chore: add built in organization roles to match site
Added org user admin, org template admin, and org auditor
1 parent91cbe67 commitc071985

2 files changed

+246
-123
lines changed


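--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -27,8 +27,11 @@ const (
 customSiteRolestring="custom-site-role"
 customOrganizationRolestring="custom-organization-role"
 
-orgAdminstring="organization-admin"
-orgMemberstring="organization-member"
+orgAdminstring="organization-admin"
+orgMemberstring="organization-member"
+orgAuditorstring="organization-auditor"
+orgUserAdminstring="organization-user-admin"
+orgTemplateAdminstring="organization-template-admin"
 )
 
 funcinit() {
@@ -144,18 +147,38 @@ func RoleOrgMember() string {
 returnorgMember
 }
 
+funcRoleOrgAuditor()string {
+returnorgAuditor
+}
+
+funcRoleOrgUserAdmin()string {
+returnorgUserAdmin
+}
+
+funcRoleOrgTemplateAdmin()string {
+returnorgTemplateAdmin
+}
+
 // ScopedRoleOrgAdmin is the org role with the organization ID
-// Deprecated This was used before organization scope was included as a
-// field in all user facing APIs. Usage of 'ScopedRoleOrgAdmin()' is preferred.
 funcScopedRoleOrgAdmin(organizationID uuid.UUID)RoleIdentifier {
-returnRoleIdentifier{Name:orgAdmin,OrganizationID:organizationID}
+returnRoleIdentifier{Name:RoleOrgAdmin(),OrganizationID:organizationID}
 }
 
 // ScopedRoleOrgMember is the org role with the organization ID
-// Deprecated This was used before organization scope was included as a
-// field in all user facing APIs. Usage of 'ScopedRoleOrgMember()' is preferred.
 funcScopedRoleOrgMember(organizationID uuid.UUID)RoleIdentifier {
-returnRoleIdentifier{Name:orgMember,OrganizationID:organizationID}
+returnRoleIdentifier{Name:RoleOrgMember(),OrganizationID:organizationID}
+}
+
+funcScopedRoleOrgAuditor(organizationID uuid.UUID)RoleIdentifier {
+returnRoleIdentifier{Name:RoleOrgAuditor(),OrganizationID:organizationID}
+}
+
+funcScopedRoleOrgUserAdmin(organizationID uuid.UUID)RoleIdentifier {
+returnRoleIdentifier{Name:RoleOrgUserAdmin(),OrganizationID:organizationID}
+}
+
+funcScopedRoleOrgTemplateAdmin(organizationID uuid.UUID)RoleIdentifier {
+returnRoleIdentifier{Name:RoleOrgTemplateAdmin(),OrganizationID:organizationID}
 }
 
 funcallPermsExcept(excepts...Objecter) []Permission {
@@ -377,8 +400,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 }
 },
 
-// orgMember has an empty set of permissions, this just implies their membership
-// in an organization.
+// orgMember is an implied role to any member in an organization.
 orgMember:func(organizationID uuid.UUID)Role {
 returnRole{
 Identifier:RoleIdentifier{Name:orgMember,OrganizationID:organizationID},
@@ -406,6 +428,55 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 },
 }
 },
+orgAuditor:func(organizationID uuid.UUID)Role {
+returnRole{
+Identifier:RoleIdentifier{Name:orgAuditor,OrganizationID:organizationID},
+DisplayName:"Organization Auditor",
+Site: []Permission{},
+Org:map[string][]Permission{
+organizationID.String():Permissions(map[string][]policy.Action{
+ResourceAuditLog.Type: {policy.ActionRead},
+}),
+},
+User: []Permission{},
+}
+},
+orgUserAdmin:func(organizationID uuid.UUID)Role {
+// Manages organization members and groups.
+returnRole{
+Identifier:RoleIdentifier{Name:orgUserAdmin,OrganizationID:organizationID},
+DisplayName:"Organization User Admin",
+Site: []Permission{},
+Org:map[string][]Permission{
+organizationID.String():Permissions(map[string][]policy.Action{
+// Assign, remove, and read roles in the organization.
+ResourceAssignOrgRole.Type: {policy.ActionAssign,policy.ActionDelete,policy.ActionRead},
+ResourceOrganizationMember.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
+ResourceGroup.Type:ResourceGroup.AvailableActions(),
+}),
+},
+User: []Permission{},
+}
+},
+orgTemplateAdmin:func(organizationID uuid.UUID)Role {
+// Manages organization members and groups.
+returnRole{
+Identifier:RoleIdentifier{Name:orgTemplateAdmin,OrganizationID:organizationID},
+DisplayName:"Organization Template Admin",
+Site: []Permission{},
+Org:map[string][]Permission{
+organizationID.String():Permissions(map[string][]policy.Action{
+ResourceTemplate.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete,policy.ActionViewInsights},
+ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},
+ResourceWorkspace.Type: {policy.ActionRead},
+// Assigning template perms requires this permission.
+ResourceOrganizationMember.Type: {policy.ActionRead},
+ResourceGroup.Type: {policy.ActionRead},
+}),
+},
+User: []Permission{},
+}
+},
 }
 }
 
@@ -421,6 +492,9 @@ var assignRoles = map[string]map[string]bool{
 member:true,
 orgAdmin:true,
 orgMember:true,
+orgAuditor:true,
+orgUserAdmin:true,
+orgTemplateAdmin:true,
 templateAdmin:true,
 userAdmin:true,
 customSiteRole:true,
@@ -432,6 +506,9 @@ var assignRoles = map[string]map[string]bool{
 member:true,
 orgAdmin:true,
 orgMember:true,
+orgAuditor:true,
+orgUserAdmin:true,
+orgTemplateAdmin:true,
 templateAdmin:true,
 userAdmin:true,
 customSiteRole:true,
@@ -444,8 +521,14 @@ var assignRoles = map[string]map[string]bool{
 orgAdmin: {
 orgAdmin:true,
 orgMember:true,
+orgAuditor:true,
+orgUserAdmin:true,
+orgTemplateAdmin:true,
 customOrganizationRole:true,
 },
+orgUserAdmin: {
+orgMember:true,
+},
 }
 
 // ExpandableRoles is any type that can be expanded into a []Role. This is implemented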
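Review bot: The comment on the new orgTemplateAdmin role, `// Manages organization members and groups.`, is a copy of the orgUserAdmin comment and misdescribes a role whose grants are template, file and workspace-read; replace it with `// Manages organization templates; member and group read is only for assigning template ACLs.` The `orgUserAdmin: { orgMember: true }` entry in assignRoles is the check that stops a user admin from granting itself organization-admin via ResourceAssignOrgRole, so it deserves a comment stating that intent, e.g. `// Intentionally limited to orgMember so a user admin cannot escalate to orgAdmin.` Because orgUserAdmin also receives every ResourceGroup action, it can presumably edit the group membership that template ACLs key on; whether that is an indirect path to template rights is not visible in this diff and is worth a test. Both ReloadBuiltinRoles and the assignRoles map begin and end outside these hunks.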
