coder
diff --git a/‎coderd/apidoc/docs.go
+8 b/‎coderd/apidoc/docs.go
+8
diff --git a/‎coderd/apidoc/swagger.json
+8 b/‎coderd/apidoc/swagger.json
+8
diff --git a/‎coderd/database/db2sdk/db2sdk.go
+7-2 b/‎coderd/database/db2sdk/db2sdk.go
+7-2
diff --git a/‎coderd/database/models.go
+1-1 b/‎coderd/database/models.go
+1-1
diff --git a/‎coderd/database/querier.go
+1-1 b/‎coderd/database/querier.go
+1-1
diff --git a/‎coderd/database/queries.sql.go
+10-4 b/‎coderd/database/queries.sql.go
+10-4
diff --git a/‎coderd/database/queries/roles.sql
+5 b/‎coderd/database/queries/roles.sql
+5
diff --git a/‎coderd/rbac/roles.go
+18-18 b/‎coderd/rbac/roles.go
+18-18
diff --git a/‎coderd/rbac/rolestore/rolestore.go
+23-2 b/‎coderd/rbac/rolestore/rolestore.go
+23-2
diff --git a/‎coderd/roles.go
+17 b/‎coderd/roles.go
+17
diff --git a/‎codersdk/roles.go
+1 b/‎codersdk/roles.go
+1
@@ -527,8 +527,13 @@ func ProvisionerDaemon(dbDaemon database.ProvisionerDaemon) codersdk.Provisioner
 }
 
 func Role(role rbac.Role) codersdk.Role {
+	roleName, orgIDStr, err := rbac.RoleSplit(role.Name)
+	if err != nil {
+		roleName = role.Name
+	}
 	return codersdk.Role{
-		Name:                    role.Name,
+		Name:                    roleName,
+		OrganizationID:          orgIDStr,
 		DisplayName:             role.DisplayName,
 		SitePermissions:         List(role.Site, Permission),
 		OrganizationPermissions: Map(role.Org, ListLazy(Permission)),
@@ -546,7 +551,7 @@ func Permission(permission rbac.Permission) codersdk.Permission {
 
 func RoleToRBAC(role codersdk.Role) rbac.Role {
 	return rbac.Role{
-		Name:        role.Name,
+		Name:        rbac.RoleName(role.Name, role.OrganizationID),
 		DisplayName: role.DisplayName,
 		Site:        List(role.SitePermissions, PermissionToRBAC),
 		Org:         Map(role.OrganizationPermissions, ListLazy(PermissionToRBAC)),
 
@@ -16,6 +16,11 @@ WHERE
 	organization_id IS null
 	ELSE true
   END
+  -- Org scoping filter, to only fetch site wide roles
+  AND CASE WHEN @organization_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid  THEN
+      organization_id = @organization_id
+    ELSE true
+  END
 ;
 
 -- name: UpsertCustomRole :one
 
@@ -53,29 +53,29 @@ func (names RoleNames) Names() []string {
 // site and orgs, and these functions can be removed.
 
 func RoleOwner() string {
-	return roleName(owner, "")
+	return RoleName(owner, "")
 }
 
-func CustomSiteRole() string { return roleName(customSiteRole, "") }
+func CustomSiteRole() string { return RoleName(customSiteRole, "") }
 
 func RoleTemplateAdmin() string {
-	return roleName(templateAdmin, "")
+	return RoleName(templateAdmin, "")
 }
 
 func RoleUserAdmin() string {
-	return roleName(userAdmin, "")
+	return RoleName(userAdmin, "")
 }
 
 func RoleMember() string {
-	return roleName(member, "")
+	return RoleName(member, "")
 }
 
 func RoleOrgAdmin(organizationID uuid.UUID) string {
-	return roleName(orgAdmin, organizationID.String())
+	return RoleName(orgAdmin, organizationID.String())
 }
 
 func RoleOrgMember(organizationID uuid.UUID) string {
-	return roleName(orgMember, organizationID.String())
+	return RoleName(orgMember, organizationID.String())
 }
 
 func allPermsExcept(excepts ...Objecter) []Permission {
@@ -273,7 +273,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		// organization scope.
 		orgAdmin: func(organizationID string) Role {
 			return Role{
-				Name:        roleName(orgAdmin, organizationID),
+				Name:        RoleName(orgAdmin, organizationID),
 				DisplayName: "Organization Admin",
 				Site:        []Permission{},
 				Org: map[string][]Permission{
@@ -291,7 +291,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		// in an organization.
 		orgMember: func(organizationID string) Role {
 			return Role{
-				Name:        roleName(orgMember, organizationID),
+				Name:        RoleName(orgMember, organizationID),
 				DisplayName: "",
 				Site:        []Permission{},
 				Org: map[string][]Permission{
@@ -475,13 +475,13 @@ func CanAssignRole(expandable ExpandableRoles, assignedRole string) bool {
 	// For CanAssignRole, we only care about the names of the roles.
 	roles := expandable.Names()
 
-	assigned, assignedOrg, err := roleSplit(assignedRole)
+	assigned, assignedOrg, err := RoleSplit(assignedRole)
 	if err != nil {
 		return false
 	}
 
 	for _, longRole := range roles {
-		role, orgID, err := roleSplit(longRole)
+		role, orgID, err := RoleSplit(longRole)
 		if err != nil {
 			continue
 		}
@@ -510,7 +510,7 @@ func CanAssignRole(expandable ExpandableRoles, assignedRole string) bool {
 // api. We should maybe make an exported function that returns just the
 // human-readable content of the Role struct (name + display name).
 func RoleByName(name string) (Role, error) {
-	roleName, orgID, err := roleSplit(name)
+	roleName, orgID, err := RoleSplit(name)
 	if err != nil {
 		return Role{}, xerrors.Errorf("parse role name: %w", err)
 	}
@@ -544,7 +544,7 @@ func rolesByNames(roleNames []string) ([]Role, error) {
 }
 
 func IsOrgRole(roleName string) (string, bool) {
-	_, orgID, err := roleSplit(roleName)
+	_, orgID, err := RoleSplit(roleName)
 	if err == nil && orgID != "" {
 		return orgID, true
 	}
@@ -561,7 +561,7 @@ func OrganizationRoles(organizationID uuid.UUID) []Role {
 	var roles []Role
 	for _, roleF := range builtInRoles {
 		role := roleF(organizationID.String())
-		_, scope, err := roleSplit(role.Name)
+		_, scope, err := RoleSplit(role.Name)
 		if err != nil {
 			// This should never happen
 			continue
@@ -582,7 +582,7 @@ func SiteRoles() []Role {
 	var roles []Role
 	for _, roleF := range builtInRoles {
 		role := roleF("random")
-		_, scope, err := roleSplit(role.Name)
+		_, scope, err := RoleSplit(role.Name)
 		if err != nil {
 			// This should never happen
 			continue
@@ -625,19 +625,19 @@ func ChangeRoleSet(from []string, to []string) (added []string, removed []string
 	return added, removed
 }
 
-// roleName is a quick helper function to return
+// RoleName is a quick helper function to return
 //
 //	role_name:scopeID
 //
 // If no scopeID is required, only 'role_name' is returned
-func roleName(name string, orgID string) string {
+func RoleName(name string, orgID string) string {
 	if orgID == "" {
 		return name
 	}
 	return name + ":" + orgID
 }
 
-func roleSplit(role string) (name string, orgID string, err error) {
+func RoleSplit(role string) (name string, orgID string, err error) {
 	arr := strings.Split(role, ":")
 	if len(arr) > 2 {
 		return "", "", xerrors.Errorf("too many colons in role name")
 
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 
+	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/coderd/database"
@@ -95,8 +96,12 @@ func Expand(ctx context.Context, db database.Store, names []string) (rbac.Roles,
 }
 
 func ConvertDBRole(dbRole database.CustomRole) (rbac.Role, error) {
+	name := dbRole.Name
+	if dbRole.OrganizationID.Valid {
+		name = rbac.RoleName(dbRole.Name, dbRole.OrganizationID.UUID.String())
+	}
 	role := rbac.Role{
-		Name:        dbRole.Name,
+		Name:        name,
 		DisplayName: dbRole.DisplayName,
 		Site:        nil,
 		Org:         nil,
@@ -122,11 +127,27 @@ func ConvertDBRole(dbRole database.CustomRole) (rbac.Role, error) {
 }
 
 func ConvertRoleToDB(role rbac.Role) (database.CustomRole, error) {
+	roleName, orgIDStr, err := rbac.RoleSplit(role.Name)
+	if err != nil {
+		return database.CustomRole{}, xerrors.Errorf("split role %q: %w", role.Name, err)
+	}
+
 	dbRole := database.CustomRole{
-		Name:        role.Name,
+		Name:        roleName,
 		DisplayName: role.DisplayName,
 	}
 
+	if orgIDStr != "" {
+		orgID, err := uuid.Parse(orgIDStr)
+		if err != nil {
+			return database.CustomRole{}, xerrors.Errorf("parse org id %q: %w", orgIDStr, err)
+		}
+		dbRole.OrganizationID = uuid.NullUUID{
+			UUID:  orgID,
+			Valid: true,
+		}
+	}
+
 	siteData, err := json.Marshal(role.Site)
 	if err != nil {
 		return dbRole, xerrors.Errorf("marshal site permissions: %w", err)
 
@@ -129,6 +129,23 @@ func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	roles := rbac.OrganizationRoles(organization.ID)
+	dbCustomRoles, err := api.Database.CustomRoles(ctx, database.CustomRolesParams{
+		LookupRoles:     nil,
+		ExcludeOrgRoles: false,
+		OrganizationID:  organization.ID,
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	customRoles := make([]rbac.Role, 0, len(dbCustomRoles))
+	for _, customRole := range dbCustomRoles {
+		rbacRole, err := rolestore.ConvertDBRole(customRole)
+		if err == nil {
+			customRoles = append(customRoles, rbacRole)
+		}
+	}
 	httpapi.Write(ctx, rw, http.StatusOK, assignableRoles(actorRoles.Roles, roles, []rbac.Role{}))
 }
 
 
@@ -36,6 +36,7 @@ type Permission struct {
 // Role is a longer form of SlimRole used to edit custom roles.
 type Role struct {
 	Name            string       `json:"name" table:"name,default_sort" validate:"username"`
+	OrganizationID  string       `json:"organization_id" table:"organization_id" format:"uuid"`
 	DisplayName     string       `json:"display_name" table:"display_name"`
 	SitePermissions []Permission `json:"site_permissions" table:"site_permissions"`
 	// map[<org_id>] -> Permissions