Grants permission issue with target/host-set

Hi all,
Please advise, I have a target with some host-set, which contains some hosts. I want to limit users to see only specific targets. For test I’m using a test role with grants: ids=*;type=target;actions=read,list,authorize-session. And all is good, the users see just targets, but they cannot see hosts within.

Once user click connect it starts to connect to target with a set of hosts without prompting the host list.

But if I log into boundary desktop as Admin with full grants, I can see the hosts as a list once I push connect into a target:
Снимок экрана 2024-04-29 в 11.20.52

I’ve tried to add:
ids=*;type=host-set;actions=read,list,authorize-session But no luck.

Seems that I got it: along with the permission for target and host-set, I needed also to add host permission: ids=*;type=host;actions=read,list,authorize-session, and it worked.