coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/rbac/roles.go
Lines changed: 5 additions & 0 deletions b/‎coderd/rbac/roles.go
Lines changed: 5 additions & 0 deletions
@@ -412,6 +412,21 @@ var (
 						policy.ActionCreate, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate,
 						policy.ActionWorkspaceStart, policy.ActionWorkspaceStop,
 					},
+					// Should be able to add the prebuilds system user as a member to any organization that needs prebuilds.
+					rbac.ResourceOrganizationMember.Type: {
+						policy.ActionCreate,
+					},
+					// Needs to be able to assign roles to the system user in order to make it a member of an organization.
+					rbac.ResourceAssignOrgRole.Type: {
+						policy.ActionAssign,
+					},
+					// Needs to be able to read users to determine which organizations the prebuild system user is a member of.
+					rbac.ResourceUser.Type: {
+						policy.ActionRead,
+					},
+					rbac.ResourceOrganization.Type: {
+						policy.ActionRead,
+					},
 				}),
 			},
 		}),
 
@@ -33,6 +33,8 @@ const (
 	orgUserAdmin            string = "organization-user-admin"
 	orgTemplateAdmin        string = "organization-template-admin"
 	orgWorkspaceCreationBan string = "organization-workspace-creation-ban"
+
+	prebuildsOrchestrator string = "prebuilds-orchestrator"
 )
 
 func init() {
@@ -599,6 +601,9 @@ var assignRoles = map[string]map[string]bool{
 	orgUserAdmin: {
 		orgMember: true,
 	},
+	prebuildsOrchestrator: {
+		orgMember: true,
+	},
 }
 
 // ExpandableRoles is any type that can be expanded into a []Role. This is implemented