Description
Users with the `TemplateAdmin` role currently cannot delete prebuild workspaces. These workspaces are created and owned by a specific system user and often need to be cleaned up when they become outdated or stuck in a failed state.
Users with the `TemplateAdmin` role are responsible for managing templates and, consequently, should be responsible for managing associated prebuilds. As a result, this role should be able to delete prebuilt workspaces for maintenance reasons.
The current API supports deleting workspaces via the `POST /workspaces/{workspace}/builds` endpoint. To perform a deletion, the user must meet one of the following conditions:
- Be the owner of the workspace
- Have the `workspace.delete` permission (note that this permission does not distinguish between normal and prebuilt workspaces)
Objective
Update the current RBAC policy to support deletion of prebuild workspaces by users with the `TemplateAdmin` role, without granting broader permissions to delete regular user workspaces:
- Update RBAC policy to support scoped delete access for prebuild workspaces
- TemplateAdmins should be allowed to delete only workspaces owned by the prebuild system user, not workspaces owned by any other user.
- Grant the appropriate permission to the `TemplateAdmin` role
- Add test coverage for the new permission
- Update documentation if needed
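
The scoped rule described in this issue, sketched as an added example that is not Coder's RBAC code or part of the original issue. The permission name `prebuilt_workspace.delete`, the `site-owner` role, the role table and the `prebuilds-system-user` ID are assumptions made for illustration.

```go
package main

import "fmt"

// Constructed placeholder for the prebuild system user's ID (assumption).
const prebuildsUserID = "prebuilds-system-user"

type Actor struct {
	ID    string
	Roles []string
}

type Workspace struct{ ID, OwnerID string }

// Hypothetical role-to-permission table. "prebuilt_workspace.delete" is an
// assumed name for the new scoped permission; "workspace.delete" is the
// existing broad one named in the issue.
var rolePerms = map[string][]string{
	"site-owner":     {"workspace.delete"},
	"template-admin": {"prebuilt_workspace.delete"},
}

func hasPerm(a Actor, perm string) bool {
	for _, role := range a.Roles {
		for _, p := range rolePerms[role] {
			if p == perm {
				return true
			}
		}
	}
	return false
}

// CanDelete applies the two existing conditions, then the scoped one.
func CanDelete(a Actor, w Workspace) bool {
	if a.ID == w.OwnerID || hasPerm(a, "workspace.delete") {
		return true
	}
	// The scoped permission counts only when the prebuild system user owns
	// the workspace, so it never reaches regular user workspaces.
	return w.OwnerID == prebuildsUserID && hasPerm(a, "prebuilt_workspace.delete")
}

func main() {
	admin := Actor{ID: "u-admin", Roles: []string{"template-admin"}}
	fmt.Println(CanDelete(admin, Workspace{ID: "ws-pre", OwnerID: prebuildsUserID})) // true
	fmt.Println(CanDelete(admin, Workspace{ID: "ws-alice", OwnerID: "u-alice"}))     // false
}
```

The negative case (a template admin against a workspace owned by another user) is the one the requested test coverage most needs to pin down.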