coder
diff --git a/‎coderd/authz/README.md
+2-2 b/‎coderd/authz/README.md
+2-2
diff --git a/‎coderd/authz/action.go
-4 b/‎coderd/authz/action.go
-4
diff --git a/‎coderd/authz/authz.go
+4-1 b/‎coderd/authz/authz.go
+4-1
@@ -43,8 +43,8 @@ This can be represented by the following truth table, where Y represents *positi
 
 **Permissions** are represented in string format as `<sign>?<level>.<object>.<id>.<action>`, where:
 
-- `sign` can be either `+` or `-`. If it is omitted, sign is assumed to be `+`.
-- `level` is either `*`, `site`, `org`, or `user`.
+- `negated` can be either `+` or `-`. If it is omitted, sign is assumed to be `+`.
+- `level` is either `site`, `org`, or `user`.
 - `object` is any valid resource type.
 - `id` is any valid UUID v4.
 - `action` is `create`, `read`, `modify`, or `delete`.
 
@@ -1,9 +1,5 @@
 package authz
 
-func AllActions() []Action {
-	return []Action{ActionCreate, ActionRead, ActionUpdate, ActionDelete}
-}
-
 // Action represents the allowed actions to be done on an object.
 type Action string
 
 
@@ -4,7 +4,7 @@ import "golang.org/x/xerrors"
 
 var ErrUnauthorized = xerrors.New("unauthorized")
 
-// TODO: Implement Authorize
+// TODO: Implement Authorize. This will be implmented in mainly rego.
 func Authorize(subj Subject, obj Resource, action Action) error {
 	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
 	var _, _, _ = subj, obj, action
@@ -22,6 +22,9 @@ func Authorize(subj Subject, obj Resource, action Action) error {
 	//		1 by 1.
 	var merged Role
 	for _, r := range roles {
+		// Site, Org, and User permissions exist on every role. Pull out only the permissions that
+		// are relevant to the object.
+
 		merged.Site = append(merged.Site, r.Site...)
 		// Only grab user roles if the resource is owned by a user.
 		// These roles only apply if the subject is said owner.