diff --git a/bolt/onboarding.go b/bolt/onboarding.go
index 737e0c88e94..cb5d2e0d8bd 100644
--- a/bolt/onboarding.go
+++ b/bolt/onboarding.go
@@ -120,6 +120,15 @@ func (c *Client) Generate(ctx context.Context, req *platform.OnboardingRequest)
 perms := platform.OperPermissions()
 perms = append(perms, platform.OrgAdminPermissions(o.ID)...)
+ writeBucketPerm, err := platform.NewPermissionAtID(bucket.ID, platform.WriteAction, platform.BucketsResource)
+ if err != nil {
+ return nil, err
+ }
+ readBucketPerm, err := platform.NewPermissionAtID(bucket.ID, platform.ReadAction, platform.BucketsResource)
+ if err != nil {
+ return nil, err
+ }
+ perms = append(perms, *writeBucketPerm, *readBucketPerm)
 auth := &platform.Authorization{
 UserID: u.ID,
diff --git a/bolt/onboarding_test.go b/bolt/onboarding_test.go
index 9bcc21a9b08..0142c9a6b13 100644
--- a/bolt/onboarding_test.go
+++ b/bolt/onboarding_test.go
@@ -28,6 +28,6 @@ func initOnboardingService(f platformtesting.OnboardingFields, t *testing.T) (pl
 }
 }
-func TestGenerate(t *testing.T) {
+func TestOnboardingService_Generate(t *testing.T) {
 platformtesting.Generate(initOnboardingService, t)
 }
diff --git a/inmem/onboarding.go b/inmem/onboarding.go
index aebcea745ff..c174f57e36a 100644
--- a/inmem/onboarding.go
+++ b/inmem/onboarding.go
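Review bot: The block added before `auth := &platform.Authorization{` widens the onboarding token without a comment saying why bucket-scoped read and write are needed on top of `platform.OperPermissions()` and `platform.OrgAdminPermissions(o.ID)`. Since this is where the token's privilege set is decided, a line such as `// also grant read and write on the bucket created during onboarding` above `writeBucketPerm` would make the grant reviewable. The same construction is repeated in the inmem/onboarding.go hunk and in `mustGeneratePermissions` in testing/onboarding.go, so the permission set is defined in three places and the two backends can drift apart; one helper in the platform package that both Generate implementations call would keep it in one place. Generate's body starts and ends outside this hunk.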
@@ -92,11 +92,24 @@ func (s *Service) Generate(ctx context.Context, req *platform.OnboardingRequest)
 if err = s.CreateBucket(ctx, bucket); err != nil {
 return nil, err
 }
+
+ perms := platform.OperPermissions()
+ perms = append(perms, platform.OrgAdminPermissions(o.ID)...)
+ writeBucketPerm, err := platform.NewPermissionAtID(bucket.ID, platform.WriteAction, platform.BucketsResource)
+ if err != nil {
+ return nil, err
+ }
+ readBucketPerm, err := platform.NewPermissionAtID(bucket.ID, platform.ReadAction, platform.BucketsResource)
+ if err != nil {
+ return nil, err
+ }
+ perms = append(perms, *writeBucketPerm, *readBucketPerm)
+
 auth := &platform.Authorization{
 UserID: u.ID,
 Description: fmt.Sprintf("%s's Token", u.Name),
 OrgID: o.ID,
- Permissions: platform.OperPermissions(),
+ Permissions: perms,
 }
 if err = s.CreateAuthorization(ctx, auth); err != nil {
 return nil, err
diff --git a/testing/onboarding.go b/testing/onboarding.go
index fa6942fb551..a9f0cc802fb 100644
--- a/testing/onboarding.go
+++ b/testing/onboarding.go
@@ -170,7 +170,7 @@ func Generate(
 UserID: MustIDBase16(oneID),
 Description: "admin's Token",
 OrgID: MustIDBase16(twoID),
- Permissions: platform.OperPermissions(),
+ Permissions: mustGeneratePermissions(MustIDBase16(twoID), MustIDBase16(threeID)),
 },
 },
 },
@@ -203,6 +203,22 @@ func Generate(
 }
+func mustGeneratePermissions(orgID, bucketID platform.ID) []platform.Permission {
+ perms := platform.OperPermissions()
+ perms = append(perms, platform.OrgAdminPermissions(orgID)...)
+ writeBucketPerm, err := platform.NewPermissionAtID(bucketID, platform.WriteAction, platform.BucketsResource)
+ if err != nil {
+ panic(err)
+ }
+ readBucketPerm, err := platform.NewPermissionAtID(bucketID, platform.ReadAction, platform.BucketsResource)
+ if err != nil {
+ panic(err)
+ }
+ perms = append(perms, *writeBucketPerm, *readBucketPerm)
+
+ return perms
+}
+
 const (
 oneID = "020f755c3c082000"
 twoID = "020f755c3c082001"
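Review bot: `mustGeneratePermissions` in testing/onboarding.go has no doc comment, and it derives the expected permissions with the same calls the implementations use. The test therefore checks equality against a copy of the production logic rather than showing which actions and resources the onboarding token may carry. A comment such as `// mustGeneratePermissions returns the permissions expected on the onboarding token for orgID and bucketID; it panics if a permission cannot be built.` would document the helper. Spelling out at least the two bucket-scoped entries as literals in the fixture would make an unintended widening of the token visible in the test itself.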