OrgServiceAccountPermissions returns the permissions for the organization-service-account system role, which can vary based on the organization's workspace sharing settings.
(org OrgSettings)
| 1098 | // organization-service-account system role, which can vary based on |
| 1099 | // the organization's workspace sharing settings. |
| 1100 | func OrgServiceAccountPermissions(org OrgSettings) OrgRolePermissions { |
| 1101 | // Organization-level permissions that all org service accounts get. |
| 1102 | orgPermMap := map[string][]policy.Action{ |
| 1103 | // All users can see provisioner daemons for workspace creation. |
| 1104 | ResourceProvisionerDaemon.Type: {policy.ActionRead}, |
| 1105 | // All org members can read the organization. |
| 1106 | ResourceOrganization.Type: {policy.ActionRead}, |
| 1107 | // Can read available roles. |
| 1108 | ResourceAssignOrgRole.Type: {policy.ActionRead}, |
| 1109 | } |
| 1110 | |
| 1111 | // When workspace sharing is enabled, service accounts need to see |
| 1112 | // other org members and groups to share workspaces with them. |
| 1113 | if org.ShareableWorkspaceOwners != ShareableWorkspaceOwnersNone { |
| 1114 | orgPermMap[ResourceOrganizationMember.Type] = []policy.Action{policy.ActionRead} |
| 1115 | orgPermMap[ResourceGroup.Type] = []policy.Action{policy.ActionRead} |
| 1116 | } |
| 1117 | |
| 1118 | orgPerms := Permissions(orgPermMap) |
| 1119 | |
| 1120 | if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersNone { |
| 1121 | // Org-level negation blocks sharing on ANY workspace in the |
| 1122 | // org. If a service account has any other roles assigned, |
| 1123 | // this negation will override any positive perms in them, too. |
| 1124 | orgPerms = append(orgPerms, Permission{ |
| 1125 | Negate: true, |
| 1126 | ResourceType: ResourceWorkspace.Type, |
| 1127 | Action: policy.ActionShare, |
| 1128 | }) |
| 1129 | } |
| 1130 | |
| 1131 | // service account-scoped permissions (resources owned by the |
| 1132 | // service account). Uses allPermsExcept to automatically include |
| 1133 | // permissions for new resources. |
| 1134 | memberPerms := append( |
| 1135 | allPermsExcept( |
| 1136 | ResourceWorkspaceDormant, |
| 1137 | ResourcePrebuiltWorkspace, |
| 1138 | ResourceUser, |
| 1139 | ResourceOrganizationMember, |
| 1140 | ResourceAibridgeInterception, |
| 1141 | // Chat access requires the agents-access role. |
| 1142 | ResourceChat, |
| 1143 | ), |
| 1144 | |
| 1145 | Permissions(map[string][]policy.Action{ |
| 1146 | // Reduced permission set on dormant workspaces. No build, |
| 1147 | // ssh, or exec. |
| 1148 | ResourceWorkspaceDormant.Type: { |
| 1149 | policy.ActionRead, |
| 1150 | policy.ActionDelete, |
| 1151 | policy.ActionCreate, |
| 1152 | policy.ActionUpdate, |
| 1153 | policy.ActionWorkspaceStop, |
| 1154 | policy.ActionCreateAgent, |
| 1155 | policy.ActionDeleteAgent, |
| 1156 | policy.ActionUpdateAgent, |
| 1157 | }, |