API Resource Name & Parent Patterns

This document catalogs every RPC method and its resource name/parent pattern, showing how the ACL layer can determine workspace ownership for each API call.

Pattern Categories

Category	ACL Validation	Example
Workspace-level (no parent)	Workspace from JWT context	`ListProjects`, `ListInstances`
`projects/{project}` parent	ACL validates project belongs to workspace	`ListIssues`, `CreatePlan`
`instances/{instance}` parent	ACL validates instance belongs to workspace	`ListInstanceRoles`
`instances/{instance}/databases/{database}` parent	ACL looks up database with workspace filter, resolves to project	`ListChangelogs`, `Query`
Multi-level (workspace/project/env/instance/database)	ACL matches the specific parent type	`OrgPolicyService`
Global (no workspace scope)	Skipped (allow_without_credential)	`Login`, `Signup`

Workspace-Level (No Parent)

These APIs list/create top-level resources. The workspace is resolved from the JWT context only.

Service	Method	Notes
ActuatorService	GetActuatorInfo, SetupSample, DeleteCache, GetResourcePackage	System operations
AuthService	Login, Logout, Signup, Refresh, ExchangeToken	allow_without_credential
CelService	BatchParse, BatchDeparse	Utility
GroupService	ListGroups, CreateGroup
IdentityProviderService	ListIdentityProviders, CreateIdentityProvider
InstanceService	ListInstances, CreateInstance, BatchSyncInstances, BatchUpdateInstances
ProjectService	ListProjects, SearchProjects, CreateProject, BatchDeleteProjects
ReviewConfigService	ListReviewConfigs, CreateReviewConfig
RoleService	ListRoles, CreateRole
SettingService	ListSettings
SubscriptionService	GetSubscription, UpdateSubscription
UserService	ListUsers, CreateUser, GetCurrentUser

Name-Based (Top-Level Resource by Name)

These APIs operate on a single top-level resource by its name. ACL validates via workspace context.

Service	Method	Name Pattern
GroupService	GetGroup, UpdateGroup, DeleteGroup	`groups/{group}`
GroupService	BatchGetGroups	`groups/{group}` (repeated)
IdentityProviderService	GetIdentityProvider, UpdateIdentityProvider, DeleteIdentityProvider, TestIdentityProvider	`idps/{idp}`
InstanceService	GetInstance, UpdateInstance, DeleteInstance, UndeleteInstance, SyncInstance, ListInstanceDatabase, AddDataSource, RemoveDataSource, UpdateDataSource	`instances/{instance}`
ProjectService	GetProject, UpdateProject, DeleteProject, UndeleteProject	`projects/{project}`
ProjectService	BatchGetProjects	`projects/{project}` (repeated)
ReviewConfigService	GetReviewConfig, UpdateReviewConfig, DeleteReviewConfig	`reviewConfigs/{reviewConfig}`
RoleService	GetRole, UpdateRole, DeleteRole	`roles/{role}`
SettingService	GetSetting, UpdateSetting	`settings/{setting}`
UserService	GetUser, UpdateUser, DeleteUser, UndeleteUser, UpdateEmail	`users/{user}`
UserService	BatchGetUsers	`users/{user}` (repeated)
ServiceAccountService	GetServiceAccount, UpdateServiceAccount, DeleteServiceAccount, UndeleteServiceAccount	`serviceAccounts/{email}`
WorkloadIdentityService	GetWorkloadIdentity, UpdateWorkloadIdentity, DeleteWorkloadIdentity, UndeleteWorkloadIdentity	`workloadIdentities/{email}`

`projects/{project}` Parent

These APIs are scoped to a project. ACL validates the project belongs to the workspace.

Service	Method	Resource Pattern
AccessGrantService	ListAccessGrants, CreateAccessGrant, SearchMyAccessGrants	parent: `projects/{project}`
AccessGrantService	GetAccessGrant, ActivateAccessGrant, RevokeAccessGrant	name: `projects/{project}/accessGrants/{accessGrant}`
DatabaseGroupService	ListDatabaseGroups, CreateDatabaseGroup	parent: `projects/{project}`
DatabaseGroupService	GetDatabaseGroup, UpdateDatabaseGroup, DeleteDatabaseGroup	name: `projects/{project}/databaseGroups/{databaseGroup}`
IssueService	ListIssues, SearchIssues, CreateIssue, BatchUpdateIssuesStatus	parent: `projects/{project}`
IssueService	GetIssue, UpdateIssue, ApproveIssue, RejectIssue, RequestIssue	name: `projects/{project}/issues/{issue}`
IssueService	ListIssueComments, CreateIssueComment, UpdateIssueComment	parent: `projects/{project}/issues/{issue}`
PlanService	ListPlans, CreatePlan	parent: `projects/{project}`
PlanService	GetPlan, UpdatePlan, RunPlanChecks	name: `projects/{project}/plans/{plan}`
PlanService	GetPlanCheckRun, CancelPlanCheckRun	name: `projects/{project}/plans/{plan}/planCheckRun`
ProjectService	GetIamPolicy, SetIamPolicy	resource: `projects/{project}`
ProjectService	AddWebhook, TestWebhook	project: `projects/{project}`
ProjectService	UpdateWebhook, RemoveWebhook	name: `projects/{project}/webhooks/{webhook}`
ReleaseService	ListReleases, CreateRelease, CheckRelease, ListReleaseCategories	parent: `projects/{project}`
ReleaseService	GetRelease, UpdateRelease, DeleteRelease, UndeleteRelease	name: `projects/{project}/releases/{release}`
RolloutService	ListRollouts	parent: `projects/{project}`
RolloutService	CreateRollout	parent: `projects/{project}/plans/{plan}`
RolloutService	GetRollout	name: `projects/{project}/plans/{plan}/rollout`
RolloutService	BatchRunTasks, BatchSkipTasks	parent: `projects/{project}/plans/{plan}/rollout/stages/{stage}`
RolloutService	ListTaskRuns, BatchCancelTaskRuns	parent: `projects/{project}/plans/{plan}/rollout/stages/{stage}/tasks/{task}`
RolloutService	GetTaskRun, GetTaskRunLog, GetTaskRunSession, PreviewTaskRunRollback	name: `projects/{project}/.../taskRuns/{taskRun}`
SheetService	CreateSheet, BatchCreateSheets	parent: `projects/{project}`
SheetService	GetSheet	name: `projects/{project}/sheets/{sheet}`
WorksheetService	CreateWorksheet, SearchWorksheets	parent: `projects/{project}`
WorksheetService	GetWorksheet, UpdateWorksheet, DeleteWorksheet, UpdateWorksheetOrganizer	name: `projects/{project}/worksheets/{worksheet}`
WorksheetService	BatchUpdateWorksheetOrganizer	workspace-level batch

`instances/{instance}` Parent

Service	Method	Resource Pattern
InstanceRoleService	ListInstanceRoles	parent: `instances/{instance}`

`instances/{instance}/databases/{database}` Parent

These APIs are scoped to a database. ACL looks up the database with workspace filter and resolves to the parent project.

Service	Method	Resource Pattern
DatabaseService	GetDatabase, UpdateDatabase, SyncDatabase	name: `instances/{instance}/databases/{database}`
DatabaseService	GetDatabaseMetadata, GetDatabaseSchema, GetDatabaseSDLSchema, GetSchemaString	name: `instances/{instance}/databases/{database}/...`
DatabaseService	ListChangelogs	parent: `instances/{instance}/databases/{database}`
DatabaseService	GetChangelog, DiffSchema	name: `instances/{instance}/databases/{database}/changelogs/{changelog}`
DatabaseService	BatchUpdateDatabases, BatchSyncDatabases	parent: `instances/{instance}`
DatabaseCatalogService	GetDatabaseCatalog, UpdateDatabaseCatalog	name: `instances/{instance}/databases/{database}/catalog`
RevisionService	ListRevisions, BatchCreateRevisions	parent: `instances/{instance}/databases/{database}`
RevisionService	GetRevision, DeleteRevision	name: `instances/{instance}/databases/{database}/revisions/{revision}`
SQLService	Query, Export, AdminExecute	name: `instances/{instance}/databases/{database}`

Multi-Parent APIs

These APIs accept different parent types depending on the use case.

DatabaseService — ListDatabases / BatchGetDatabases

Accepts multiple parent types:

projects/{project} — list databases in a project
instances/{instance} — list databases in an instance
workspaces/{workspace} — list all databases in a workspace

ServiceAccountService / WorkloadIdentityService — List / Create

Accepts multiple parent types:

projects/{project} — project-scoped accounts
workspaces/{workspace} — workspace-scoped accounts

OrgPolicyService — All Methods

Accepts 5 different parent/name levels:

workspaces/{workspace}/policies/{policy}
projects/{project}/policies/{policy}
environments/{environment}/policies/{policy}
instances/{instance}/policies/{policy}
instances/{instance}/databases/{database}/policies/{policy}

AuditLogService — SearchAuditLogs / ExportAuditLogs

Accepts:

projects/{project} — project-scoped audit logs
No parent — workspace-level audit logs

WorkspaceService — GetIamPolicy / SetIamPolicy

workspaces/{workspace} resource

SQLService — DiffMetadata / AICompletion / SearchQueryHistories

Workspace-level utility methods (no resource parent)

ACL Resource Resolution Summary

The ACL interceptor (populateRawResources) handles these patterns:

workspaces/{id}                    → ResourceTypeWorkspace (direct match)
projects/{id}[/...]                → ResourceTypeProject (extract project ID)
instances/{id}/databases/{name}... → Look up database → ResourceTypeProject (parent project)
instances/{id}[/...]               → Look up instance → ResourceTypeWorkspace
(default)                          → ResourceTypeWorkspace (from context)

All API resource patterns map to one of these ACL cases. No API endpoint bypasses workspace validation (except allow_without_credential methods like Login/Signup).

API Resource Name & Parent Patterns

API Resource Name & Parent Patterns

Pattern Categories

Workspace-Level (No Parent)

Name-Based (Top-Level Resource by Name)

projects/{project} Parent

instances/{instance} Parent

instances/{instance}/databases/{database} Parent

Multi-Parent APIs

DatabaseService — ListDatabases / BatchGetDatabases

ServiceAccountService / WorkloadIdentityService — List / Create

OrgPolicyService — All Methods

AuditLogService — SearchAuditLogs / ExportAuditLogs

WorkspaceService — GetIamPolicy / SetIamPolicy

SQLService — DiffMetadata / AICompletion / SearchQueryHistories

ACL Resource Resolution Summary

`projects/{project}` Parent

`instances/{instance}` Parent

`instances/{instance}/databases/{database}` Parent