chore: clean up built-in role permissions

aslilac · aslilac · commit 19a26b3113b4 · 2025-02-20T21:07:41.000Z
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -283,10 +283,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			Permissions(map[string][]policy.Action{
 				// Reduced permission set on dormant workspaces. No build, ssh, or exec
 				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
-
 				// Users cannot do create/update/delete on themselves, but they
 				// can read their own details.
 				ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
+				// Can read their own organization member record
+				ResourceOrganizationMember.Type: {policy.ActionRead},
 				// Users can create provisioner daemons scoped to themselves.
 				ResourceProvisionerDaemon.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
 			})...,
@@ -423,12 +424,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceAssignOrgRole.Type: {policy.ActionRead},
 					}),
 				},
-				User: []Permission{
-					{
-						ResourceType: ResourceOrganizationMember.Type,
-						Action:       policy.ActionRead,
-					},
-				},
+				User: []Permission{},
 			}
 		},
 		orgAuditor: func(organizationID uuid.UUID) Role {
@@ -439,6 +435,12 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
 						ResourceAuditLog.Type: {policy.ActionRead},
+						// Allow auditors to see the resources that audit logs reflect.
+						ResourceTemplate.Type:           {policy.ActionRead, policy.ActionViewInsights},
+						ResourceGroup.Type:              {policy.ActionRead},
+						ResourceGroupMember.Type:        {policy.ActionRead},
+						ResourceOrganization.Type:       {policy.ActionRead},
+						ResourceOrganizationMember.Type: {policy.ActionRead},
 					}),
 				},
 				User: []Permission{},
@@ -458,6 +460,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 					organizationID.String(): Permissions(map[string][]policy.Action{
 						// Assign, remove, and read roles in the organization.
 						ResourceAssignOrgRole.Type:      {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
+						ResourceOrganization.Type:       {policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						ResourceGroup.Type:              ResourceGroup.AvailableActions(),
 						ResourceGroupMember.Type:        ResourceGroupMember.AvailableActions(),
@@ -479,9 +482,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
 						ResourceWorkspace.Type: {policy.ActionRead},
 						// Assigning template perms requires this permission.
+						ResourceOrganization.Type:       {policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionRead},
 						ResourceGroup.Type:              {policy.ActionRead},
 						ResourceGroupMember.Type:        {policy.ActionRead},
+						ResourceProvisionerDaemon.Type:  {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						ResourceProvisionerJobs.Type:    {policy.ActionRead},
 					}),
 				},
diff --git a/site/src/modules/management/OrganizationSidebarView.tsx b/site/src/modules/management/OrganizationSidebarView.tsx
@@ -167,11 +167,9 @@ const OrganizationSettingsNavigation: FC<
 	return (
 		<>
 			<div className="flex flex-col gap-1 my-2">
-				{orgPermissions.viewMembers && (
-					<SettingsSidebarNavItem end href={urlForSubpage(organization.name)}>
-						Members
-					</SettingsSidebarNavItem>
-				)}
+				<SettingsSidebarNavItem end href={urlForSubpage(organization.name)}>
+					Members
+				</SettingsSidebarNavItem>
 				{orgPermissions.viewGroups && (
 					<SettingsSidebarNavItem
 						href={urlForSubpage(organization.name, "groups")}
diff --git a/site/src/modules/management/organizationPermissions.tsx b/site/src/modules/management/organizationPermissions.tsx
@@ -114,7 +114,6 @@ export const canViewOrganization = (
 		permissions !== undefined &&
 		(permissions.viewMembers ||
 			permissions.viewGroups ||
-			permissions.viewOrgRoles ||
 			permissions.viewProvisioners ||
 			permissions.viewIdpSyncSettings)
 	);
