diff --git a/api/external/applications/applications.pb.go b/api/external/applications/applications.pb.go
index 99bbc43d3f4..e63ab3cb5a0 100644
--- a/api/external/applications/applications.pb.go
+++ b/api/external/applications/applications.pb.go
@@ -56,7 +56,7 @@ func (x ServiceStatus) String() string {
 	return proto.EnumName(ServiceStatus_name, int32(x))
 }
 func (ServiceStatus) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{0}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{0}
 }
 
 // The HealthStatus enum matches the habitat implementation for health-check status:
@@ -87,7 +87,7 @@ func (x HealthStatus) String() string {
 	return proto.EnumName(HealthStatus_name, int32(x))
 }
 func (HealthStatus) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{1}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{1}
 }
 
 type ServicesReq struct {
@@ -103,7 +103,7 @@ func (m *ServicesReq) Reset()         { *m = ServicesReq{} }
 func (m *ServicesReq) String() string { return proto.CompactTextString(m) }
 func (*ServicesReq) ProtoMessage()    {}
 func (*ServicesReq) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{0}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{0}
 }
 func (m *ServicesReq) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServicesReq.Unmarshal(m, b)
@@ -158,7 +158,7 @@ func (m *ServicesBySGReq) Reset()         { *m = ServicesBySGReq{} }
 func (m *ServicesBySGReq) String() string { return proto.CompactTextString(m) }
 func (*ServicesBySGReq) ProtoMessage()    {}
 func (*ServicesBySGReq) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{1}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{1}
 }
 func (m *ServicesBySGReq) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServicesBySGReq.Unmarshal(m, b)
@@ -219,7 +219,7 @@ func (m *ServicesBySGRes) Reset()         { *m = ServicesBySGRes{} }
 func (m *ServicesBySGRes) String() string { return proto.CompactTextString(m) }
 func (*ServicesBySGRes) ProtoMessage()    {}
 func (*ServicesBySGRes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{2}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{2}
 }
 func (m *ServicesBySGRes) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServicesBySGRes.Unmarshal(m, b)
@@ -271,7 +271,7 @@ func (m *ServicesRes) Reset()         { *m = ServicesRes{} }
 func (m *ServicesRes) String() string { return proto.CompactTextString(m) }
 func (*ServicesRes) ProtoMessage()    {}
 func (*ServicesRes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{3}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{3}
 }
 func (m *ServicesRes) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServicesRes.Unmarshal(m, b)
@@ -318,7 +318,7 @@ func (m *Service) Reset()         { *m = Service{} }
 func (m *Service) String() string { return proto.CompactTextString(m) }
 func (*Service) ProtoMessage()    {}
 func (*Service) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{4}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{4}
 }
 func (m *Service) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Service.Unmarshal(m, b)
@@ -418,7 +418,7 @@ func (m *ServiceGroupsHealthCountsReq) Reset()         { *m = ServiceGroupsHealt
 func (m *ServiceGroupsHealthCountsReq) String() string { return proto.CompactTextString(m) }
 func (*ServiceGroupsHealthCountsReq) ProtoMessage()    {}
 func (*ServiceGroupsHealthCountsReq) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{5}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{5}
 }
 func (m *ServiceGroupsHealthCountsReq) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServiceGroupsHealthCountsReq.Unmarshal(m, b)
@@ -451,7 +451,7 @@ func (m *ServiceGroupsReq) Reset()         { *m = ServiceGroupsReq{} }
 func (m *ServiceGroupsReq) String() string { return proto.CompactTextString(m) }
 func (*ServiceGroupsReq) ProtoMessage()    {}
 func (*ServiceGroupsReq) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{6}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{6}
 }
 func (m *ServiceGroupsReq) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServiceGroupsReq.Unmarshal(m, b)
@@ -515,7 +515,7 @@ func (m *ServiceGroup) Reset()         { *m = ServiceGroup{} }
 func (m *ServiceGroup) String() string { return proto.CompactTextString(m) }
 func (*ServiceGroup) ProtoMessage()    {}
 func (*ServiceGroup) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{7}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{7}
 }
 func (m *ServiceGroup) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServiceGroup.Unmarshal(m, b)
@@ -606,7 +606,7 @@ func (m *HealthCounts) Reset()         { *m = HealthCounts{} }
 func (m *HealthCounts) String() string { return proto.CompactTextString(m) }
 func (*HealthCounts) ProtoMessage()    {}
 func (*HealthCounts) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{8}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{8}
 }
 func (m *HealthCounts) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_HealthCounts.Unmarshal(m, b)
@@ -679,7 +679,7 @@ func (m *PackageIdent) Reset()         { *m = PackageIdent{} }
 func (m *PackageIdent) String() string { return proto.CompactTextString(m) }
 func (*PackageIdent) ProtoMessage()    {}
 func (*PackageIdent) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{9}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{9}
 }
 func (m *PackageIdent) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_PackageIdent.Unmarshal(m, b)
@@ -738,7 +738,7 @@ func (m *ServiceGroups) Reset()         { *m = ServiceGroups{} }
 func (m *ServiceGroups) String() string { return proto.CompactTextString(m) }
 func (*ServiceGroups) ProtoMessage()    {}
 func (*ServiceGroups) Descriptor() ([]byte, []int) {
-	return fileDescriptor_applications_7f567d19e862e844, []int{10}
+	return fileDescriptor_applications_e70a6f38a053c99d, []int{10}
 }
 func (m *ServiceGroups) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ServiceGroups.Unmarshal(m, b)
@@ -986,84 +986,84 @@ var _ApplicationsService_serviceDesc = grpc.ServiceDesc{
 }
 
 func init() {
-	proto.RegisterFile("api/external/applications/applications.proto", fileDescriptor_applications_7f567d19e862e844)
+	proto.RegisterFile("api/external/applications/applications.proto", fileDescriptor_applications_e70a6f38a053c99d)
 }
 
-var fileDescriptor_applications_7f567d19e862e844 = []byte{
-	// 1195 bytes of a gzipped FileDescriptorProto
+var fileDescriptor_applications_e70a6f38a053c99d = []byte{
+	// 1197 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x57, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xef, 0xae, 0xe3, 0x7f, 0x63, 0x3b, 0x75, 0x87, 0x28, 0x5a, 0xdc, 0x50, 0xcc, 0xf6, 0x40,
-	0x48, 0x63, 0x2f, 0x84, 0x88, 0x43, 0x84, 0x10, 0x69, 0x52, 0x19, 0xd3, 0xc8, 0x89, 0xd6, 0x2d,
-	0x15, 0x95, 0x90, 0x35, 0x59, 0x8f, 0xd7, 0xa3, 0xd8, 0x33, 0x9b, 0x9d, 0x71, 0xda, 0x08, 0x71,
-	0x20, 0xe2, 0x94, 0x2b, 0x1f, 0x80, 0x2f, 0x81, 0x0f, 0x7c, 0x03, 0x8e, 0x08, 0xbe, 0x01, 0x42,
-	0xe2, 0xc4, 0x91, 0x1b, 0x12, 0x68, 0x76, 0x67, 0x9d, 0xdd, 0x24, 0x6e, 0xe2, 0x96, 0x03, 0x9c,
-	0x76, 0xdf, 0x9b, 0xf7, 0xef, 0xf7, 0xe6, 0x37, 0x6f, 0x67, 0xc1, 0x2a, 0xf2, 0x88, 0x85, 0x9f,
-	0x0b, 0xec, 0x53, 0x34, 0xb0, 0x90, 0xe7, 0x0d, 0x88, 0x83, 0x04, 0x61, 0x94, 0x27, 0x84, 0xba,
-	0xe7, 0x33, 0xc1, 0xe0, 0x1d, 0xa7, 0x8f, 0x7b, 0x75, 0x34, 0x12, 0x6c, 0x88, 0x04, 0xae, 0x23,
-	0x8f, 0xd4, 0xe3, 0x56, 0x95, 0x25, 0x97, 0x31, 0x77, 0x80, 0x2d, 0x19, 0x14, 0x51, 0xca, 0x44,
-	0xdc, 0xbb, 0xf2, 0x4e, 0x22, 0x97, 0xc3, 0x86, 0x43, 0x46, 0xad, 0x23, 0xec, 0x73, 0x72, 0xf6,
-	0x54, 0xa6, 0x1f, 0x3b, 0x6c, 0xe8, 0x31, 0x8a, 0xa9, 0xe0, 0x56, 0x94, 0xae, 0xe6, 0xfa, 0x9e,
-	0x63, 0x05, 0xeb, 0x4e, 0xcd, 0xc5, 0xb4, 0xe6, 0xb1, 0x01, 0x71, 0x8e, 0xa7, 0x24, 0x9b, 0x25,
-	0x02, 0x41, 0xc3, 0x4b, 0x22, 0xac, 0x5c, 0x56, 0xee, 0xe1, 0x08, 0xfb, 0xc7, 0x96, 0x87, 0x7c,
-	0x34, 0xc4, 0x02, 0xfb, 0xca, 0xd6, 0xfc, 0x5e, 0x03, 0x85, 0x36, 0xf6, 0x8f, 0x88, 0x83, 0xb9,
-	0x8d, 0x0f, 0xe1, 0x22, 0xc8, 0xf4, 0xc8, 0x40, 0x60, 0xdf, 0xd0, 0xaa, 0xa9, 0xe5, 0xbc, 0xad,
-	0x24, 0xf8, 0x29, 0x00, 0x1e, 0x72, 0x09, 0x0d, 0x12, 0x19, 0x7a, 0x55, 0x5b, 0x2e, 0xac, 0xad,
-	0xd4, 0x2f, 0x76, 0x35, 0xcc, 0x56, 0x0f, 0xb2, 0xd5, 0xf7, 0x26, 0x1e, 0x76, 0xcc, 0x1b, 0x6e,
-	0x82, 0x2c, 0x67, 0xbe, 0x20, 0xd4, 0x35, 0x52, 0x41, 0xa0, 0xb7, 0xaf, 0x0a, 0xd4, 0x0e, 0xcd,
-	0xed, 0xc8, 0xcf, 0xfc, 0x55, 0x03, 0x37, 0xa3, 0xb2, 0xef, 0x1f, 0xb7, 0x1b, 0xb2, 0xf4, 0x65,
-	0x50, 0xe6, 0xa1, 0xaa, 0xe3, 0xfa, 0x6c, 0xe4, 0x75, 0x48, 0xd7, 0xd0, 0xaa, 0xda, 0x72, 0xda,
-	0x9e, 0x57, 0xfa, 0x86, 0x54, 0x37, 0xbb, 0xff, 0x31, 0x30, 0xb2, 0xe7, 0x7d, 0x8c, 0x06, 0xa2,
-	0x6f, 0xcc, 0x55, 0x35, 0xd9, 0xf3, 0x50, 0x32, 0x7f, 0xba, 0x00, 0x92, 0xc3, 0x05, 0x90, 0x0e,
-	0xc0, 0x05, 0xc8, 0xf2, 0x76, 0x28, 0xc0, 0x2d, 0x90, 0x53, 0x10, 0xb9, 0xa1, 0x57, 0x53, 0x53,
-	0xaa, 0x48, 0x9c, 0x0b, 0x15, 0xd8, 0x9e, 0x38, 0xc2, 0x7d, 0xb0, 0x18, 0xbd, 0x77, 0xc2, 0x0a,
-	0x3a, 0x0e, 0x1b, 0x51, 0xc1, 0x15, 0xb0, 0xd5, 0xab, 0x42, 0x7e, 0x12, 0x38, 0x6d, 0x05, 0x3e,
-	0xf6, 0x42, 0x14, 0x2b, 0xae, 0x35, 0xed, 0x38, 0xdb, 0x78, 0xa2, 0x6e, 0xed, 0x25, 0xeb, 0x36,
-	0xff, 0xd2, 0x41, 0x56, 0x69, 0xe1, 0x5d, 0x50, 0xe2, 0x23, 0x4f, 0x0a, 0x9c, 0xf9, 0x11, 0x01,
-	0xf2, 0x76, 0xf1, 0x4c, 0xd9, 0xec, 0x42, 0x03, 0x64, 0x7d, 0x3c, 0xc0, 0x88, 0xe3, 0x60, 0xef,
-	0xf3, 0x76, 0x24, 0x9e, 0x75, 0x37, 0x15, 0xef, 0xee, 0x2e, 0x28, 0x46, 0xfd, 0xe8, 0x63, 0xe7,
-	0x20, 0xd8, 0xa5, 0xf9, 0xeb, 0xb6, 0xa3, 0x2d, 0x90, 0x18, 0x71, 0xbb, 0x10, 0x46, 0xd8, 0x92,
-	0x01, 0xe0, 0x03, 0x90, 0xe1, 0x81, 0xda, 0x48, 0x07, 0xa1, 0x6a, 0xd7, 0x04, 0xad, 0x62, 0x29,
-	0x67, 0x58, 0x05, 0x85, 0x98, 0x95, 0x91, 0x09, 0x6a, 0x8e, 0xab, 0xa4, 0x05, 0xa6, 0x47, 0xc4,
-	0x67, 0x74, 0x88, 0xa9, 0x30, 0xb2, 0xa1, 0x45, 0x4c, 0x05, 0x21, 0x98, 0xeb, 0x1d, 0x76, 0xa9,
-	0x91, 0x0b, 0x96, 0x82, 0x77, 0xd9, 0x1f, 0xa7, 0x8f, 0x28, 0xc5, 0x03, 0x23, 0x1f, 0xf6, 0x47,
-	0x89, 0xd2, 0x9a, 0x13, 0x81, 0x8d, 0x5b, 0xa1, 0xb5, 0x7c, 0x37, 0xef, 0x80, 0xa5, 0x76, 0xec,
-	0x78, 0x25, 0xf6, 0xdb, 0xc6, 0x87, 0xe6, 0x0f, 0x1a, 0x28, 0x27, 0x0c, 0xfe, 0x47, 0x63, 0xe6,
-	0x77, 0x1d, 0x14, 0xe3, 0xb5, 0xcb, 0x06, 0x50, 0x34, 0xc4, 0x8a, 0x56, 0xc1, 0xfb, 0x0b, 0xe8,
-	0xb4, 0x3d, 0xd9, 0xe7, 0xd4, 0x4b, 0x50, 0x26, 0xda, 0xe6, 0x7b, 0xe0, 0x96, 0xa2, 0x9f, 0x87,
-	0x7d, 0x07, 0x53, 0x81, 0x5c, 0x1c, 0x70, 0x30, 0x6d, 0x97, 0xc3, 0x85, 0xbd, 0x89, 0xfe, 0x05,
-	0x87, 0x38, 0xfd, 0x6f, 0x1d, 0x62, 0x38, 0x0f, 0x74, 0xd2, 0x55, 0x74, 0xd3, 0x49, 0xf7, 0x3c,
-	0x0f, 0xb3, 0x57, 0xf2, 0x30, 0x77, 0x81, 0x87, 0xe6, 0x37, 0x1a, 0x28, 0x26, 0x92, 0x2c, 0x80,
-	0xb4, 0x60, 0x02, 0x0d, 0xd4, 0x08, 0x0f, 0x05, 0x99, 0x9a, 0x1d, 0x04, 0x6d, 0x4e, 0xdb, 0x3a,
-	0x3b, 0x90, 0xbd, 0x7f, 0x86, 0x7c, 0x1a, 0xed, 0x71, 0xda, 0x8e, 0x44, 0x58, 0x01, 0x39, 0xc7,
-	0x27, 0x82, 0x38, 0x68, 0xa0, 0x9a, 0x35, 0x91, 0xa5, 0xd7, 0x88, 0x1e, 0x50, 0xf6, 0x8c, 0x06,
-	0x5d, 0x49, 0xdb, 0x91, 0x68, 0x52, 0x50, 0xdc, 0x43, 0xce, 0x01, 0x72, 0x71, 0xb3, 0x2b, 0x8f,
-	0xc7, 0x22, 0xc8, 0x30, 0x9f, 0xb8, 0x84, 0xaa, 0x1d, 0x57, 0xd2, 0x84, 0x07, 0x7a, 0x92, 0x07,
-	0xea, 0x2e, 0xa0, 0xc6, 0x47, 0x24, 0xc6, 0x19, 0x32, 0x97, 0x60, 0x88, 0xd9, 0x05, 0xa5, 0xc4,
-	0xd9, 0x80, 0x6d, 0x30, 0x9f, 0xf8, 0x88, 0x45, 0x73, 0x71, 0xf5, 0x9a, 0x23, 0x22, 0x08, 0x63,
-	0x97, 0xe2, 0x1f, 0x3c, 0xbe, 0xd2, 0x98, 0x64, 0x09, 0xa9, 0x05, 0x0b, 0x20, 0x6b, 0x3f, 0x6e,
-	0xb5, 0x9a, 0xad, 0x46, 0xf9, 0x06, 0x2c, 0x83, 0x62, 0xb3, 0xd5, 0x7c, 0xd4, 0xdc, 0xdc, 0x69,
-	0x3e, 0x95, 0x1a, 0x0d, 0x96, 0x40, 0x7e, 0xfb, 0xc1, 0xde, 0xce, 0xee, 0xe7, 0x52, 0xd4, 0x61,
-	0x0e, 0xcc, 0x6d, 0xef, 0x3e, 0x69, 0x95, 0x53, 0x2b, 0x1f, 0x45, 0x9b, 0xa4, 0xe2, 0x64, 0x80,
-	0xbe, 0xfb, 0xb0, 0x7c, 0x43, 0xc6, 0x7b, 0xb2, 0x69, 0xb7, 0x42, 0xef, 0x22, 0xc8, 0x6d, 0xd9,
-	0xcd, 0x47, 0xcd, 0xad, 0xcd, 0x9d, 0xb2, 0x2e, 0x97, 0x1e, 0xb7, 0x1e, 0xb6, 0x02, 0xff, 0xb5,
-	0xef, 0xf2, 0xe0, 0xb5, 0xcd, 0x58, 0xd5, 0xd1, 0xd8, 0xfe, 0x59, 0x03, 0xe5, 0x06, 0x16, 0xc9,
-	0x56, 0xbc, 0x3b, 0x0b, 0x64, 0x39, 0x55, 0x2a, 0xb5, 0x99, 0x3c, 0xcc, 0x2f, 0x4e, 0xc6, 0x46,
-	0x09, 0xa4, 0x29, 0xeb, 0x62, 0x0e, 0xe7, 0x06, 0x84, 0x8b, 0xd3, 0xb1, 0xf1, 0x26, 0x28, 0x10,
-	0xda, 0xf3, 0xd1, 0x46, 0xa8, 0x2e, 0xc7, 0x84, 0x0d, 0x69, 0x72, 0xf2, 0xcb, 0x6f, 0xdf, 0xea,
-	0x77, 0xe1, 0x5b, 0xd6, 0x3e, 0x16, 0x28, 0x79, 0xef, 0x54, 0x4d, 0xaf, 0x85, 0x1b, 0x07, 0xff,
-	0xd6, 0xc0, 0xd2, 0x79, 0x50, 0x09, 0x8a, 0x7f, 0x38, 0x53, 0xb9, 0xe7, 0xe6, 0x6a, 0x65, 0xa6,
-	0x93, 0x6c, 0xf2, 0x93, 0xb1, 0x91, 0x55, 0x58, 0x4f, 0xc6, 0x46, 0x66, 0x82, 0xb7, 0x94, 0xc0,
-	0x7b, 0x3a, 0x36, 0xe0, 0x14, 0xcc, 0xef, 0x41, 0x6b, 0x3a, 0x66, 0x45, 0xd6, 0xe4, 0xc8, 0x81,
-	0x3f, 0x6a, 0xa0, 0x70, 0xd6, 0x01, 0x0e, 0xef, 0x5d, 0x13, 0x70, 0x80, 0x6f, 0x06, 0x63, 0x6e,
-	0x76, 0x5e, 0x19, 0xde, 0x1b, 0xf0, 0xf6, 0x74, 0x78, 0x1c, 0xfe, 0xa1, 0x81, 0x9b, 0x31, 0x28,
-	0xf2, 0x3a, 0x06, 0xad, 0xeb, 0x56, 0xa8, 0x6e, 0xa8, 0x95, 0x19, 0x1d, 0xb8, 0xf9, 0xfc, 0x95,
-	0x61, 0x7d, 0x00, 0xd7, 0xaf, 0x64, 0xaa, 0xf5, 0xe5, 0xf9, 0x7b, 0xf3, 0x57, 0xf0, 0x4f, 0x0d,
-	0x80, 0x06, 0x16, 0x9f, 0xa9, 0x09, 0xb6, 0x3e, 0xfd, 0xd3, 0x19, 0xfd, 0xff, 0x28, 0xd3, 0x26,
-	0xed, 0x31, 0x1b, 0x1f, 0x8e, 0x30, 0x17, 0x97, 0x9e, 0xc7, 0xe9, 0x5e, 0xe6, 0xd7, 0xda, 0xc9,
-	0xd8, 0x58, 0x04, 0xd1, 0x47, 0xa7, 0x43, 0x68, 0x8f, 0x6d, 0x28, 0xc3, 0x10, 0xbd, 0x8f, 0x51,
-	0xf7, 0x74, 0x6c, 0x18, 0x60, 0x91, 0x1f, 0x73, 0x81, 0x87, 0x1b, 0xca, 0x34, 0xb2, 0x3a, 0x1d,
-	0x1b, 0xb7, 0xe1, 0xeb, 0xc9, 0x35, 0x95, 0x61, 0xc3, 0xc5, 0x61, 0x47, 0x96, 0x60, 0xe5, 0x92,
-	0x8e, 0xa8, 0x00, 0xf7, 0xd7, 0x9f, 0xae, 0xb9, 0x44, 0xf4, 0x47, 0xfb, 0xb2, 0x50, 0x4b, 0x96,
-	0x3f, 0xf9, 0x09, 0xb3, 0xa6, 0xfe, 0x71, 0xee, 0x67, 0x82, 0x9f, 0xa9, 0xf7, 0xff, 0x09, 0x00,
-	0x00, 0xff, 0xff, 0x4a, 0x48, 0xf4, 0xd7, 0x95, 0x0e, 0x00, 0x00,
+	0x14, 0xef, 0xae, 0xe3, 0x7f, 0x63, 0x27, 0x75, 0x87, 0x2a, 0x5a, 0xdc, 0x50, 0xdc, 0xed, 0x81,
+	0x90, 0xc6, 0x5e, 0x08, 0x11, 0x87, 0x08, 0x10, 0x69, 0x52, 0x19, 0xd3, 0xc8, 0x89, 0xd6, 0x2d,
+	0x15, 0xbd, 0x44, 0x93, 0xf5, 0x64, 0xbd, 0x8a, 0x3d, 0xb3, 0xd9, 0x19, 0xa7, 0x44, 0x88, 0x03,
+	0x51, 0xc5, 0x21, 0x57, 0xc4, 0x85, 0x0b, 0x47, 0xbe, 0x00, 0x3e, 0x70, 0xe2, 0x2b, 0x20, 0xf1,
+	0x0d, 0x10, 0x12, 0x57, 0x2e, 0x5c, 0x10, 0x07, 0x34, 0xb3, 0xb3, 0xce, 0xae, 0x13, 0x27, 0x76,
+	0x85, 0x2a, 0x38, 0xed, 0xbe, 0x37, 0xef, 0xfd, 0xde, 0x7b, 0xbf, 0x79, 0xf3, 0x76, 0x16, 0x2c,
+	0x23, 0xdf, 0xb3, 0xf0, 0x67, 0x1c, 0x07, 0x04, 0x75, 0x2d, 0xe4, 0xfb, 0x5d, 0xcf, 0x41, 0xdc,
+	0xa3, 0x84, 0x25, 0x84, 0x9a, 0x1f, 0x50, 0x4e, 0xe1, 0x6d, 0xa7, 0x83, 0xf7, 0x6b, 0xa8, 0xcf,
+	0x69, 0x0f, 0x71, 0x5c, 0x43, 0xbe, 0x57, 0x8b, 0x5b, 0x95, 0x17, 0x5c, 0x4a, 0xdd, 0x2e, 0xb6,
+	0x04, 0x28, 0x22, 0x84, 0xf2, 0xb8, 0x77, 0xf9, 0xcd, 0x44, 0x2c, 0x87, 0xf6, 0x7a, 0x94, 0x58,
+	0x47, 0x38, 0x60, 0xde, 0xd9, 0x53, 0x99, 0x7e, 0xe8, 0xd0, 0x9e, 0x4f, 0x09, 0x26, 0x9c, 0x59,
+	0x51, 0xb8, 0xaa, 0x1b, 0xf8, 0x8e, 0x25, 0xd7, 0x9d, 0xaa, 0x8b, 0x49, 0xd5, 0xa7, 0x5d, 0xcf,
+	0x39, 0x1e, 0x13, 0x6c, 0x1a, 0x04, 0x0f, 0xf5, 0x2e, 0x40, 0x58, 0xba, 0x28, 0xdd, 0xc3, 0x3e,
+	0x0e, 0x8e, 0x2d, 0x1f, 0x05, 0xa8, 0x87, 0x39, 0x0e, 0x94, 0xad, 0xf9, 0x83, 0x06, 0x0a, 0x2d,
+	0x1c, 0x1c, 0x79, 0x0e, 0x66, 0x36, 0x3e, 0x84, 0xf3, 0x20, 0xb3, 0xef, 0x75, 0x39, 0x0e, 0x0c,
+	0xad, 0x92, 0x5a, 0xcc, 0xdb, 0x4a, 0x82, 0x1f, 0x03, 0xe0, 0x23, 0xd7, 0x23, 0x32, 0x90, 0xa1,
+	0x57, 0xb4, 0xc5, 0xc2, 0xca, 0x52, 0xed, 0x3c, 0xab, 0x61, 0xb4, 0x9a, 0x8c, 0x56, 0xdb, 0x19,
+	0x7a, 0xd8, 0x31, 0x6f, 0xb8, 0x0e, 0xb2, 0x8c, 0x06, 0xdc, 0x23, 0xae, 0x91, 0x92, 0x40, 0x6f,
+	0x5c, 0x05, 0xd4, 0x0a, 0xcd, 0xed, 0xc8, 0xcf, 0xfc, 0x55, 0x03, 0xd7, 0xa3, 0xb4, 0xef, 0x1f,
+	0xb7, 0xea, 0x22, 0xf5, 0x45, 0x50, 0x62, 0xa1, 0x6a, 0xd7, 0x0d, 0x68, 0xdf, 0xdf, 0xf5, 0xda,
+	0x86, 0x56, 0xd1, 0x16, 0xd3, 0xf6, 0x9c, 0xd2, 0xd7, 0x85, 0xba, 0xd1, 0xfe, 0x8f, 0x15, 0x23,
+	0x38, 0xef, 0x60, 0xd4, 0xe5, 0x1d, 0x63, 0xa6, 0xa2, 0x09, 0xce, 0x43, 0xc9, 0xfc, 0xf9, 0x5c,
+	0x91, 0x0c, 0xde, 0x04, 0x69, 0x59, 0x9c, 0xac, 0x2c, 0x6f, 0x87, 0x02, 0xdc, 0x00, 0x39, 0x55,
+	0x22, 0x33, 0xf4, 0x4a, 0x6a, 0x4c, 0x16, 0x89, 0x73, 0xa1, 0x80, 0xed, 0xa1, 0x23, 0xdc, 0x03,
+	0xf3, 0xd1, 0xfb, 0x6e, 0x98, 0xc1, 0xae, 0x43, 0xfb, 0x84, 0x33, 0x55, 0xd8, 0xf2, 0x55, 0x90,
+	0x1f, 0x49, 0xa7, 0x0d, 0xe9, 0x63, 0xdf, 0x8c, 0xb0, 0xe2, 0x5a, 0xd3, 0x8e, 0x77, 0x1b, 0x4b,
+	0xe4, 0xad, 0xbd, 0x60, 0xde, 0xe6, 0xdf, 0x3a, 0xc8, 0x2a, 0x2d, 0xbc, 0x0b, 0x66, 0x59, 0xdf,
+	0x17, 0x02, 0xa3, 0x41, 0xd4, 0x00, 0x79, 0xbb, 0x78, 0xa6, 0x6c, 0xb4, 0xa1, 0x01, 0xb2, 0x01,
+	0xee, 0x62, 0xc4, 0xb0, 0xdc, 0xfb, 0xbc, 0x1d, 0x89, 0x67, 0xec, 0xa6, 0xe2, 0xec, 0x6e, 0x83,
+	0x62, 0xc4, 0x47, 0x07, 0x3b, 0x07, 0x72, 0x97, 0xe6, 0x26, 0xa5, 0xa3, 0xc5, 0x11, 0xef, 0x33,
+	0xbb, 0x10, 0x22, 0x6c, 0x08, 0x00, 0xf8, 0x00, 0x64, 0x98, 0x54, 0x1b, 0x69, 0x09, 0x55, 0x9d,
+	0xb0, 0x68, 0x85, 0xa5, 0x9c, 0x61, 0x05, 0x14, 0x62, 0x56, 0x46, 0x46, 0xe6, 0x1c, 0x57, 0x09,
+	0x0b, 0x4c, 0x8e, 0xbc, 0x80, 0x92, 0x1e, 0x26, 0xdc, 0xc8, 0x86, 0x16, 0x31, 0x15, 0x84, 0x60,
+	0x66, 0xff, 0xb0, 0x4d, 0x8c, 0x9c, 0x5c, 0x92, 0xef, 0x82, 0x1f, 0xa7, 0x83, 0x08, 0xc1, 0x5d,
+	0x23, 0x1f, 0xf2, 0xa3, 0x44, 0x61, 0xcd, 0x3c, 0x8e, 0x8d, 0x1b, 0xa1, 0xb5, 0x78, 0x37, 0x6f,
+	0x83, 0x85, 0x56, 0xec, 0x78, 0x25, 0xf6, 0xdb, 0xc6, 0x87, 0xe6, 0x8f, 0x1a, 0x28, 0x25, 0x0c,
+	0xfe, 0x47, 0x63, 0xe6, 0x77, 0x1d, 0x14, 0xe3, 0xb9, 0x0b, 0x02, 0x08, 0xea, 0x61, 0xd5, 0x56,
+	0xf2, 0xfd, 0x92, 0x76, 0xda, 0x1c, 0xee, 0x73, 0xea, 0x05, 0x5a, 0x26, 0xda, 0xe6, 0x7b, 0xe0,
+	0x86, 0x6a, 0x3f, 0x1f, 0x07, 0x0e, 0x26, 0x1c, 0xb9, 0x58, 0xf6, 0x60, 0xda, 0x2e, 0x85, 0x0b,
+	0x3b, 0x43, 0xfd, 0x25, 0x87, 0x38, 0xfd, 0x6f, 0x1d, 0x62, 0x38, 0x07, 0x74, 0xaf, 0xad, 0xda,
+	0x4d, 0xf7, 0xda, 0xa3, 0x7d, 0x98, 0xbd, 0xb2, 0x0f, 0x73, 0xe7, 0xfa, 0xd0, 0x7c, 0xae, 0x81,
+	0x62, 0x22, 0xc8, 0x4d, 0x90, 0xe6, 0x94, 0xa3, 0xae, 0x1a, 0xe1, 0xa1, 0x20, 0x42, 0xd3, 0x03,
+	0x49, 0x73, 0xda, 0xd6, 0xe9, 0x81, 0xe0, 0xfe, 0x19, 0x0a, 0x48, 0xb4, 0xc7, 0x69, 0x3b, 0x12,
+	0x61, 0x19, 0xe4, 0x9c, 0xc0, 0xe3, 0x9e, 0x83, 0xba, 0x8a, 0xac, 0xa1, 0x2c, 0xbc, 0xfa, 0xe4,
+	0x80, 0xd0, 0x67, 0x44, 0xb2, 0x92, 0xb6, 0x23, 0xd1, 0x24, 0xa0, 0xb8, 0x83, 0x9c, 0x03, 0xe4,
+	0xe2, 0x46, 0x5b, 0x1c, 0x8f, 0x79, 0x90, 0xa1, 0x81, 0xe7, 0x7a, 0x44, 0xed, 0xb8, 0x92, 0x86,
+	0x7d, 0xa0, 0x27, 0xfb, 0x40, 0xdd, 0x05, 0xd4, 0xf8, 0x88, 0xc4, 0x78, 0x87, 0xcc, 0x24, 0x3a,
+	0xc4, 0x6c, 0x83, 0xd9, 0xc4, 0xd9, 0x80, 0x2d, 0x30, 0x97, 0xf8, 0x88, 0x45, 0x73, 0x71, 0x79,
+	0xc2, 0x11, 0x21, 0x61, 0xec, 0xd9, 0xf8, 0x07, 0x8f, 0x2d, 0xd5, 0x87, 0x51, 0xc2, 0xd6, 0x82,
+	0x05, 0x90, 0xb5, 0x1f, 0x37, 0x9b, 0x8d, 0x66, 0xbd, 0x74, 0x0d, 0x96, 0x40, 0xb1, 0xd1, 0x6c,
+	0x3c, 0x6a, 0xac, 0x6f, 0x35, 0x9e, 0x0a, 0x8d, 0x06, 0x67, 0x41, 0x7e, 0xf3, 0xc1, 0xce, 0xd6,
+	0xf6, 0xa7, 0x42, 0xd4, 0x61, 0x0e, 0xcc, 0x6c, 0x6e, 0x3f, 0x69, 0x96, 0x52, 0x4b, 0x1f, 0x44,
+	0x9b, 0xa4, 0x70, 0x32, 0x40, 0xdf, 0x7e, 0x58, 0xba, 0x26, 0xf0, 0x9e, 0xac, 0xdb, 0xcd, 0xd0,
+	0xbb, 0x08, 0x72, 0x1b, 0x76, 0xe3, 0x51, 0x63, 0x63, 0x7d, 0xab, 0xa4, 0x8b, 0xa5, 0xc7, 0xcd,
+	0x87, 0x4d, 0xe9, 0xbf, 0xf2, 0x13, 0x00, 0xaf, 0xac, 0xc7, 0xb2, 0x8e, 0xc6, 0xf6, 0x5f, 0x1a,
+	0x28, 0xd5, 0x31, 0x4f, 0x52, 0xf1, 0xd6, 0x34, 0x25, 0x8b, 0xa9, 0x52, 0xae, 0x4e, 0xe5, 0x61,
+	0x3e, 0xd7, 0x4e, 0x06, 0xc6, 0xfc, 0x28, 0xe1, 0x70, 0xa6, 0xeb, 0x31, 0x7e, 0x3a, 0x30, 0xde,
+	0x07, 0xe5, 0xb8, 0xf3, 0x5a, 0x82, 0x53, 0xf8, 0xfa, 0xf8, 0xb5, 0x35, 0x01, 0x70, 0xf2, 0xcb,
+	0x6f, 0x5f, 0xeb, 0x77, 0xe1, 0x1d, 0x6b, 0x0f, 0x73, 0x94, 0xbc, 0x9f, 0x2a, 0xe3, 0xaa, 0x8a,
+	0xf7, 0xbd, 0x0e, 0x16, 0x46, 0x8b, 0x4f, 0x1c, 0x85, 0xf7, 0xa6, 0x2a, 0x6b, 0x64, 0xfe, 0x96,
+	0xa7, 0x3a, 0xf1, 0xe6, 0xb7, 0x82, 0x93, 0xd2, 0x28, 0x27, 0x27, 0x03, 0x23, 0x33, 0xe4, 0x65,
+	0xe1, 0x32, 0x5e, 0x4e, 0x07, 0xc6, 0x9d, 0xc9, 0xb8, 0x79, 0x1b, 0x5a, 0xe3, 0xb9, 0x51, 0x71,
+	0x93, 0x23, 0x0c, 0xfe, 0xa1, 0x81, 0xc2, 0x19, 0x53, 0x0c, 0xde, 0x9b, 0x90, 0x18, 0xc9, 0xc3,
+	0x14, 0xc6, 0xcc, 0xfc, 0xea, 0xa5, 0xd1, 0xf0, 0x1a, 0xbc, 0x35, 0x9e, 0x06, 0x06, 0xbf, 0xd1,
+	0xc1, 0xf5, 0x58, 0xc9, 0xe2, 0x1a, 0x08, 0xad, 0x49, 0x2b, 0x51, 0x37, 0xe3, 0xf2, 0x94, 0x0e,
+	0xcc, 0xfc, 0xee, 0xa5, 0x95, 0xff, 0x2e, 0x5c, 0xbd, 0xf2, 0x84, 0x58, 0x9f, 0x8f, 0xde, 0xeb,
+	0xbf, 0x80, 0x7f, 0x6a, 0x00, 0xd4, 0x31, 0xff, 0x44, 0x4d, 0xd8, 0xd5, 0xf1, 0x9f, 0xf6, 0xe8,
+	0xff, 0x4c, 0x99, 0x36, 0xc8, 0x3e, 0xb5, 0xf1, 0x61, 0x1f, 0x33, 0x7e, 0xe1, 0xbc, 0x18, 0xef,
+	0x65, 0x7e, 0x19, 0xce, 0x8b, 0xe8, 0xa3, 0xb8, 0xeb, 0x91, 0x7d, 0xba, 0xa6, 0x0c, 0x43, 0x6e,
+	0x02, 0x8c, 0xda, 0xa7, 0x03, 0xc3, 0x00, 0xf3, 0xec, 0x98, 0x71, 0xdc, 0x8b, 0xaa, 0x8e, 0xac,
+	0x4e, 0x07, 0xc6, 0x2d, 0xf8, 0x6a, 0x72, 0x4d, 0x45, 0x58, 0x73, 0x71, 0xc8, 0xc8, 0x02, 0x2c,
+	0x5f, 0xc0, 0x88, 0x02, 0xb8, 0xbf, 0xfa, 0x74, 0xc5, 0xf5, 0x78, 0xa7, 0xbf, 0x27, 0x12, 0xb5,
+	0x44, 0xfa, 0xc3, 0x9f, 0x44, 0x6b, 0xec, 0x1f, 0xf1, 0x5e, 0x46, 0xfe, 0xec, 0xbd, 0xf3, 0x4f,
+	0x00, 0x00, 0x00, 0xff, 0xff, 0x7c, 0x73, 0xf2, 0x73, 0x35, 0x0f, 0x00, 0x00,
 }
diff --git a/api/external/applications/applications.pb.policy-v1.go b/api/external/applications/applications.pb.policy-v1.go
index 86e8547ca1a..c57bd40169e 100644
--- a/api/external/applications/applications.pb.policy-v1.go
+++ b/api/external/applications/applications.pb.policy-v1.go
@@ -6,16 +6,16 @@ package applications
 import policy "github.com/chef/automate/components/automate-gateway/api/authz/policy"
 
 func init() {
-	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroups", "nodes", "list", "GET", "/beta/applications/service-groups", func(unexpandedResource string, input interface{}) string {
+	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroups", "service_groups", "list", "GET", "/beta/applications/service-groups", func(unexpandedResource string, input interface{}) string {
 		return unexpandedResource
 	})
-	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroupsHealthCounts", "nodes", "list", "GET", "/beta/applications/service_groups_health_counts", func(unexpandedResource string, input interface{}) string {
+	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroupsHealthCounts", "service_groups", "list", "GET", "/beta/applications/service_groups_health_counts", func(unexpandedResource string, input interface{}) string {
 		return unexpandedResource
 	})
-	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServices", "nodes", "list", "GET", "/beta/applications/services", func(unexpandedResource string, input interface{}) string {
+	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServices", "service_groups", "list", "GET", "/beta/applications/services", func(unexpandedResource string, input interface{}) string {
 		return unexpandedResource
 	})
-	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServicesBySG", "nodes", "list", "GET", "/beta/applications/service-groups/{service_group_id}", func(unexpandedResource string, input interface{}) string {
+	policy.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServicesBySG", "service_groups", "list", "GET", "/beta/applications/service-groups/{service_group_id}", func(unexpandedResource string, input interface{}) string {
 		if m, ok := input.(*ServicesBySGReq); ok {
 			return policy.ExpandParameterizedResource(unexpandedResource, func(want string) string {
 				switch want {
diff --git a/api/external/applications/applications.pb.policy-v2.go b/api/external/applications/applications.pb.policy-v2.go
index 1cfb4a87174..34223f01512 100644
--- a/api/external/applications/applications.pb.policy-v2.go
+++ b/api/external/applications/applications.pb.policy-v2.go
@@ -6,16 +6,16 @@ package applications
 import policyv2 "github.com/chef/automate/components/automate-gateway/authz/policy_v2"
 
 func init() {
-	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroups", "infra:nodes", "infra:nodes:list", "GET", "/beta/applications/service-groups", func(unexpandedResource string, input interface{}) string {
+	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroups", "applications:serviceGroups", "applications:serviceGroups:list", "GET", "/beta/applications/service-groups", func(unexpandedResource string, input interface{}) string {
 		return unexpandedResource
 	})
-	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroupsHealthCounts", "infra:nodes", "infra:nodes:list", "GET", "/beta/applications/service_groups_health_counts", func(unexpandedResource string, input interface{}) string {
+	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServiceGroupsHealthCounts", "applications:serviceGroups", "applications:serviceGroups:list", "GET", "/beta/applications/service_groups_health_counts", func(unexpandedResource string, input interface{}) string {
 		return unexpandedResource
 	})
-	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServices", "infra:nodes", "infra:nodes:list", "GET", "/beta/applications/services", func(unexpandedResource string, input interface{}) string {
+	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServices", "applications:serviceGroups", "applications:serviceGroups:list", "GET", "/beta/applications/services", func(unexpandedResource string, input interface{}) string {
 		return unexpandedResource
 	})
-	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServicesBySG", "infra:nodes", "infra:nodes:list", "GET", "/beta/applications/service-groups/{service_group_id}", func(unexpandedResource string, input interface{}) string {
+	policyv2.MapMethodTo("/chef.automate.api.applications.ApplicationsService/GetServicesBySG", "applications:serviceGroups", "applications:serviceGroups:list", "GET", "/beta/applications/service-groups/{service_group_id}", func(unexpandedResource string, input interface{}) string {
 		if m, ok := input.(*ServicesBySGReq); ok {
 			return policyv2.ExpandParameterizedResource(unexpandedResource, func(want string) string {
 				switch want {
diff --git a/api/external/applications/applications.proto b/api/external/applications/applications.proto
index 12b9068764f..55c836f26ac 100644
--- a/api/external/applications/applications.proto
+++ b/api/external/applications/applications.proto
@@ -18,44 +18,42 @@ import "api/external/common/query/parameters.proto";
 service ApplicationsService {
   rpc GetServiceGroups(ServiceGroupsReq) returns (ServiceGroups) {
     option (google.api.http).get = "/beta/applications/service-groups";
-    // TODO (dan, 2/2019): need to replace this once we have resources and such
-    // created in the auth system
     option (chef.automate.api.policy) = {
-      resource: "nodes"
+      resource: "service_groups"
       action: "list"
     };
     option (chef.automate.api.iam.policy) = {
-      resource: "infra:nodes"
-      action: "infra:nodes:list"
+      resource: "applications:serviceGroups"
+      action: "applications:serviceGroups:list"
     };
   };
   rpc GetServiceGroupsHealthCounts(ServiceGroupsHealthCountsReq) returns (HealthCounts) {
     // TODO (afiune, 3/2019): need to replace this once we have resources and such
     // created in the auth system
     option (google.api.http).get = "/beta/applications/service_groups_health_counts";
-    option (chef.automate.api.policy).resource = "nodes";
+    option (chef.automate.api.policy).resource = "service_groups";
     option (chef.automate.api.policy).action = "list";
-    option (chef.automate.api.iam.policy).resource = "infra:nodes";
-    option (chef.automate.api.iam.policy).action = "infra:nodes:list";
+    option (chef.automate.api.iam.policy).resource = "applications:serviceGroups";
+    option (chef.automate.api.iam.policy).action = "applications:serviceGroups:list";
   };
   rpc GetServices(ServicesReq) returns (ServicesRes) {
     // TODO (afiune, 4/2019): need to replace this once we have resources and such
     // created in the auth system
     option (google.api.http).get = "/beta/applications/services";
-    option (chef.automate.api.policy).resource = "nodes";
+    option (chef.automate.api.policy).resource = "service_groups";
     option (chef.automate.api.policy).action = "list";
-    option (chef.automate.api.iam.policy).resource = "infra:nodes";
-    option (chef.automate.api.iam.policy).action = "infra:nodes:list";
+    option (chef.automate.api.iam.policy).resource = "applications:serviceGroups";
+    option (chef.automate.api.iam.policy).action = "applications:serviceGroups:list";
   };
 
   rpc GetServicesBySG(ServicesBySGReq) returns (ServicesBySGRes) {
     // TODO (afiune, 4/2019): need to replace this once we have resources and such
     // created in the auth system
     option (google.api.http).get = "/beta/applications/service-groups/{service_group_id}";
-    option (chef.automate.api.policy).resource = "nodes";
+    option (chef.automate.api.policy).resource = "service_groups";
     option (chef.automate.api.policy).action = "list";
-    option (chef.automate.api.iam.policy).resource = "infra:nodes";
-    option (chef.automate.api.iam.policy).action = "infra:nodes:list";
+    option (chef.automate.api.iam.policy).resource = "applications:serviceGroups";
+    option (chef.automate.api.iam.policy).action = "applications:serviceGroups:list";
   };
   rpc GetVersion (common.version.VersionInfoRequest) returns (common.version.VersionInfo) {
     option (google.api.http).get = "/beta/applications/version";
diff --git a/components/authz-service/constants/v1/constants.go b/components/authz-service/constants/v1/constants.go
index 4c64e1dde3e..3f5ff07730c 100644
--- a/components/authz-service/constants/v1/constants.go
+++ b/components/authz-service/constants/v1/constants.go
@@ -107,6 +107,9 @@ const (
 	// data collector endpoint and have them proxied to A2's data collector without
 	// the need of a legacy data collector token
 	CSNginxComplianceDataCollectorPolicyID = "6e792df9-e51f-4474-9539-40ca2a2b308c"
+
+	// ApplicationsServiceGroupsPolicyID correlates to the policy applications:serviceGroups
+	ApplicationsServiceGroupsPolicyID = "aee14d59-da0b-4974-ba6d-1a018b024874"
 )
 
 // These are only used for testing and memstore purposes.
@@ -135,6 +138,7 @@ var (
 		ComplianceTokenSearchProfilesPolicyID,
 		ReadOwnUserProfilePolicyID,
 		LocalUserSelfPolicyID,
+		ApplicationsServiceGroupsPolicyID,
 	}
 
 	// NonDeletablePolicyIDs is an array of non-deletable policy IDs.
diff --git a/components/authz-service/storage/postgres/datamigration/sql/07_update_v2_roles.up.sql b/components/authz-service/storage/postgres/datamigration/sql/07_update_v2_roles.up.sql
new file mode 100644
index 00000000000..475b804e680
--- /dev/null
+++ b/components/authz-service/storage/postgres/datamigration/sql/07_update_v2_roles.up.sql
@@ -0,0 +1,15 @@
+BEGIN;
+
+UPDATE iam_roles
+    SET
+        actions = actions || '{applications:*:list, applications:*:get}'
+    WHERE
+        id = 'viewer';
+
+UPDATE iam_roles
+    SET
+        actions = actions || '{applications:*}'
+    WHERE
+        id = 'editor';
+
+COMMIT;
diff --git a/components/authz-service/storage/postgres/migration/sql/45_add_application_policies.up.sql b/components/authz-service/storage/postgres/migration/sql/45_add_application_policies.up.sql
new file mode 100644
index 00000000000..8a7aac3892a
--- /dev/null
+++ b/components/authz-service/storage/postgres/migration/sql/45_add_application_policies.up.sql
@@ -0,0 +1,13 @@
+BEGIN;
+
+INSERT INTO policies
+    VALUES ('aee14d59-da0b-4974-ba6d-1a018b024874',
+            '{"action": "*", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}',
+            CURRENT_TIMESTAMP,
+            1,
+            TRUE)
+    ON CONFLICT (id) DO UPDATE
+    SET policy_data='{"action": "*", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}',
+        deletable=TRUE;
+
+COMMIT;
diff --git a/components/authz-service/storage/v1/storage.go b/components/authz-service/storage/v1/storage.go
index f61ef74cfa4..d84d083171f 100644
--- a/components/authz-service/storage/v1/storage.go
+++ b/components/authz-service/storage/v1/storage.go
@@ -300,6 +300,14 @@ func DefaultPolicies() (map[string]*Policy, error) {
 			Effect:   "allow",
 			Version:  1,
 		},
+		constants.ApplicationsServiceGroupsPolicyID: {
+			ID:       ids[constants.ApplicationsServiceGroupsPolicyID],
+			Subjects: []string{"user:*"},
+			Resource: "service_groups",
+			Action:   "*",
+			Effect:   "allow",
+			Version:  1,
+		},
 	}
 	return defaultPolicies, nil
 }
diff --git a/components/automate-chef-io/content/docs/default-policies.md b/components/automate-chef-io/content/docs/default-policies.md
index 50f483fba35..4a2a5671425 100644
--- a/components/automate-chef-io/content/docs/default-policies.md
+++ b/components/automate-chef-io/content/docs/default-policies.md
@@ -144,6 +144,40 @@ EventFeed | GetEventTypeCounts | /event_type_counts | GET | events:types | count
 EventFeed | GetEventTaskCounts | /event_task_counts | GET | events:tasks | count
 EventFeed | GetEventStringBuckets | /eventstrings | GET | events:strings | read
 
+## Applications (BETA)
+
+### Applications page
+
+> These default policies allow all users to perform any action on application page resources
+
+```bash
+  {
+      "action": "*",
+      "resource": "service_groups",
+      "subjects": [
+          "user:*"
+      ]
+  },
+  {
+      "action": "*",
+      "resource": "service_groups:*",
+      "subjects": [
+          "user:*"
+      ]
+  }
+```
+
+### Applications Page
+
+> Corresponds to "Application tab (`/applications`)
+
+Service | Method | HTTP Endpoint | HTTP Method | Resource | Action
+---|---|---|---|---|---
+Applications | GetServiceGroups | /beta/applications/service-groups | GET | service_groups | list
+Applications | GetServiceGroupsHealthCounts | /beta/applications/service_groups_health_counts | GET | service_groups | list
+Applications | GetServices | /beta/applications/services | GET | service_groups| list
+Applications | GetServicesBySG | /beta/applications/service-groups/{service_group_id} | GET | service_groups | list
+
 ## Telemetry
 
 ### TelemetryPolicies
diff --git a/components/automate-chef-io/content/docs/iam-v2-api-reference.md b/components/automate-chef-io/content/docs/iam-v2-api-reference.md
index 03a510c5b73..ee30ae22399 100644
--- a/components/automate-chef-io/content/docs/iam-v2-api-reference.md
+++ b/components/automate-chef-io/content/docs/iam-v2-api-reference.md
@@ -209,8 +209,8 @@ Roles you create are Custom roles.
 Chef-managed Role Name | ID| Actions
 -----------------------|-----|--------
 Owner       | owner       | `*`
-Viewer      | viewer      | `infra:*:get`, `infra:*:list`, `compliance:*:get`, `compliance:*:list`, `system:*:get`, `system:*:list`, `event:*:get`, `event:*:list`, `ingest:*:get`, `ingest:*:list`
-Editor      | editor      | `infra:*`, `compliance:*`, `system:*`, `event:*`, `ingest:*`, `secrets:*`, `telemetry:*`
+Viewer      | viewer      | `infra:*:get`, `infra:*:list`, `compliance:*:get`, `compliance:*:list`, `system:*:get`, `system:*:list`, `event:*:get`, `event:*:list`, `ingest:*:get`, `ingest:*:list`, `applications:*:list`, `applications:*:get`
+Editor      | editor      | `infra:*`, `compliance:*`, `system:*`, `event:*`, `ingest:*`, `secrets:*`, `telemetry:*`, `applications:*`
 Ingest      | ingest      | `infra:ingest:*`, `compliance:profiles:get`, `compliance:profiles:list`
 
 ### Listing Roles