chore: allow user admins to configure idp sync (#14861)

2025-07-15 22:20:27 +00:00 · 2024-09-27 14:07:15 -05:00
parent 2c8b264d78
commit 33988fedcd
2 changed files with 3 additions and 2 deletions
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@ -460,6 +460,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						ResourceGroup.Type:              ResourceGroup.AvailableActions(),
 						ResourceGroupMember.Type:        ResourceGroupMember.AvailableActions(),
+						ResourceIdpsyncSettings.Type:    {policy.ActionRead, policy.ActionUpdate},
 					}),
 				},
 				User: []Permission{},
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@ -718,11 +718,11 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate},
 			Resource: rbac.ResourceIdpsyncSettings.InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true: {owner, orgAdmin},
+				true: {owner, orgAdmin, orgUserAdmin},
 				false: {
 					orgMemberMe, otherOrgAdmin,
 					memberMe, userAdmin, templateAdmin,
-					orgAuditor, orgUserAdmin, orgTemplateAdmin,
+					orgAuditor, orgTemplateAdmin,
 					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
 				},
 			},