When listing the application's capabilities we currently show 'permissions' both for each version, and outside versions altogether: GET .../api/capabilities <capabilities> <permits></permits> <version major="3" minor="1" href="/api/capabilities/332e3133-2e31-332e-3133-2e31332e3133" id="332e3133-2e31-332e-3133-2e31332e3133"> <permits>...</permits> </version> <version major="3" minor="0" href="/api/capabilities/332e3033-2e30-332e-3033-2e30332e3033" id="332e3033-2e30-332e-3033-2e30332e3033"> <permits>...</permits> </version> </capabilities> 1) Permissions should only exist within a version; their current existence outside 'version' is for backwards compatibility only. We assume that no one (except perhaps Automation) uses these non-version-specific permissions these days, and we'd like to remove them. 2) Regarding permissions within a version - Oded brought up that some permissions which are only relevant for 3.1 are listed also under 3.0 (for example, quota related permissions). In order for the API layer to be able to group permissions by version, permission<-->version metadata must exist somewhere. The permissions enum in the engine seems a natural place to put it, as Michael commented. Setting out to do this, I realized that which-permission-belongs-to-which-version is knowledge that I don't have, and don't really know how to get efficiently, and I sort of got stuck because of this. Ideas regarding this issue? Thanks, Ori.