@@ -282,8 +282,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
282282// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
283283ResourcePrebuiltWorkspace .Type : {policy .ActionUpdate ,policy .ActionDelete },
284284})... ),
285- Org :map [string ][]Permission {},
286- User : []Permission {},
285+ Org :map [string ][]Permission {},
286+ User : []Permission {},
287+ OrgMember :map [string ][]Permission {},
287288}.withCachedRegoValue ()
288289
289290memberRole := Role {
@@ -296,19 +297,14 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
296297ResourceWorkspaceProxy .Type : {policy .ActionRead },
297298}),
298299Org :map [string ][]Permission {},
299- User :append (allPermsExcept (ResourceWorkspaceDormant ,ResourcePrebuiltWorkspace ,ResourceUser ,ResourceOrganizationMember ),
300+ User :append (allPermsExcept (ResourceWorkspace , ResourceWorkspaceDormant ,ResourcePrebuiltWorkspace ,ResourceUser ,ResourceOrganizationMember ),
300301Permissions (map [string ][]policy.Action {
301- // Reduced permission set on dormant workspaces. No build, ssh, or exec
302- ResourceWorkspaceDormant .Type : {policy .ActionRead ,policy .ActionDelete ,policy .ActionCreate ,policy .ActionUpdate ,policy .ActionWorkspaceStop ,policy .ActionCreateAgent ,policy .ActionDeleteAgent },
303302// Users cannot do create/update/delete on themselves, but they
304303// can read their own details.
305304ResourceUser .Type : {policy .ActionRead ,policy .ActionReadPersonal ,policy .ActionUpdatePersonal },
306- // Can read their own organization member record
307- ResourceOrganizationMember .Type : {policy .ActionRead },
308- // Users can create provisioner daemons scoped to themselves.
309- ResourceProvisionerDaemon .Type : {policy .ActionRead ,policy .ActionCreate ,policy .ActionRead ,policy .ActionUpdate },
310305})... ,
311306),
307+ OrgMember :map [string ][]Permission {},
312308}.withCachedRegoValue ()
313309
314310auditorRole := Role {
@@ -331,8 +327,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
331327// Allow auditors to query aibridge interceptions.
332328ResourceAibridgeInterception .Type : {policy .ActionRead },
333329}),
334- Org :map [string ][]Permission {},
335- User : []Permission {},
330+ Org :map [string ][]Permission {},
331+ User : []Permission {},
332+ OrgMember :map [string ][]Permission {},
336333}.withCachedRegoValue ()
337334
338335templateAdminRole := Role {
@@ -354,8 +351,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
354351ResourceOrganization .Type : {policy .ActionRead },
355352ResourceOrganizationMember .Type : {policy .ActionRead },
356353}),
357- Org :map [string ][]Permission {},
358- User : []Permission {},
354+ Org :map [string ][]Permission {},
355+ User : []Permission {},
356+ OrgMember :map [string ][]Permission {},
359357}.withCachedRegoValue ()
360358
361359userAdminRole := Role {
@@ -378,8 +376,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
378376// Manage org membership based on OIDC claims
379377ResourceIdpsyncSettings .Type : {policy .ActionRead ,policy .ActionUpdate },
380378}),
381- Org :map [string ][]Permission {},
382- User : []Permission {},
379+ Org :map [string ][]Permission {},
380+ User : []Permission {},
381+ OrgMember :map [string ][]Permission {},
383382}.withCachedRegoValue ()
384383
385384builtInRoles = map [string ]func (orgID uuid.UUID )Role {
@@ -430,7 +429,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
430429ResourcePrebuiltWorkspace .Type : {policy .ActionUpdate ,policy .ActionDelete },
431430})... ),
432431},
433- User : []Permission {},
432+ User : []Permission {},
433+ OrgMember :map [string ][]Permission {},
434434}
435435},
436436
@@ -452,6 +452,21 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
452452}),
453453},
454454User : []Permission {},
455+ OrgMember :map [string ][]Permission {
456+ organizationID .String ():Permissions (map [string ][]policy.Action {
457+ // Users can create provisioner daemons scoped to themselves.
458+ // All provisioners still need an organization relation as well.
459+ ResourceProvisionerDaemon .Type :ResourceProvisionerDaemon .AvailableActions (),
460+ // All group members can read their own group membership
461+ ResourceGroupMember .Type : {policy .ActionRead },
462+ ResourceInboxNotification .Type : {policy .ActionCreate ,policy .ActionRead ,policy .ActionUpdate },
463+ ResourceWorkspace .Type :ResourceWorkspace .AvailableActions (),
464+ // Reduced permission set on dormant workspaces. No build, ssh, or exec
465+ ResourceWorkspaceDormant .Type : {policy .ActionRead ,policy .ActionDelete ,policy .ActionCreate ,policy .ActionUpdate ,policy .ActionWorkspaceStop ,policy .ActionCreateAgent ,policy .ActionDeleteAgent },
466+ // Can read their own organization member record
467+ ResourceOrganizationMember .Type : {policy .ActionRead },
468+ }),
469+ },
455470}
456471},
457472orgAuditor :func (organizationID uuid.UUID )Role {
@@ -471,7 +486,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
471486ResourceOrganizationMember .Type : {policy .ActionRead },
472487}),
473488},
474- User : []Permission {},
489+ User : []Permission {},
490+ OrgMember :map [string ][]Permission {},
475491}
476492},
477493orgUserAdmin :func (organizationID uuid.UUID )Role {
@@ -495,7 +511,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
495511ResourceIdpsyncSettings .Type : {policy .ActionRead ,policy .ActionUpdate },
496512}),
497513},
498- User : []Permission {},
514+ User : []Permission {},
515+ OrgMember :map [string ][]Permission {},
499516}
500517},
501518orgTemplateAdmin :func (organizationID uuid.UUID )Role {
@@ -522,7 +539,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
522539ResourceProvisionerJobs .Type : {policy .ActionRead ,policy .ActionUpdate ,policy .ActionCreate },
523540}),
524541},
525- User : []Permission {},
542+ User : []Permission {},
543+ OrgMember :map [string ][]Permission {},
526544}
527545},
528546// orgWorkspaceCreationBan prevents creating & deleting workspaces. This
@@ -557,7 +575,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
557575},
558576},
559577},
560- User : []Permission {},
578+ User : []Permission {},
579+ OrgMember :map [string ][]Permission {},
561580}
562581},
563582}
@@ -678,19 +697,22 @@ type Role struct {
678697Identifier RoleIdentifier `json:"name"`
679698// DisplayName is used for UI purposes. If the role has no display name,
680699// that means the UI should never display it.
681- DisplayName string `json:"display_name"`
682- Site []Permission `json:"site"`
683- // Org is a map of orgid to permissions. We represent orgid as a string.
684- // We scope the organizations in the role so we can easily combine all the
685- // roles.
686- Org map [string ][]Permission `json:"org"`
687- User []Permission `json:"user"`
700+ DisplayName string `json:"display_name"`
701+ Site []Permission `json:"site"`
702+ User []Permission `json:"user"`
703+ ByOrgID map [string ]RolePermissionsByOrgID `json:"by_org_id"`
688704
689705// cachedRegoValue can be used to cache the rego value for this role.
690706// This is helpful for static roles that never change.
691707cachedRegoValue ast.Value
692708}
693709
710+ type RolePermissionsByOrgID struct {
711+ // Org is a map of organization IDs to permissions. Grouping by organization
712+ // makes roles easy to combine.
713+ Org []Permission `json:"org"`
714+ }
715+
694716// Valid will check all it's permissions and ensure they are all correct
695717// according to the policy. This verifies every action specified make sense
696718// for the given resource.