Version: latest

Permission Policy Actions and Resources

This reference catalogs every action and resource ARN that can appear in an API7 Gateway permission policy. Use it as the authoritative source when authoring policies — every action listed here is enforced by the Control Plane, and every resource ARN follows the exact format the policy engine accepts.

Permissions are organized into three namespaces:

| Namespace | Purpose |
| --- | --- |
| gateway: | Data plane configuration — gateway groups, services, routes, consumers, plugins, certificates, alerts |
| iam: | Identity and organization — users, roles, permission policies, license, audit logs, login options, SMTP, contact points |
| portal: | Developer Portal — portals, API products, developers, DCR providers, portal tokens |

Wildcards are expressed as * (literal wildcard in the resource path) or <regex> (regular expression enclosed in angle brackets, applied at match time). For example, arn:api7:gateway:gatewaygroup/<.*> matches every gateway group, while arn:api7:gateway:gatewaygroup/* is used in creation statements where there is no specific target yet.
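
As an added example (not API7 code), the linter below checks an action/resource pair against the templates in this reference and flags an ID slot filled with a match-all <regex>. It assumes %s marks an ID slot and that a <regex> is applied to the whole ID, and it uses Python's re as a stand-in for the policy engine's regex dialect; TEMPLATES is a subset of the tables on this page and PROBE_ID is a constructed value.

```python
import re

# Subset of the action -> resource templates listed in this reference.
# Assumption: %s is an ID slot, * is the literal wildcard used by create actions.
TEMPLATES = {
    "gateway:GetGatewayGroup": "arn:api7:gateway:gatewaygroup/%s",
    "gateway:GetConsumer": "arn:api7:gateway:gatewaygroup/%s/consumer/%s",
    "gateway:CreateConsumer": "arn:api7:gateway:gatewaygroup/%s/consumer/*",
    "iam:UpdateUserRole": "arn:api7:iam:user/%s",
}
TOKEN = r"(?:<[^>]*>|[^/<>]+)"  # one path segment: <regex> or plain text
PROBE_ID = "probe-7f3a"         # constructed ID; a regex matching it counts as match-all


def split_arn(arn):
    """Split on '/', keeping <regex> segments whole; None if malformed."""
    if not re.fullmatch(rf"{TOKEN}(?:/{TOKEN})*", arn):
        return None
    return re.findall(TOKEN, arn)


def lint(action, resource):
    """Return a list of findings; an empty list means the pair fits the template."""
    template = TEMPLATES.get(action)
    if template is None:
        return [f"unknown action {action}"]
    want, got = template.split("/"), split_arn(resource)
    if got is None or len(got) != len(want):
        return [f"resource does not have the shape {template}"]
    findings = []
    for slot, (w, g) in enumerate(zip(want, got)):
        if w != "%s":
            if g != w:  # fixed text and the create-time * must match literally
                findings.append(f"slot {slot}: expected {w!r}, got {g!r}")
        elif g.startswith("<"):
            try:
                # Assumption: the regex is applied to the whole ID (Python re as stand-in).
                if re.fullmatch(g[1:-1], PROBE_ID):
                    findings.append(f"slot {slot}: {g} matches an arbitrary ID")
            except re.error:
                findings.append(f"slot {slot}: invalid regex {g}")
        elif g == "*":
            findings.append(f"slot {slot}: '*' where the template has an ID")
    return findings
```

Running it over every statement before a policy is saved gives a reviewable list of the grants that are not scoped to a specific resource.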

gateway: namespace

Gateway Group

| Action | Resource |
| --- | --- |
| gateway:GetGatewayGroup | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateGatewayGroup | arn:api7:gateway:gatewaygroup/* |
| gateway:UpdateGatewayGroup | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteGatewayGroup | arn:api7:gateway:gatewaygroup/%s |
| gateway:GetAdminKey | arn:api7:gateway:gatewaygroup/%s |

Gateway Instance

| Action | Resource |
| --- | --- |
| gateway:GetGatewayInstance | arn:api7:gateway:gatewaygroup/%s |
| gateway:GetGatewayInstanceCore | arn:api7:gateway:gatewaygroup/* |
| gateway:CreateGatewayInstance | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteGatewayInstance | arn:api7:gateway:gatewaygroup/%s |

Consumer

| Action | Resource |
| --- | --- |
| gateway:GetConsumer | arn:api7:gateway:gatewaygroup/%s/consumer/%s |
| gateway:CreateConsumer | arn:api7:gateway:gatewaygroup/%s/consumer/* |
| gateway:UpdateConsumer | arn:api7:gateway:gatewaygroup/%s/consumer/%s |
| gateway:DeleteConsumer | arn:api7:gateway:gatewaygroup/%s/consumer/%s |

Consumer Credential

| Action | Resource |
| --- | --- |
| gateway:GetConsumerCredential | arn:api7:gateway:gatewaygroup/%s/consumer/%s |
| gateway:CreateConsumerCredential | arn:api7:gateway:gatewaygroup/%s/consumer/%s |
| gateway:UpdateConsumerCredential | arn:api7:gateway:gatewaygroup/%s/consumer/%s |
| gateway:DeleteConsumerCredential | arn:api7:gateway:gatewaygroup/%s/consumer/%s |

SSL Certificate

| Action | Resource |
| --- | --- |
| gateway:GetSSLCertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateSSLCertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdateSSLCertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteSSLCertificate | arn:api7:gateway:gatewaygroup/%s |

Certificate

| Action | Resource |
| --- | --- |
| gateway:GetCertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateCertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdateCertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteCertificate | arn:api7:gateway:gatewaygroup/%s |

CA Certificate

| Action | Resource |
| --- | --- |
| gateway:GetCACertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateCACertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdateCACertificate | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteCACertificate | arn:api7:gateway:gatewaygroup/%s |

SNI

| Action | Resource |
| --- | --- |
| gateway:GetSNI | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateSNI | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdateSNI | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteSNI | arn:api7:gateway:gatewaygroup/%s |

Global Plugin Rule

| Action | Resource |
| --- | --- |
| gateway:GetGlobalPluginRule | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateGlobalPluginRule | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdateGlobalPluginRule | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteGlobalPluginRule | arn:api7:gateway:gatewaygroup/%s |

Plugin Metadata

| Action | Resource |
| --- | --- |
| gateway:GetPluginMetadata | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdatePluginMetadata | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeletePluginMetadata | arn:api7:gateway:gatewaygroup/%s |

Service Registry

| Action | Resource |
| --- | --- |
| gateway:GetServiceRegistry | arn:api7:gateway:gatewaygroup/%s |
| gateway:ConnectServiceRegistry | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdateServiceRegistry | arn:api7:gateway:gatewaygroup/%s |
| gateway:DisconnectServiceRegistry | arn:api7:gateway:gatewaygroup/%s |

Secret Provider

| Action | Resource |
| --- | --- |
| gateway:GetSecretProvider | arn:api7:gateway:gatewaygroup/%s/secret_provider/%s |
| gateway:PutSecretProvider | arn:api7:gateway:gatewaygroup/%s/secret_provider/%s |
| gateway:DeleteSecretProvider | arn:api7:gateway:gatewaygroup/%s/secret_provider/%s |

Proto

For gRPC service definitions used by the grpc-transcode and proto plugins.

| Action | Resource |
| --- | --- |
| gateway:GetProto | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateProto | arn:api7:gateway:gatewaygroup/%s |
| gateway:UpdateProto | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteProto | arn:api7:gateway:gatewaygroup/%s |

Debug Session

For online request debugging and trace capture.

| Action | Resource |
| --- | --- |
| gateway:GetDebugSession | arn:api7:gateway:gatewaygroup/%s |
| gateway:CreateDebugSession | arn:api7:gateway:gatewaygroup/%s |
| gateway:StopDebugSession | arn:api7:gateway:gatewaygroup/%s |
| gateway:DeleteDebugSession | arn:api7:gateway:gatewaygroup/%s |
| gateway:ExportDebugSession | arn:api7:gateway:gatewaygroup/%s |

Service Template

Service templates define reusable service configurations, including their routes and stream routes. See Services and Routes for the difference between ServiceTemplateID and ServiceID.

| Action | Resource |
| --- | --- |
| gateway:GetServiceTemplate | arn:api7:gateway:servicetemplate/%s |
| gateway:CreateServiceTemplate | arn:api7:gateway:servicetemplate/* |
| gateway:UpdateServiceTemplate | arn:api7:gateway:servicetemplate/%s |
| gateway:DeleteServiceTemplate | arn:api7:gateway:servicetemplate/%s |

Published Service

A published service is a service template that has been deployed to a specific gateway group. The same four actions cover the service's routes and stream routes.

| Action | Resource |
| --- | --- |
| gateway:GetPublishedService | arn:api7:gateway:gatewaygroup/%s/publishedservice/%s |
| gateway:CreatePublishedService | arn:api7:gateway:gatewaygroup/%s/publishedservice/* |
| gateway:UpdatePublishedService | arn:api7:gateway:gatewaygroup/%s/publishedservice/%s |
| gateway:DeletePublishedService | arn:api7:gateway:gatewaygroup/%s/publishedservice/%s |
| gateway:PublishServices | arn:api7:gateway:gatewaygroup/%s/publishedservice/* |

Deployment Settings

System-wide gateway deployment settings.

| Action | Resource |
| --- | --- |
| gateway:UpdateDeploymentSetting | arn:api7:gateway:gatewaysetting/* |

Custom Plugin

| Action | Resource |
| --- | --- |
| gateway:CreateCustomPlugin | arn:api7:gateway:gatewaysetting/* |
| gateway:UpdateCustomPlugin | arn:api7:gateway:gatewaysetting/* |
| gateway:DeleteCustomPlugin | arn:api7:gateway:gatewaysetting/* |

Alert Policy

| Action | Resource |
| --- | --- |
| gateway:GetAlertPolicy | arn:api7:gateway:alert/%s |
| gateway:CreateAlertPolicy | arn:api7:gateway:alert/* |
| gateway:UpdateAlertPolicy | arn:api7:gateway:alert/%s |
| gateway:DeleteAlertPolicy | arn:api7:gateway:alert/%s |

Webhook Template

Reusable webhook payload templates used by alert contact points.

| Action | Resource |
| --- | --- |
| gateway:GetWebhookTemplate | arn:api7:gateway:gatewaysetting/* |
| gateway:CreateWebhookTemplate | arn:api7:gateway:gatewaysetting/* |
| gateway:UpdateWebhookTemplate | arn:api7:gateway:gatewaysetting/* |
| gateway:DeleteWebhookTemplate | arn:api7:gateway:gatewaysetting/* |

iam: namespace

User

| Action | Resource |
| --- | --- |
| iam:GetUser | arn:api7:iam:user/%s |
| iam:InviteUser | arn:api7:iam:user/* |
| iam:UpdateUser | arn:api7:iam:user/%s |
| iam:DeleteUser | arn:api7:iam:user/%s |
| iam:UpdateUserRole | arn:api7:iam:user/%s |
| iam:ResetPassword | arn:api7:iam:user/%s |
| iam:UpdateUserBoundary | arn:api7:iam:user/%s |

Role

| Action | Resource |
| --- | --- |
| iam:GetRole | arn:api7:iam:role/%s |
| iam:CreateRole | arn:api7:iam:role/* |
| iam:UpdateRole | arn:api7:iam:role/%s |
| iam:DeleteRole | arn:api7:iam:role/%s |

Permission Policy

| Action | Resource |
| --- | --- |
| iam:GetPermissionPolicy | arn:api7:iam:permissionpolicy/%s |
| iam:CreatePermissionPolicy | arn:api7:iam:permissionpolicy/* |
| iam:UpdatePermissionPolicy | arn:api7:iam:permissionpolicy/%s |
| iam:DeletePermissionPolicy | arn:api7:iam:permissionpolicy/%s |

License

| Action | Resource |
| --- | --- |
| iam:UpdateLicense | arn:api7:iam:organization/* |

Audit Log

| Action | Resource |
| --- | --- |
| iam:GetAudit | arn:api7:iam:organization/* |
| iam:ExportAudits | arn:api7:iam:organization/* |

Login Option

Login options configure authentication methods for the Dashboard (OIDC, SAML, LDAP, CAS).

| Action | Resource |
| --- | --- |
| iam:GetLoginOption | arn:api7:iam:organization/* |
| iam:CreateLoginOption | arn:api7:iam:organization/* |
| iam:UpdateLoginOption | arn:api7:iam:organization/* |
| iam:DeleteLoginOption | arn:api7:iam:organization/* |

SCIM Provisioning

| Action | Resource |
| --- | --- |
| iam:GetSCIMProvisioning | arn:api7:iam:organization/* |
| iam:UpdateSCIMProvisioning | arn:api7:iam:organization/* |

SMTP Server

Used for outbound email notifications and user invitations.

| Action | Resource |
| --- | --- |
| iam:GetSMTPServer | arn:api7:iam:organization/* |
| iam:UpdateSMTPServer | arn:api7:iam:organization/* |

Contact Point

Contact points are alert notification targets (email, webhook, etc.) referenced by alert policies.

| Action | Resource |
| --- | --- |
| iam:GetContactPoint | arn:api7:iam:contactpoint/%s |
| iam:CreateContactPoint | arn:api7:iam:contactpoint/* |
| iam:UpdateContactPoint | arn:api7:iam:contactpoint/%s |
| iam:DeleteContactPoint | arn:api7:iam:contactpoint/%s |

portal: namespace

Portal

| Action | Resource |
| --- | --- |
| portal:GetPortal | arn:api7:portal:portal/%s |
| portal:CreatePortal | arn:api7:portal:portal/* |
| portal:UpdatePortal | arn:api7:portal:portal/%s |
| portal:DeletePortal | arn:api7:portal:portal/%s |

Portal Token

| Action | Resource |
| --- | --- |
| portal:GetPortalToken | arn:api7:portal:portal/%s/token/* |
| portal:CreatePortalToken | arn:api7:portal:portal/%s/token/* |
| portal:UpdatePortalToken | arn:api7:portal:portal/%s/token/* |
| portal:DeletePortalToken | arn:api7:portal:portal/%s/token/* |

API Product

| Action | Resource |
| --- | --- |
| portal:GetAPIProduct | arn:api7:portal:portal/%s/apiproduct/%s |
| portal:CreateAPIProduct | arn:api7:portal:portal/%s/apiproduct/* |
| portal:UpdateAPIProduct | arn:api7:portal:portal/%s/apiproduct/%s |
| portal:DeleteAPIProduct | arn:api7:portal:portal/%s/apiproduct/%s |

Developer

| Action | Resource |
| --- | --- |
| portal:GetDeveloper | arn:api7:portal:portal/%s/developer/%s |
| portal:InviteDeveloper | arn:api7:portal:portal/%s/developer/* |
| portal:DeleteDeveloper | arn:api7:portal:portal/%s/developer/%s |

DCR Provider

Dynamic Client Registration providers used by the Developer Portal.

| Action | Resource |
| --- | --- |
| portal:GetDCRProvider | arn:api7:portal:dcrprovider/* |
| portal:CreateDCRProvider | arn:api7:portal:dcrprovider/* |
| portal:UpdateDCRProvider | arn:api7:portal:dcrprovider/* |
| portal:DeleteDCRProvider | arn:api7:portal:dcrprovider/* |

Developer Login Option

Configures authentication methods that developers can use to sign in to a Developer Portal.

| Action | Resource |
| --- | --- |
| portal:GetDeveloperLoginOption | arn:api7:portal:portal/%s/loginsetting/* |
| portal:CreateDeveloperLoginOption | arn:api7:portal:portal/%s/loginsetting/* |
| portal:UpdateDeveloperLoginOption | arn:api7:portal:portal/%s/loginsetting/* |
| portal:DeleteDeveloperLoginOption | arn:api7:portal:portal/%s/loginsetting/* |

Developer SCIM Provisioning

| Action | Resource |
| --- | --- |
| portal:GetDeveloperSCIMProvisioning | arn:api7:portal:portal/%s/loginsetting/* |
| portal:UpdateDeveloperSCIMProvisioning | arn:api7:portal:portal/%s/loginsetting/* |

Developer Portal Public Access

Controls whether a Developer Portal is publicly accessible without login.

| Action | Resource |
| --- | --- |
| portal:GetDeveloperPortalPublicAccess | arn:api7:portal:portal/%s/loginsetting/* |
| portal:UpdateDeveloperPortalPublicAccess | arn:api7:portal:portal/%s/loginsetting/* |

Approvals

Approve pending API product subscriptions or new developer sign-ups.

| Action | Resource |
| --- | --- |
| portal:ApproveAPIProductSubscription | arn:api7:portal:portal/%s/apiproduct/%s |
| portal:ApproveDeveloperSignUp | arn:api7:portal:portal/%s/developer/* |
