chore: clean up built-in role permissions (#16645)

aslilac · web-flow · commit a85a22081602 · 2025-02-21T14:33:34.000-07:00
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -283,10 +283,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			Permissions(map[string][]policy.Action{
 				// Reduced permission set on dormant workspaces. No build, ssh, or exec
 				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
-
 				// Users cannot do create/update/delete on themselves, but they
 				// can read their own details.
 				ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
+				// Can read their own organization member record
+				ResourceOrganizationMember.Type: {policy.ActionRead},
 				// Users can create provisioner daemons scoped to themselves.
 				ResourceProvisionerDaemon.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
 			})...,
@@ -423,12 +424,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceAssignOrgRole.Type: {policy.ActionRead},
 					}),
 				},
-				User: []Permission{
-					{
-						ResourceType: ResourceOrganizationMember.Type,
-						Action:       policy.ActionRead,
-					},
-				},
+				User: []Permission{},
 			}
 		},
 		orgAuditor: func(organizationID uuid.UUID) Role {
@@ -439,6 +435,12 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
 						ResourceAuditLog.Type: {policy.ActionRead},
+						// Allow auditors to see the resources that audit logs reflect.
+						ResourceTemplate.Type:           {policy.ActionRead, policy.ActionViewInsights},
+						ResourceGroup.Type:              {policy.ActionRead},
+						ResourceGroupMember.Type:        {policy.ActionRead},
+						ResourceOrganization.Type:       {policy.ActionRead},
+						ResourceOrganizationMember.Type: {policy.ActionRead},
 					}),
 				},
 				User: []Permission{},
@@ -458,6 +460,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 					organizationID.String(): Permissions(map[string][]policy.Action{
 						// Assign, remove, and read roles in the organization.
 						ResourceAssignOrgRole.Type:      {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
+						ResourceOrganization.Type:       {policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						ResourceGroup.Type:              ResourceGroup.AvailableActions(),
 						ResourceGroupMember.Type:        ResourceGroupMember.AvailableActions(),
@@ -479,10 +482,15 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
 						ResourceWorkspace.Type: {policy.ActionRead},
 						// Assigning template perms requires this permission.
+						ResourceOrganization.Type:       {policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionRead},
 						ResourceGroup.Type:              {policy.ActionRead},
 						ResourceGroupMember.Type:        {policy.ActionRead},
-						ResourceProvisionerJobs.Type:    {policy.ActionRead},
+						// Since templates have to correlate with provisioners,
+						// the ability to create templates and provisioners has
+						// a lot of overlap.
+						ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+						ResourceProvisionerJobs.Type:   {policy.ActionRead},
 					}),
 				},
 				User: []Permission{},
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -217,20 +217,20 @@ func TestRolePermissions(t *testing.T) {
 		},
 		{
 			Name:     "Templates",
-			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 			Resource: rbac.ResourceTemplate.WithID(templateID).InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {owner, orgAdmin, templateAdmin, orgTemplateAdmin},
-				false: {setOtherOrg, orgAuditor, orgUserAdmin, memberMe, orgMemberMe, userAdmin},
+				false: {setOtherOrg, orgUserAdmin, orgAuditor, memberMe, orgMemberMe, userAdmin},
 			},
 		},
 		{
 			Name:     "ReadTemplates",
-			Actions:  []policy.Action{policy.ActionRead},
+			Actions:  []policy.Action{policy.ActionRead, policy.ActionViewInsights},
 			Resource: rbac.ResourceTemplate.InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin, templateAdmin, orgTemplateAdmin},
-				false: {setOtherOrg, orgAuditor, orgUserAdmin, memberMe, userAdmin, orgMemberMe},
+				true:  {owner, orgAuditor, orgAdmin, templateAdmin, orgTemplateAdmin},
+				false: {setOtherOrg, orgUserAdmin, memberMe, userAdmin, orgMemberMe},
 			},
 		},
 		{
@@ -377,8 +377,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceOrganizationMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin, userAdmin, orgMemberMe, templateAdmin, orgUserAdmin, orgTemplateAdmin},
-				false: {memberMe, setOtherOrg, orgAuditor},
+				true:  {owner, orgAuditor, orgAdmin, userAdmin, orgMemberMe, templateAdmin, orgUserAdmin, orgTemplateAdmin},
+				false: {memberMe, setOtherOrg},
 			},
 		},
 		{
@@ -404,7 +404,7 @@ func TestRolePermissions(t *testing.T) {
 			}),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {owner, orgAdmin, userAdmin, orgUserAdmin},
-				false: {setOtherOrg, memberMe, orgMemberMe, templateAdmin, orgTemplateAdmin, orgAuditor, groupMemberMe},
+				false: {setOtherOrg, memberMe, orgMemberMe, templateAdmin, orgTemplateAdmin, groupMemberMe, orgAuditor},
 			},
 		},
 		{
@@ -416,26 +416,26 @@ func TestRolePermissions(t *testing.T) {
 				},
 			}),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, groupMemberMe},
-				false: {setOtherOrg, memberMe, orgMemberMe, orgAuditor},
+				true:  {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, groupMemberMe, orgAuditor},
+				false: {setOtherOrg, memberMe, orgMemberMe},
 			},
 		},
 		{
 			Name:     "GroupMemberMeRead",
 			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceGroupMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgMemberMe, groupMemberMe},
-				false: {setOtherOrg, memberMe, orgAuditor},
+				true:  {owner, orgAuditor, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgMemberMe, groupMemberMe},
+				false: {setOtherOrg, memberMe},
 			},
 		},
 		{
 			Name:     "GroupMemberOtherRead",
 			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceGroupMember.WithID(adminID).InOrg(orgID).WithOwner(adminID.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin},
-				false: {setOtherOrg, memberMe, orgAuditor, orgMemberMe, groupMemberMe},
+				true:  {owner, orgAuditor, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin},
+				false: {setOtherOrg, memberMe, orgMemberMe, groupMemberMe},
 			},
 		},
 		{
@@ -534,8 +534,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 			Resource: rbac.ResourceProvisionerDaemon.InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, templateAdmin, orgAdmin},
-				false: {setOtherOrg, orgTemplateAdmin, orgUserAdmin, memberMe, orgMemberMe, userAdmin, orgAuditor},
+				true:  {owner, templateAdmin, orgAdmin, orgTemplateAdmin},
+				false: {setOtherOrg, orgAuditor, orgUserAdmin, memberMe, orgMemberMe, userAdmin},
 			},
 		},
 		{
@@ -552,8 +552,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 			Resource: rbac.ResourceProvisionerDaemon.WithOwner(currentUser.String()).InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, templateAdmin, orgMemberMe, orgAdmin},
-				false: {setOtherOrg, memberMe, userAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
+				true:  {owner, templateAdmin, orgTemplateAdmin, orgMemberMe, orgAdmin},
+				false: {setOtherOrg, memberMe, userAdmin, orgUserAdmin, orgAuditor},
 			},
 		},
 		{
diff --git a/site/src/modules/management/OrganizationSidebarView.tsx b/site/src/modules/management/OrganizationSidebarView.tsx
@@ -167,11 +167,9 @@ const OrganizationSettingsNavigation: FC<
 	return (
 		<>
 			<div className="flex flex-col gap-1 my-2">
-				{orgPermissions.viewMembers && (
-					<SettingsSidebarNavItem end href={urlForSubpage(organization.name)}>
-						Members
-					</SettingsSidebarNavItem>
-				)}
+				<SettingsSidebarNavItem end href={urlForSubpage(organization.name)}>
+					Members
+				</SettingsSidebarNavItem>
 				{orgPermissions.viewGroups && (
 					<SettingsSidebarNavItem
 						href={urlForSubpage(organization.name, "groups")}
diff --git a/site/src/modules/management/organizationPermissions.tsx b/site/src/modules/management/organizationPermissions.tsx
@@ -114,7 +114,6 @@ export const canViewOrganization = (
 		permissions !== undefined &&
 		(permissions.viewMembers ||
 			permissions.viewGroups ||
-			permissions.viewOrgRoles ||
 			permissions.viewProvisioners ||
 			permissions.viewIdpSyncSettings)
 	);
