# Policy

> Fine-grained permission policies for all resource types. Covers policy bindings, principal targeting, permission sets, and built-in system policies.

## Overview

Refer to the [policy concepts](/concepts/access-control) page.

## Creating a Policy

Refer to the [Create a Policy](/guides/policy) guide for additional details.

## Resource Permissions

Each resource has a set of permissions that can be assigned to a policy.

Expand the dropdown below and click on a resource to view its assignable permissions.

<Accordion title="Resources">
  After clicking on a link, expand the `Examples` dropdown to view the list.

  * [Agent](/cli-reference/commands/agent#agent-permissions)
  * [Audit Context](/cli-reference/commands/auditctx#auditctx-permissions)
  * [Cloud Account](/cli-reference/commands/cloudaccount#cloudaccount-permissions)
  * [Domain](/cli-reference/commands/domain#domain-permissions)
  * [Group](/cli-reference/commands/group#group-permissions)
  * [GVC (Global Virtual Cloud)](/cli-reference/commands/gvc#gvc-permissions)
  * [Identity](/cli-reference/commands/identity#identity-permissions)
  * [Image](/cli-reference/commands/image#image-permissions)
  * [Location](/cli-reference/commands/location#location-permissions)
  * [Org](/cli-reference/commands/org#org-permissions)
  * [Policy](/cli-reference/commands/policy#policy-permissions)
  * [Quota](/cli-reference/commands/quota#quota-permissions)
  * [Secret](/cli-reference/commands/secret#secret-permissions)
  * [Service Account](/cli-reference/commands/serviceaccount#serviceaccount-permissions)
  * [User](/cli-reference/commands/user#user-permissions)
  * [Volume Set](/cli-reference/commands/volumeset#volumeset-permissions)
  * [Workload](/cli-reference/commands/workload#workload-permissions)
</Accordion>

## Built-in Policies

Each [org](/reference/org) has the following built-in policies for each resource (agent, GVC, etc.), where `RESOURCE` in the policy name stands for the resource:

| Policy Name         | Description                                                    | Target    | Permission | Group                                          | Service Account                                                     |
| :------------------ | :------------------------------------------------------------- | :-------- | :--------- | :--------------------------------------------- | :------------------------------------------------------------------ |
| superusers-RESOURCE | Built-in policy granting full access to the superusers group   | All Items | manage     | [superusers](/reference/group#built-in-groups) | [controlplane](/reference/serviceaccount#built-in-service-accounts) |
| viewers-RESOURCE    | Built-in policy granting read-only access to the viewers group | All Items | view       | [viewers](/reference/group#built-in-groups)    | none                                                                |

## Permissions

The permissions below are used to define [policies](/reference/policy) together with one or more of the four
[principal types](/concepts/access-control):

| Permission | Description              | Implies                            |
| :--------- | :----------------------- | :--------------------------------- |
| create     | Create new policies      |                                    |
| delete     | Delete existing policies |                                    |
| edit       | Modify existing policies | view                               |
| manage     | Full access              | create, delete, edit, manage, view |
| view       | Read-only view           |                                    |

## Access Report

Displays the permissions granted to principals for the policy.

## CLI

To view the CLI documentation for policies, see the [Policy CLI reference](/cli-reference/commands/policy).
