fix: allow user admins to manage groups (#4498)

sreya · web-flow · commit 47805643f74b · 2022-10-12T14:33:03.000-05:00
diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -127,6 +127,7 @@ var (
 					ResourceUser.Type:           {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 					// Full perms to manage org members
 					ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceGroup.Type:              {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 				}),
 			}
 		},
diff --git a/coderd/rbac/builtin_test.go b/coderd/rbac/builtin_test.go
@@ -369,6 +369,15 @@ func TestRolePermissions(t *testing.T) {
 				false: {memberMe, otherOrgAdmin, otherOrgMember, userAdmin},
 			},
 		},
+		{
+			Name:     "Groups",
+			Actions:  []rbac.Action{rbac.ActionRead},
+			Resource: rbac.ResourceGroup.InOrg(orgID),
+			AuthorizeMap: map[bool][]authSubject{
+				true:  {owner, orgAdmin, userAdmin, orgMemberMe},
+				false: {memberMe, otherOrgAdmin, otherOrgMember, templateAdmin},
+			},
+		},
 	}
 
 	for _, c := range testCases {
diff --git a/docs/admin/users.md b/docs/admin/users.md
@@ -9,7 +9,7 @@ Coder offers these user roles in the community edition:
 |                                            | User Admin | Template Admin | Owner |
 | ------------------------------------------ | ---------- | -------------- | ----- |
 | Add and remove Users                       | ✅         |                | ✅    |
-| Manage groups (enterprise)                 |            |                |       |
+| Manage groups (enterprise)                 | ✅         |                | ✅    |
 | Change User roles                          |            |                | ✅    |
 | Manage **ALL** Templates                   |            | ✅             | ✅    |
 | View, update and delete **ALL** Workspaces |            | ✅             | ✅    |

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ var (`
`127`	`127`	`ResourceUser.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},`
`128`	`128`	`// Full perms to manage org members`
`129`	`129`	`ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},`
	`130`	`+ ResourceGroup.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},`
`130`	`131`	`}),`
`131`	`132`	`}`
`132`	`133`	`},`