feat: Option to remove WorkspaceExec from owner role (#7050)

* chore: Add AllResources option for listing all RBAC objects * Owners cannot do workspace exec site wide * Fix FE authchecks to valid RBAC resources
2025-07-03 16:13:58 +00:00 · 2023-04-11 08:57:23 -05:00
parent ad2353c3d8
commit 9d39371ee0
28 changed files with 700 additions and 169 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -171,6 +171,12 @@ func New(options *Options) *API {
 		options = &Options{}
 	}

+	if options.DeploymentValues.DisableOwnerWorkspaceExec {
+		rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
+			NoOwnerWorkspaceExec: true,
+		})
+	}
+
 	if options.Authorizer == nil {
 		options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
 	}