feat: Add template-admin + user-admin role for managing templates + users (#3490)

Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
2025-07-15 22:20:27 +00:00 · 2022-08-12 17:27:48 -05:00
parent c41261cf6e
commit 40e68cb80b
16 changed files with 219 additions and 59 deletions
--- a/coderd/rbac/builtin.go
+++ b/coderd/rbac/builtin.go
@ -9,9 +9,11 @@ import (
 )

 const (
-	admin   string = "admin"
-	member  string = "member"
-	auditor string = "auditor"
+	admin         string = "admin"
+	member        string = "member"
+	templateAdmin string = "template-admin"
+	userAdmin     string = "user-admin"
+	auditor       string = "auditor"

 	orgAdmin  string = "organization-admin"
 	orgMember string = "organization-member"
@ -26,6 +28,14 @@ func RoleAdmin() string {
 	return roleName(admin, "")
 }

+func RoleTemplateAdmin() string {
+	return roleName(templateAdmin, "")
+}
+
+func RoleUserAdmin() string {
+	return roleName(userAdmin, "")
+}
+
 func RoleMember() string {
 	return roleName(member, "")
 }
@ -93,6 +103,31 @@ var (
 			}
 		},

+		templateAdmin: func(_ string) Role {
+			return Role{
+				Name:        templateAdmin,
+				DisplayName: "Template Admin",
+				Site: permissions(map[Object][]Action{
+					ResourceTemplate: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					// CRUD all files, even those they did not upload.
+					ResourceFile:      {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceWorkspace: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					// CRUD to provisioner daemons for now.
+					ResourceProvisionerDaemon: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+				}),
+			}
+		},
+
+		userAdmin: func(_ string) Role {
+			return Role{
+				Name:        userAdmin,
+				DisplayName: "User Admin",
+				Site: permissions(map[Object][]Action{
+					ResourceUser: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+				}),
+			}
+		},
+
 		// orgAdmin returns a role with all actions allows in a given
 		// organization scope.
 		orgAdmin: func(organizationID string) Role {
@ -153,11 +188,13 @@ var (
 	//	map[actor_role][assign_role]<can_assign>
 	assignRoles = map[string]map[string]bool{
 		admin: {
-			admin:     true,
-			auditor:   true,
-			member:    true,
-			orgAdmin:  true,
-			orgMember: true,
+			admin:         true,
+			auditor:       true,
+			member:        true,
+			orgAdmin:      true,
+			orgMember:     true,
+			templateAdmin: true,
+			userAdmin:     true,
 		},
 		orgAdmin: {
 			orgAdmin:  true,