref":"#/components/schemas/RolePermissions"}}}]},"RolePermissionSet":{"type":"object","required":["id"],"properties":{"id":{"type":"string","format":"uuid","description":"The universally unique ID (UUID) of the permission set."},"name":{"type":"string","description":"The name of the permission set."}}},"RolePermissions":{"type":"array","items":{"$ref":"#/components/schemas/RolePermission"}},"RolePermission":{"type":"object","required":["resourceType","actions"],"properties":{"resourceType":{"description":"The type of resource the permission applies to.","$ref":"#/components/schemas/ResourceType"},"actions":{"type":"array","description":"The list of allowed actions for this resource\n- create\n- read\n- update\n- delete\n","items":{"$ref":"#/components/schemas/PermissionAction"}}}},"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"PermissionAction":{"type":"string","enum":["create","read","update","delete"]},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"400BadRequest":{"description":"Bad request.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403Forbidden":{"description":"Forbidden","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permission-sets/{permissionSetId}":{"get":{"summary":"Get permission set by id.","description":"Returns information about a single permission set, including its name, description, and the list of permissions it contains.","operationId":"get_permission_set","tags":["Permissions"],"parameters":[{"$ref":"#/components/parameters/PermissionSetId"}],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/PermissionSet"}}}},"400":{"$ref":"#/components/responses/400BadRequest"},"401":{"$ref":"#/components/responses/401Unauthorized"},"403":{"$ref":"#/components/responses/403Forbidden"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Get a summary of user permissions.

> Retrieve a summary of user permissions.

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"schemas":{"Permissions":{"type":"array","items":{"$ref":"#/components/schemas/Permission"}},"Permission":{"type":"object","required":["resourceType","actions","groupId","displayName"],"properties":{"resourceType":{"$ref":"#/components/schemas/ResourceType"},"displayName":{"type":"string"},"groupId":{"$ref":"#/components/schemas/ResourceTypeGroupId"},"actions":{"type":"array","items":{"$ref":"#/components/schemas/Action"}}}},"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"ResourceTypeGroupId":{"type":"string","enum":["organization","physical-resource","iam","dashboard","workload","workload-asset"]},"Action":{"type":"string","enum":["create","read","update","delete","sync"]},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permissions":{"get":{"summary":"Get a summary of user permissions.","description":"Retrieve a summary of user permissions.","operationId":"get_permissions","tags":["Permissions"],"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Permissions"}}}},"401":{"$ref":"#/components/responses/401Unauthorized"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```

## Calculate permitted scopes.

> Use to calculate user permitted scopes for an action on a resource.

```json
{"openapi":"3.0.3","info":{"title":"NVIDIA Run:ai","version":"2.24"},"tags":[{"name":"Permissions","description":"Permissions define the actions that users can perform on specific resources within the NVIDIA Run:ai platform. \nEach permission consists of a resource type and an allowed action. \nThe Permission Sets API provides a catalog of all available permission sets in the NVIDIA Run:ai platform. \nEach permission set is a predefined collection of permissions that represent the permissions required for a role to perform specific operations. \nPermission sets serve as the building blocks for roles and are used in both NVIDIA Run:ai predefined roles and custom roles defined through the Roles API.\n"}],"servers":[{"url":"https://app.run.ai"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"Bearer authentication"}},"schemas":{"ResourceType":{"type":"string","description":"Resource type enum for authorization. \n\nNote: The 'apps' resource type is DEPRECATED. Please use 'service-account' instead for managing service accounts.\n","enum":["department","tenant","project","cluster","cluster-config","nodepools","nodes","settings","security-settings","branding-settings","users","apps","service-account","dashboards-overview","dashboards-analytics","dashboards-consumption","roles","access_rules","workloads","workspaces","trainings","inferences","environments","pvc-assets","git-assets","host-path-assets","nfs-assets","s3-assets","compute-resources","templates","credentials","events-history","policies","cm-volume-assets","datavolumes","secret-volume-assets","storage-class-configuration","access-keys","workload-properties","network-topologies","registries","workload-integration-metrics","nodepools-minimal","clusters-minimal"]},"PermittedScopesActions":{"type":"object","required":["create","read","update","delete"],"properties":{"create":{"$ref":"#/components/schemas/PermittedScopes"},"read":{"$ref":"#/components/schemas/PermittedScopes"},"update":{"$ref":"#/components/schemas/PermittedScopes"},"delete":{"$ref":"#/components/schemas/PermittedScopes"}}},"PermittedScopes":{"type":"object","properties":{"system":{"type":"boolean"},"tenants":{"type":"array","items":{"type":"string"}},"tenant":{"deprecated":true,"type":"string"},"clusters":{"type":"array","items":{"type":"string"}},"departments":{"type":"array","items":{"type":"string"}},"projects":{"type":"array","items":{"type":"string"}}}},"Error":{"required":["code","message"],"properties":{"code":{"type":"integer","minimum":100,"maximum":599},"message":{"type":"string"},"details":{"type":"string"}}}},"responses":{"401Unauthorized":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500InternalServerError":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"503ServiceUnavailable":{"description":"unexpected error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/api/v1/authorization/permitted-scopes":{"post":{"summary":"Calculate permitted scopes.","description":"Use to calculate user permitted scopes for an action on a resource.","operationId":"get_permitted_scopes","tags":["Permissions"],"requestBody":{"description":"The request parameters.","required":true,"content":{"application/json":{"schema":{"type":"object","required":["resourceType"],"properties":{"resourceType":{"$ref":"#/components/schemas/ResourceType"},"action":{"nullable":true,"type":"string","enum":["create","read","update","delete"]}}}}}},"responses":{"200":{"description":"Executed successfully.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/PermittedScopesActions"}}}},"401":{"$ref":"#/components/responses/401Unauthorized"},"500":{"$ref":"#/components/responses/500InternalServerError"},"503":{"$ref":"#/components/responses/503ServiceUnavailable"}}}}}}
```