@@ -301,8 +301,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
301301// Users cannot do create/update/delete on themselves, but they
302302// can read their own details.
303303ResourceUser .Type : {policy .ActionRead ,policy .ActionReadPersonal ,policy .ActionUpdatePersonal },
304- // Users can create provisioner daemons scoped to themselves.
305- ResourceProvisionerDaemon .Type : {policy .ActionRead ,policy .ActionCreate ,policy .ActionRead ,policy .ActionUpdate },
306304})... ,
307305),
308306OrgMember :map [string ][]Permission {},
@@ -453,7 +451,13 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
453451User : []Permission {},
454452OrgMember :map [string ][]Permission {
455453organizationID .String ():Permissions (map [string ][]policy.Action {
456- ResourceWorkspace .Type :ResourceWorkspace .AvailableActions (),
454+ // Users can create provisioner daemons scoped to themselves.
455+ // All provisioners still need an organization relation as well.
456+ ResourceProvisionerDaemon .Type :ResourceProvisionerDaemon .AvailableActions (),
457+ // All group members can read their own group membership
458+ ResourceGroupMember .Type : {policy .ActionRead },
459+ ResourceInboxNotification .Type : {policy .ActionCreate ,policy .ActionRead ,policy .ActionUpdate },
460+ ResourceWorkspace .Type :ResourceWorkspace .AvailableActions (),
457461// Reduced permission set on dormant workspaces. No build, ssh, or exec
458462ResourceWorkspaceDormant .Type : {policy .ActionRead ,policy .ActionDelete ,policy .ActionCreate ,policy .ActionUpdate ,policy .ActionWorkspaceStop ,policy .ActionCreateAgent ,policy .ActionDeleteAgent },
459463// Can read their own organization member record