From 33988fedcd3ccd3b674242914fc45b11ced707cf Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Fri, 27 Sep 2024 14:07:15 -0500
Subject: [PATCH] chore: allow user admins to configure idp sync (#14861)
---
 coderd/rbac/roles.go | 1 +
 coderd/rbac/roles_test.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
index 7e0cf0c757..1470050026 100644
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -460,6 +460,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 ResourceGroup.Type: ResourceGroup.AvailableActions(),
 ResourceGroupMember.Type: ResourceGroupMember.AvailableActions(),
+ ResourceIdpsyncSettings.Type: {policy.ActionRead, policy.ActionUpdate},
 }),
 },
 User: []Permission{},
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
index bf537f815c..c5a759f4d1 100644
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -718,11 +718,11 @@ func TestRolePermissions(t *testing.T) {
 Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate},
 Resource: rbac.ResourceIdpsyncSettings.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
- true: {owner, orgAdmin},
+ true: {owner, orgAdmin, orgUserAdmin},
 false: {
 orgMemberMe, otherOrgAdmin, memberMe, userAdmin, templateAdmin,
- orgAuditor, orgUserAdmin, orgTemplateAdmin,
+ orgAuditor, orgTemplateAdmin,
 otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
 },
 },
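Review bot: The added `ResourceIdpsyncSettings.Type: {policy.ActionRead, policy.ActionUpdate},` entry carries no comment saying why this role may change IdP sync settings, and the role's name is not visible in the hunk; judging by the test change in roles_test.go it is the organization user admin. If these settings also decide how IdP claims map to organization roles (not shown here), update access lets a user admin influence role assignment indirectly, which is a wider grant than the group and member entries beside it. I would state the intent next to the entry, for example `// IdP sync derives group/role membership from IdP claims; user admins already manage membership, so they may read and update it.` The body of ReloadBuiltinRoles starts and ends outside the hunk.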
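Review bot: The site-wide `userAdmin` subject stays in the `false` list although the commit subject speaks of "user admins" without qualification, and nothing in the test case records that this is deliberate. If only the organization-scoped role is meant to manage IdP sync, a comment above `true: {owner, orgAdmin, orgUserAdmin},` such as `// Site-wide userAdmin is denied on purpose; only the org-scoped user admin manages IdP sync.` would stop a later edit from moving it by mistake. The test case and TestRolePermissions both begin and end outside the hunk.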