diff --git a/api/install.go b/api/install.go
index b98c02d4b2..b049b2cdec 100644
--- a/api/install.go
+++ b/api/install.go
@@ -26,7 +26,7 @@ import (
 //   201: Host added
 //   401: Unauthorized
 func installHostAdd(w http.ResponseWriter, r *http.Request, t auth.Token) (err error) {
-	allowed := permission.Check(t, permission.PermInstallUpdate)
+	allowed := permission.Check(t, permission.PermInstallManage)
 	if !allowed {
 		return permission.ErrUnauthorized
 	}
@@ -44,10 +44,10 @@ func installHostAdd(w http.ResponseWriter, r *http.Request, t auth.Token) (err e
 	}
 	evt, err := event.New(&event.Opts{
 		Target:     event.Target{Type: event.TargetTypeInstallHost, Value: host.Name},
-		Kind:       permission.PermInstallUpdate,
+		Kind:       permission.PermInstallManage,
 		Owner:      t,
 		CustomData: event.FormToCustomData(r.Form),
-		Allowed:    event.Allowed(permission.PermInstallRead),
+		Allowed:    event.Allowed(permission.PermInstallManage),
 	})
 	if err != nil {
 		return err
@@ -76,7 +76,7 @@ func installHostAdd(w http.ResponseWriter, r *http.Request, t auth.Token) (err e
 //   401: Unauthorized
 //   404: Not Found
 func installHostInfo(w http.ResponseWriter, r *http.Request, t auth.Token) error {
-	allowed := permission.Check(t, permission.PermInstallRead)
+	allowed := permission.Check(t, permission.PermInstallManage)
 	if !allowed {
 		return permission.ErrUnauthorized
 	}
@@ -99,7 +99,7 @@ func installHostInfo(w http.ResponseWriter, r *http.Request, t auth.Token) error
 //   200: OK
 //   401: Unauthorized
 func installHostList(w http.ResponseWriter, r *http.Request, t auth.Token) error {
-	allowed := permission.Check(t, permission.PermInstallRead)
+	allowed := permission.Check(t, permission.PermInstallManage)
 	if !allowed {
 		return permission.ErrUnauthorized
 	}
diff --git a/api/install_test.go b/api/install_test.go
index 2ce3bd6b3c..7e59913d09 100644
--- a/api/install_test.go
+++ b/api/install_test.go
@@ -18,7 +18,7 @@ import (
 
 func (s *S) TestInstallHostAdd(c *check.C) {
 	token := userWithPermission(c, permission.Permission{
-		Scheme:  permission.PermInstallUpdate,
+		Scheme:  permission.PermInstallManage,
 		Context: permission.Context(permission.CtxGlobal, ""),
 	})
 	recorder := httptest.NewRecorder()
@@ -60,7 +60,7 @@ func (s *S) TestInstallHostReturnsForbiddenIfNoPermissions(c *check.C) {
 
 func (s *S) TestInstallHostInfo(c *check.C) {
 	token := userWithPermission(c, permission.Permission{
-		Scheme:  permission.PermInstallRead,
+		Scheme:  permission.PermInstallManage,
 		Context: permission.Context(permission.CtxGlobal, ""),
 	})
 	expectedHost := &install.Host{Name: "my-host", DriverName: "amazonec2", Driver: make(map[string]interface{})}
@@ -97,7 +97,7 @@ func (s *S) TestInstallHostInfoReturnsForbiddenIfNoPermissions(c *check.C) {
 
 func (s *S) TestInstallHostInfoReturnsNotFoundWhenHostDoesNotExist(c *check.C) {
 	token := userWithPermission(c, permission.Permission{
-		Scheme:  permission.PermInstallRead,
+		Scheme:  permission.PermInstallManage,
 		Context: permission.Context(permission.CtxGlobal, ""),
 	})
 	recorder := httptest.NewRecorder()
@@ -113,7 +113,7 @@ func (s *S) TestInstallHostInfoReturnsNotFoundWhenHostDoesNotExist(c *check.C) {
 
 func (s *S) TestInstallHostList(c *check.C) {
 	token := userWithPermission(c, permission.Permission{
-		Scheme:  permission.PermInstallRead,
+		Scheme:  permission.PermInstallManage,
 		Context: permission.Context(permission.CtxGlobal, ""),
 	})
 	host1 := &install.Host{Name: "my-host-1", DriverName: "amazonec2", Driver: make(map[string]interface{})}
diff --git a/permission/permitems.go b/permission/permitems.go
index 6344db6191..41075e57bd 100644
--- a/permission/permitems.go
+++ b/permission/permitems.go
@@ -64,8 +64,7 @@ var (
 	PermHealingRead                      = PermissionRegistry.get("healing.read")                        // [global pool]
 	PermHealingUpdate                    = PermissionRegistry.get("healing.update")                      // [global pool]
 	PermInstall                          = PermissionRegistry.get("install")                             // [global]
-	PermInstallRead                      = PermissionRegistry.get("install.read")                        // [global]
-	PermInstallUpdate                    = PermissionRegistry.get("install.update")                      // [global]
+	PermInstallManage                    = PermissionRegistry.get("install.manage")                      // [global]
 	PermMachine                          = PermissionRegistry.get("machine")                             // [global iaas]
 	PermMachineCreate                    = PermissionRegistry.get("machine.create")                      // [global iaas]
 	PermMachineDelete                    = PermissionRegistry.get("machine.delete")                      // [global iaas]
diff --git a/permission/permlist.go b/permission/permlist.go
index f740a93206..a63d8fb1ac 100644
--- a/permission/permlist.go
+++ b/permission/permlist.go
@@ -175,6 +175,5 @@ var PermissionRegistry = (&registry{}).addWithCtx(
 	"nodecontainer.update.upgrade",
 	"nodecontainer.delete",
 ).add(
-	"install.update",
-	"install.read",
+	"install.manage",
 )