diff --git a/bento_lib/auth/resources.py b/bento_lib/auth/resources.py
new file mode 100644
index 0000000..1173f1e
--- /dev/null
+++ b/bento_lib/auth/resources.py
@@ -0,0 +1,22 @@
+__all__ = [
+    "RESOURCE_EVERYTHING",
+    "build_resource",
+]
+
+# TODO: port Pydantic models from authz instead (when we get pydantic 2)
+
+
+RESOURCE_EVERYTHING = {"everything": True}
+
+
+def build_resource(project: str | None = None, dataset: str | None = None, data_type: str | None = None) -> dict:
+    if project is None:
+        return RESOURCE_EVERYTHING
+
+    res = {"project": project}
+    if dataset:
+        res["dataset"] = dataset
+    if data_type:
+        res["data_type"] = data_type
+
+    return res
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 7664182..d5a707d 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -1,3 +1,5 @@
+import json
+
 import pytest
 from bento_lib.auth.permissions import (
     Permission,
@@ -7,6 +9,7 @@
     P_QUERY_DATA,
     P_DELETE_DATA,
 )
+from bento_lib.auth.resources import RESOURCE_EVERYTHING, build_resource
 
 
 def test_recreate_permission_error():
@@ -14,7 +17,7 @@ def test_recreate_permission_error():
         Permission(QUERY_VERB, DATA)  # already exists
 
 
-def test_equality():
+def test_permissions_equality():
     assert P_QUERY_DATA == P_QUERY_DATA
     assert P_QUERY_DATA == "query:data"
     assert P_QUERY_DATA != P_DELETE_DATA
@@ -22,9 +25,20 @@ def test_equality():
     assert P_QUERY_DATA != 5
 
 
-def test_repr():
+def test_permissions_repr():
     assert repr(P_QUERY_DATA) == "Permission(query:data)"
 
 
-def test_hash():
+def test_permissions_hash():
     assert len({P_QUERY_DATA, P_QUERY_DATA, P_DELETE_DATA}) == 2
+
+
+def test_build_resource():
+    assert build_resource() == RESOURCE_EVERYTHING
+    assert json.dumps(build_resource(project="a")) == json.dumps({"project": "a"})
+    assert json.dumps(build_resource(project="a", data_type="z"), sort_keys=True) == json.dumps(
+        {"data_type": "z", "project": "a"}, sort_keys=True)
+    assert json.dumps(build_resource(project="a", dataset="z"), sort_keys=True) == json.dumps(
+        {"dataset": "z", "project": "a"}, sort_keys=True)
+    assert json.dumps(build_resource(project="a", dataset="z", data_type="t"), sort_keys=True) == json.dumps(
+        {"data_type": "t", "dataset": "z", "project": "a"}, sort_keys=True)