@@ -281,8 +281,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
281281// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
282282ResourcePrebuiltWorkspace .Type : {policy .ActionUpdate ,policy .ActionDelete },
283283})... ),
284- Org :map [string ][]Permission {},
285- User : []Permission {},
284+ Org :map [string ][]Permission {},
285+ User : []Permission {},
286+ OrgMember :map [string ][]Permission {},
286287}.withCachedRegoValue ()
287288
288289memberRole := Role {
@@ -308,6 +309,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
308309ResourceProvisionerDaemon .Type : {policy .ActionRead ,policy .ActionCreate ,policy .ActionRead ,policy .ActionUpdate },
309310})... ,
310311),
312+ OrgMember :map [string ][]Permission {},
311313}.withCachedRegoValue ()
312314
313315auditorRole := Role {
@@ -328,8 +330,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
328330ResourceDeploymentStats .Type : {policy .ActionRead },
329331ResourceDeploymentConfig .Type : {policy .ActionRead },
330332}),
331- Org :map [string ][]Permission {},
332- User : []Permission {},
333+ Org :map [string ][]Permission {},
334+ User : []Permission {},
335+ OrgMember :map [string ][]Permission {},
333336}.withCachedRegoValue ()
334337
335338templateAdminRole := Role {
@@ -351,8 +354,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
351354ResourceOrganization .Type : {policy .ActionRead },
352355ResourceOrganizationMember .Type : {policy .ActionRead },
353356}),
354- Org :map [string ][]Permission {},
355- User : []Permission {},
357+ Org :map [string ][]Permission {},
358+ User : []Permission {},
359+ OrgMember :map [string ][]Permission {},
356360}.withCachedRegoValue ()
357361
358362userAdminRole := Role {
@@ -375,8 +379,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
375379// Manage org membership based on OIDC claims
376380ResourceIdpsyncSettings .Type : {policy .ActionRead ,policy .ActionUpdate },
377381}),
378- Org :map [string ][]Permission {},
379- User : []Permission {},
382+ Org :map [string ][]Permission {},
383+ User : []Permission {},
384+ OrgMember :map [string ][]Permission {},
380385}.withCachedRegoValue ()
381386
382387builtInRoles = map [string ]func (orgID uuid.UUID )Role {
@@ -427,7 +432,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
427432ResourcePrebuiltWorkspace .Type : {policy .ActionUpdate ,policy .ActionDelete },
428433})... ),
429434},
430- User : []Permission {},
435+ User : []Permission {},
436+ OrgMember :map [string ][]Permission {},
431437}
432438},
433439
@@ -448,7 +454,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
448454ResourceAssignOrgRole .Type : {policy .ActionRead },
449455}),
450456},
451- User : []Permission {},
457+ User : []Permission {},
458+ OrgMember :map [string ][]Permission {},
452459}
453460},
454461orgAuditor :func (organizationID uuid.UUID )Role {
@@ -468,7 +475,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
468475ResourceOrganizationMember .Type : {policy .ActionRead },
469476}),
470477},
471- User : []Permission {},
478+ User : []Permission {},
479+ OrgMember :map [string ][]Permission {},
472480}
473481},
474482orgUserAdmin :func (organizationID uuid.UUID )Role {
@@ -492,7 +500,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
492500ResourceIdpsyncSettings .Type : {policy .ActionRead ,policy .ActionUpdate },
493501}),
494502},
495- User : []Permission {},
503+ User : []Permission {},
504+ OrgMember :map [string ][]Permission {},
496505}
497506},
498507orgTemplateAdmin :func (organizationID uuid.UUID )Role {
@@ -519,7 +528,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
519528ResourceProvisionerJobs .Type : {policy .ActionRead ,policy .ActionUpdate ,policy .ActionCreate },
520529}),
521530},
522- User : []Permission {},
531+ User : []Permission {},
532+ OrgMember :map [string ][]Permission {},
523533}
524534},
525535// orgWorkspaceCreationBan prevents creating & deleting workspaces. This
@@ -554,7 +564,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
554564},
555565},
556566},
557- User : []Permission {},
567+ User : []Permission {},
568+ OrgMember :map [string ][]Permission {},
558569}
559570},
560571}
@@ -665,9 +676,10 @@ func (perm Permission) Valid() error {
665676}
666677
667678// Role is a set of permissions at multiple levels:
668- // - Site level permissions apply EVERYWHERE
669- // - Org level permissions apply to EVERYTHING in a given ORG
670- // - User level permissions are the lowest
679+ // - Site permissions apply EVERYWHERE
680+ // - Org permissions apply to EVERYTHING in a given ORG
681+ // - User permissions apply to all resources the user owns
682+ // - OrgMember permissions apply to resources in the given org that the user owns
671683// This is the type passed into the rego as a json payload.
672684// Users of this package should instead **only** use the role names, and
673685// this package will expand the role names into their json payloads.
@@ -677,11 +689,13 @@ type Role struct {
677689// that means the UI should never display it.
678690DisplayName string `json:"display_name"`
679691Site []Permission `json:"site"`
680- // Org is a map of orgid to permissions. We represent orgid as a string.
681- // We scope the organizations in the role so we can easily combine all the
682- // roles.
692+ // Org is a map of organization IDs to permissions. Grouping by organization
693+ // makes roles easy to combine.
683694Org map [string ][]Permission `json:"org"`
684695User []Permission `json:"user"`
696+ // OrgMember is a map of organization IDs to permissions. Grouping by
697+ // organization makes roles easy to combine.
698+ OrgMember map [string ][]Permission `json:"org_member"`
685699
686700// cachedRegoValue can be used to cache the rego value for this role.
687701// This is helpful for static roles that never change.