diff --git a/codefresh/cfclient/permission.go b/codefresh/cfclient/permission.go index aaeea94..52aa64e 100644 --- a/codefresh/cfclient/permission.go +++ b/codefresh/cfclient/permission.go @@ -12,6 +12,7 @@ type Permission struct { RelatedResource string `json:"relatedResource,omitempty"` Action string `json:"action,omitempty"` Account string `json:"account,omitempty"` + RuleType string `json:"ruleType,omitempty"` Tags []string `json:"attributes,omitempty"` } @@ -23,6 +24,7 @@ type NewPermission struct { RelatedResource string `json:"relatedResource,omitempty"` Action string `json:"action,omitempty"` Account string `json:"account,omitempty"` + RuleType string `json:"ruleType,omitempty"` Tags []string `json:"tags,omitempty"` } @@ -93,6 +95,7 @@ func (client *Client) CreatePermission(permission *Permission) (*Permission, err RelatedResource: permission.RelatedResource, Action: permission.Action, Account: permission.Account, + RuleType: permission.RuleType, Tags: permission.Tags, } diff --git a/codefresh/resource_permission.go b/codefresh/resource_permission.go index b6b4c49..0a88e02 100644 --- a/codefresh/resource_permission.go +++ b/codefresh/resource_permission.go @@ -84,6 +84,13 @@ Action to be allowed. Possible values: "debug", }, false), }, + "rule_type": { + Description: "Rule type - can be either `all` or `any`. If all is specified the rule will apply on resources that have all the tags. If any is specified the rule will apply on resources that have any of the tags. If not specified, deafult behavior is `any`.", + Type: schema.TypeString, + Optional: true, + //Default: "any", + ValidateFunc: validation.StringInSlice([]string{"all", "any"}, false), + }, "tags": { Description: ` The tags for which to apply the permission. Supports two custom tags: 
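Review bot: In the new `rule_type` schema entry of resource_permission.go the attribute is `Optional` with its `Default` commented out, yet `mapPermissionToResource` writes whatever the API returns into state and `resourcePermissionUpdate` now treats a `rule_type` change as a reason to delete and recreate the permission. If the API reports `any` for a permission created without the field (not visible here, so this needs confirming), configurations that omit `rule_type` would show a diff on every plan and recreate an access rule on every apply. The implicit mode is also the broader one, since `any` matches a resource carrying a single one of the tags. I would therefore make it explicit in state by replacing `//Default: "any",` with `Default: "any",`, or mark the attribute `Computed: true` if the server value should win. The description misspells "default" as "deafult", and the same text is copied into docs/resources/permission.md.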
@@ -163,7 +170,7 @@ func resourcePermissionUpdate(d *schema.ResourceData, meta interface{}) error { permission := *mapResourceToPermission(d) // In case team, action or relatedResource or resource have changed - a new permission needs to be created (but without recreating the terraform resource as destruction of resources is alarming for end users) - if d.HasChanges("team", "action", "related_resource", "resource") { + if d.HasChanges("team", "action", "related_resource", "resource", "rule_type") { deleteErr := resourcePermissionDelete(d, meta) if deleteErr != nil { @@ -231,6 +238,11 @@ func mapPermissionToResource(permission *cfclient.Permission, d *schema.Resource return err } + err = d.Set("rule_type", permission.RuleType) + if err != nil { + return err + } + return nil } @@ -249,6 +261,7 @@ func mapResourceToPermission(d *schema.ResourceData) *cfclient.Permission { Action: d.Get("action").(string), Resource: d.Get("resource").(string), RelatedResource: d.Get("related_resource").(string), + RuleType: d.Get("rule_type").(string), Tags: tags, } diff --git a/codefresh/resource_permission_test.go b/codefresh/resource_permission_test.go index 0b4ec91..57e20c1 100644 --- a/codefresh/resource_permission_test.go +++ b/codefresh/resource_permission_test.go 
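Review bot: The comment above the `d.HasChanges(...)` condition in `resourcePermissionUpdate` still lists only team, action, relatedResource and resource, so it no longer matches the condition now that `rule_type` also triggers the delete-and-create path. Suggested wording: `// In case team, action, related_resource, resource or rule_type have changed - a new permission needs to be created`, keeping the existing parenthetical after it. That path removes the permission before creating its replacement, and the rest of the function is outside this hunk. It is worth confirming there that a failed create is returned as an error, since otherwise a switch between `all` and `any` could leave the team without the rule.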
@@ -21,18 +21,19 @@ func TestAccCodefreshPermissionConfig(t *testing.T) { CheckDestroy: testAccCheckCodefreshContextDestroy, Steps: []resource.TestStep{ { - Config: testAccCodefreshPermissionConfig("create", "pipeline", "null", []string{"production", "*"}), + Config: testAccCodefreshPermissionConfig("create", "pipeline", "null", []string{"production", "test"}, "all"), Check: resource.ComposeTestCheckFunc( testAccCheckCodefreshPermissionExists(resourceName), resource.TestCheckResourceAttr(resourceName, "action", "create"), resource.TestCheckResourceAttr(resourceName, "resource", "pipeline"), - resource.TestCheckResourceAttr(resourceName, "tags.0", "*"), + resource.TestCheckResourceAttr(resourceName, "tags.0", "production"), resource.TestCheckResourceAttr(resourceName, "related_resource", ""), - resource.TestCheckResourceAttr(resourceName, "tags.1", "production"), + resource.TestCheckResourceAttr(resourceName, "tags.1", "test"), + resource.TestCheckResourceAttr(resourceName, "rule_type", "all"), ), }, { - Config: testAccCodefreshPermissionConfig("create", "pipeline", "project", []string{"production", "*"}), + Config: testAccCodefreshPermissionConfig("create", "pipeline", "project", []string{"production", "*"}, "any"), Check: resource.ComposeTestCheckFunc( testAccCheckCodefreshPermissionExists(resourceName), resource.TestCheckResourceAttr(resourceName, "action", "create"), @@ -40,6 +41,7 @@ func TestAccCodefreshPermissionConfig(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "related_resource", "project"), resource.TestCheckResourceAttr(resourceName, "tags.0", "*"), resource.TestCheckResourceAttr(resourceName, "tags.1", "production"), + resource.TestCheckResourceAttr(resourceName, "rule_type", "any"), ), }, { 
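Review bot: The two steps touched in `TestAccCodefreshPermissionConfig` both pass an explicit `rule_type` (`"all"`, then `"any"`), so the case where the attribute is omitted, which the schema documents as the default, is not exercised by the visible steps. `escapeString` in `testAccCodefreshPermissionConfig` already passes the literal `null` through unquoted, so a step such as `Config: testAccCodefreshPermissionConfig("create", "pipeline", "null", []string{"production", "*"}, "null")` would cover it. That step would also show whether a follow-up plan stays empty when the field is left out. The test function continues outside this hunk.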
@@ -73,7 +75,7 @@ func testAccCheckCodefreshPermissionExists(resource string) resource.TestCheckFu } // CONFIGS -func testAccCodefreshPermissionConfig(action, resource, relatedResource string, tags []string) string { +func testAccCodefreshPermissionConfig(action, resource, relatedResource string, tags []string, ruleType string) string { escapeString := func(str string) string { if str == "null" { return str // null means Terraform should ignore this field @@ -93,6 +95,7 @@ func testAccCodefreshPermissionConfig(action, resource, relatedResource string, resource = %s related_resource = %s tags = [%s] + rule_type = %s } -`, escapeString(action), escapeString(resource), escapeString(relatedResource), strings.Join(tagsEscaped[:], ",")) +`, escapeString(action), escapeString(resource), escapeString(relatedResource), strings.Join(tagsEscaped[:], ","), escapeString(ruleType)) } diff --git a/docs/resources/permission.md b/docs/resources/permission.md index 66fc786..6b6aea7 100644 --- a/docs/resources/permission.md +++ b/docs/resources/permission.md @@ -59,6 +59,7 @@ resource "codefresh_permission" "developers" { - `_id` (String) The permission ID. - `related_resource` (String) Specifies the resource to use when evaluating the tags. Possible values: * project +- `rule_type` (String) Rule type - can be either `all` or `any`. If all is specified the rule will apply on resources that have all the tags. If any is specified the rule will apply on resources that have any of the tags. If not specified, deafult behavior is `any`. - `tags` (Set of String) The tags for which to apply the permission. Supports two custom tags: * untagged: Apply to all resources without tags * (asterisk): Apply to all resources with any tag