Repository: github.com/coder/coder

Function OrgServiceAccountPermissions

coderd/rbac/roles.go:1100–1172

OrgServiceAccountPermissions returns the permissions for the organization-service-account system role, which can vary based on the organization's workspace sharing settings.

Signature: func OrgServiceAccountPermissions(org OrgSettings) OrgRolePermissions


```go
// OrgServiceAccountPermissions returns the permissions for the
// organization-service-account system role, which can vary based on
// the organization's workspace sharing settings.
func OrgServiceAccountPermissions(org OrgSettings) OrgRolePermissions {
	// Organization-level permissions that all org service accounts get.
	orgPermMap := map[string][]policy.Action{
		// All users can see provisioner daemons for workspace creation.
		ResourceProvisionerDaemon.Type: {policy.ActionRead},
		// All org members can read the organization.
		ResourceOrganization.Type: {policy.ActionRead},
		// Can read available roles.
		ResourceAssignOrgRole.Type: {policy.ActionRead},
	}

	// When workspace sharing is enabled, service accounts need to see
	// other org members and groups to share workspaces with them.
	if org.ShareableWorkspaceOwners != ShareableWorkspaceOwnersNone {
		orgPermMap[ResourceOrganizationMember.Type] = []policy.Action{policy.ActionRead}
		orgPermMap[ResourceGroup.Type] = []policy.Action{policy.ActionRead}
	}

	orgPerms := Permissions(orgPermMap)

	if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersNone {
		// Org-level negation blocks sharing on ANY workspace in the
		// org. If a service account has any other roles assigned,
		// this negation will override any positive perms in them, too.
		orgPerms = append(orgPerms, Permission{
			Negate:       true,
			ResourceType: ResourceWorkspace.Type,
			Action:       policy.ActionShare,
		})
	}

	// Service-account-scoped permissions (resources owned by the
	// service account). Uses allPermsExcept to automatically include
	// permissions for new resources.
	memberPerms := append(
		allPermsExcept(
			ResourceWorkspaceDormant,
			ResourcePrebuiltWorkspace,
			ResourceUser,
			ResourceOrganizationMember,
			ResourceAibridgeInterception,
			// Chat access requires the agents-access role.
			ResourceChat,
		),

		Permissions(map[string][]policy.Action{
			// Reduced permission set on dormant workspaces. No build,
			// ssh, or exec.
			ResourceWorkspaceDormant.Type: {
				policy.ActionRead,
				policy.ActionDelete,
				policy.ActionCreate,
				policy.ActionUpdate,
				policy.ActionWorkspaceStop,
				policy.ActionCreateAgent,
				policy.ActionDeleteAgent,
				policy.ActionUpdateAgent,
			},
```

The listing on this page stops at roles.go:1157; the remainder of the function, through line 1172, is not shown.

Callers

nothing calls this directly

Calls 2

Permissions (function) · 0.85
allPermsExcept (function) · 0.85

Tested by

no test coverage detected