OrgMemberPermissions returns the permissions for the organization-member system role, which can vary based on the organization's workspace sharing settings.
(org OrgSettings)
| 1008 | // system role, which can vary based on the organization's workspace sharing |
| 1009 | // settings. |
| 1010 | func OrgMemberPermissions(org OrgSettings) OrgRolePermissions { |
| 1011 | // Organization-level permissions that all org members get. |
| 1012 | orgPermMap := map[string][]policy.Action{ |
| 1013 | // All users can see provisioner daemons for workspace creation. |
| 1014 | ResourceProvisionerDaemon.Type: {policy.ActionRead}, |
| 1015 | // All org members can read the organization. |
| 1016 | ResourceOrganization.Type: {policy.ActionRead}, |
| 1017 | // Can read available roles. |
| 1018 | ResourceAssignOrgRole.Type: {policy.ActionRead}, |
| 1019 | } |
| 1020 | |
| 1021 | // In all modes of workspace sharing but `none`, members need to |
| 1022 | // see other org members (including service accounts) to either |
| 1023 | // share with them or get access to their shared workspaces, |
| 1024 | // resolved through GET /users/{user}/workspace/{workspace} |
| 1025 | if org.ShareableWorkspaceOwners != ShareableWorkspaceOwnersNone { |
| 1026 | orgPermMap[ResourceOrganizationMember.Type] = []policy.Action{policy.ActionRead} |
| 1027 | } |
| 1028 | |
| 1029 | // When workspace sharing is open to members, they also need to |
| 1030 | // see org groups to share with them. |
| 1031 | if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersEveryone { |
| 1032 | orgPermMap[ResourceGroup.Type] = []policy.Action{policy.ActionRead} |
| 1033 | } |
| 1034 | |
| 1035 | orgPerms := Permissions(orgPermMap) |
| 1036 | |
| 1037 | if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersNone { |
| 1038 | // Org-level negation blocks sharing on ANY workspace in the |
| 1039 | // org. This overrides any positive permission from other |
| 1040 | // roles, including org-admin. |
| 1041 | orgPerms = append(orgPerms, Permission{ |
| 1042 | Negate: true, |
| 1043 | ResourceType: ResourceWorkspace.Type, |
| 1044 | Action: policy.ActionShare, |
| 1045 | }) |
| 1046 | } |
| 1047 | |
| 1048 | // Uses allPermsExcept to automatically include permissions for new resources. |
| 1049 | memberPerms := append( |
| 1050 | allPermsExcept( |
| 1051 | ResourceWorkspaceDormant, |
| 1052 | ResourcePrebuiltWorkspace, |
| 1053 | ResourceUser, |
| 1054 | ResourceOrganizationMember, |
| 1055 | ResourceAibridgeInterception, |
| 1056 | // Chat access requires the agents-access role. |
| 1057 | ResourceChat, |
| 1058 | ), |
| 1059 | |
| 1060 | Permissions(map[string][]policy.Action{ |
| 1061 | // Reduced permission set on dormant workspaces. No build, |
| 1062 | // ssh, or exec. |
| 1063 | ResourceWorkspaceDormant.Type: { |
| 1064 | policy.ActionRead, |
| 1065 | policy.ActionDelete, |
| 1066 | policy.ActionCreate, |
| 1067 | policy.ActionUpdate, |