diff --git a/bundle/config/validate/folder_permissions.go b/bundle/config/validate/folder_permissions.go
index 054156303..acd0283b3 100644
--- a/bundle/config/validate/folder_permissions.go
+++ b/bundle/config/validate/folder_permissions.go
@@ -34,24 +34,15 @@ func (f *folderPermissions) Apply(ctx context.Context, b bundle.ReadOnlyBundle)
 rootPath += "/"
 }
- if !strings.HasPrefix(b.Config().Workspace.ArtifactPath, rootPath) &&
- !libraries.IsVolumesPath(b.Config().Workspace.ArtifactPath) {
- paths = append(paths, b.Config().Workspace.ArtifactPath)
- }
-
- if !strings.HasPrefix(b.Config().Workspace.FilePath, rootPath) &&
- !libraries.IsVolumesPath(b.Config().Workspace.FilePath) {
- paths = append(paths, b.Config().Workspace.FilePath)
- }
-
- if !strings.HasPrefix(b.Config().Workspace.StatePath, rootPath) &&
- !libraries.IsVolumesPath(b.Config().Workspace.StatePath) {
- paths = append(paths, b.Config().Workspace.StatePath)
- }
-
- if !strings.HasPrefix(b.Config().Workspace.ResourcePath, rootPath) &&
- !libraries.IsVolumesPath(b.Config().Workspace.ResourcePath) {
- paths = append(paths, b.Config().Workspace.ResourcePath)
+ for _, p := range []string{
+ b.Config().Workspace.ArtifactPath,
+ b.Config().Workspace.FilePath,
+ b.Config().Workspace.StatePath,
+ b.Config().Workspace.ResourcePath,
+ } {
+ if !strings.HasPrefix(p, rootPath) && !libraries.IsVolumesPath(p) {
+ paths = append(paths, p)
+ }
 }
 var diags diag.Diagnostics
diff --git a/bundle/config/validate/folder_permissions_test.go b/bundle/config/validate/folder_permissions_test.go
index f98ea66a1..8e68c9fbf 100644
--- a/bundle/config/validate/folder_permissions_test.go
+++ b/bundle/config/validate/folder_permissions_test.go
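Review bot: The new loop in Apply still decides whether a path needs its own permission check with `strings.HasPrefix(p, rootPath)` on the raw configured string, so a value containing `..` segments, such as `<root>/../other` (constructed example), is treated as inside the root and never added to `paths`. If these workspace paths are not normalised before this validator runs, which the hunk does not show, cleaning them before the prefix test, e.g. `p = path.Clean(p)`, would keep a path outside the root from skipping the folder-permission check. Apply starts and ends outside the hunk.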
@@ -122,7 +122,7 @@ func TestValidateFolderPermissionsFailsOnMissingBundlePermission(t *testing.T) {
 diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
 require.Len(t, diags, 1)
- require.Equal(t, "permissions missing", diags[0].Summary)
+ require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
 require.Equal(t, diag.Warning, diags[0].Severity)
 require.Equal(t, "The following permissions apply to the workspace folder at \"/Workspace/Users/foo@bar.com\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n", diags[0].Detail)
 }
@@ -167,12 +167,9 @@ func TestValidateFolderPermissionsFailsOnPermissionMismatch(t *testing.T) {
 rb := bundle.ReadOnly(b)
 diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
- require.Len(t, diags, 2)
- require.Equal(t, "permissions missing", diags[0].Summary)
+ require.Len(t, diags, 1)
+ require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
 require.Equal(t, diag.Warning, diags[0].Severity)
-
- require.Equal(t, "permissions missing", diags[1].Summary)
- require.Equal(t, diag.Warning, diags[1].Severity)
 }
 func TestValidateFolderPermissionsFailsOnNoRootFolder(t *testing.T) {
diff --git a/bundle/permissions/check.go b/bundle/permissions/workspace_path_permissions.go
similarity index 82%
rename from bundle/permissions/check.go
rename to bundle/permissions/workspace_path_permissions.go
index f37c956c3..a3b4424c1 100644
--- a/bundle/permissions/check.go
+++ b/bundle/permissions/workspace_path_permissions.go
@@ -18,7 +18,7 @@ func ObjectAclToResourcePermissions(path string, acl []workspace.WorkspaceObject
 permissions := make([]resources.Permission, 0)
 for _, a := range acl {
 // Skip the admin group because it's added to all resources by default.
- if a.GroupName == "admin" {
+ if a.GroupName == "admins" {
 continue
 }
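Review bot: TestValidateFolderPermissionsFailsOnPermissionMismatch now pins only the summary and severity of the one remaining warning, so it would still pass if the wrong principal were reported as untracked. Adding `require.Equal(t, <expected detail>, diags[0].Detail)`, as TestValidateFolderPermissionsFailsOnMissingBundlePermission does in the previous hunk, would fix which ACL entry the warning names. The test's setup lies outside the hunk, so the expected string has to be taken from there.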
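Review bot: The correction from `"admin"` to `"admins"` in ObjectAclToResourcePermissions leaves the comment above it saying "admin group", and the exemption still rests on a bare string literal. Every ACL entry whose group name matches is skipped and so, presumably, never appears in the untracked-permissions warning; a named constant such as `const adminsGroupName = "admins"` with a comment that the match is exact and made on GroupName only would make that exemption easier to audit. The function body continues outside the hunk.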
@@ -38,22 +38,12 @@ func ObjectAclToResourcePermissions(path string, acl []workspace.WorkspaceObject
 func (p WorkspacePathPermissions) Compare(perms []resources.Permission) diag.Diagnostics {
 var diags diag.Diagnostics
- // Check the permissions in the bundle and see if they are all set in the workspace.
- ok, missing := containsAll(perms, p.Permissions)
- if !ok {
- diags = diags.Append(diag.Diagnostic{
- Severity: diag.Warning,
- Summary: "permissions missing",
- Detail: fmt.Sprintf("The following permissions are configured in the bundle but are do not (yet) apply to the workspace folder at %q:\n%s", p.Path, toString(missing)),
- })
- }
-
 // Check the permissions in the workspace and see if they are all set in the bundle.
- ok, missing = containsAll(p.Permissions, perms)
+ ok, missing := containsAll(p.Permissions, perms)
 if !ok {
 diags = diags.Append(diag.Diagnostic{
 Severity: diag.Warning,
- Summary: "permissions missing",
+ Summary: "untracked permissions apply to target workspace path",
 Detail: fmt.Sprintf("The following permissions apply to the workspace folder at %q but are not configured in the bundle:\n%s", p.Path, toString(missing)),
 })
 }
diff --git a/bundle/permissions/check_test.go b/bundle/permissions/workspace_path_permissions_test.go
similarity index 81%
rename from bundle/permissions/check_test.go
rename to bundle/permissions/workspace_path_permissions_test.go
index 1c55e1f68..0bb00474c 100644
--- a/bundle/permissions/check_test.go
+++ b/bundle/permissions/workspace_path_permissions_test.go
@@ -41,7 +41,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
 },
 },
 {
- GroupName: "admin",
+ GroupName: "admins",
 AllPermissions: []workspace.WorkspaceObjectPermission{
 {PermissionLevel: "CAN_MANAGE"},
 },
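Review bot: Compare is now one-directional, but nothing at the method says so: it reports only permissions present on the workspace path that are absent from `perms`, and bundle permissions not yet applied to the workspace no longer produce a diagnostic. No doc comment is visible in the hunk (the line above the signature is outside it), so I would add `// Compare returns a warning listing permissions set on the workspace path that are not declared in perms; permissions in perms that are absent from the workspace are not reported.` The local `missing` now holds untracked entries rather than missing ones, so a name like `untracked` would match the new summary. The end of the method lies outside the hunk.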
@@ -62,13 +62,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
 },
 },
 },
- expected: diag.Diagnostics{
- {
- Severity: diag.Warning,
- Summary: "permissions missing",
- Detail: "The following permissions are configured in the bundle but are do not (yet) apply to the workspace folder at \"path\":\n- level: CAN_MANAGE, service_principal_name: sp.com\n",
- },
- },
+ expected: nil,
 },
 {
 perms: []resources.Permission{
@@ -91,7 +85,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
 expected: diag.Diagnostics{
 {
 Severity: diag.Warning,
- Summary: "permissions missing",
+ Summary: "untracked permissions apply to target workspace path",
 Detail: "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, group_name: foo\n",
 },
 },
@@ -111,12 +105,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
 expected: diag.Diagnostics{
 {
 Severity: diag.Warning,
- Summary: "permissions missing",
- Detail: "The following permissions are configured in the bundle but are do not (yet) apply to the workspace folder at \"path\":\n- level: CAN_MANAGE, user_name: foo@bar.com\n",
- },
- {
- Severity: diag.Warning,
- Summary: "permissions missing",
+ Summary: "untracked permissions apply to target workspace path",
 Detail: "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n",
 },
 },