coder
diff --git a/‎coderd/rbac/object.go
+21-21 b/‎coderd/rbac/object.go
+21-21
diff --git a/‎coderd/rbac/object_gen.go
+73-28 b/‎coderd/rbac/object_gen.go
+73-28
diff --git a/‎coderd/rbac/policy/policy.go
+131 b/‎coderd/rbac/policy/policy.go
+131
@@ -18,17 +18,17 @@ type Objecter interface {
 var (
 	// ResourceWildcard represents all resource types
 	// Try to avoid using this where possible.
-	ResourceWildcard = Object{
-		Type: WildcardSymbol,
-	}
+	//ResourceWildcard = Object{
+	//	Type: WildcardSymbol,
+	//}
 
 	// ResourceWorkspace CRUD. Org + User owner
 	//	create/delete = make or delete workspaces
 	// 	read = access workspace
 	//	update = edit workspace variables
-	ResourceWorkspace = Object{
-		Type: "workspace",
-	}
+	//ResourceWorkspace = Object{
+	//	Type: "workspace",
+	//}
 
 	// ResourceWorkspaceBuild refers to permissions necessary to
 	// insert a workspace build job.
@@ -49,9 +49,9 @@ var (
 	//	create/delete = make or delete proxies
 	// 	read = read proxy urls
 	//	update = edit workspace proxy fields
-	ResourceWorkspaceProxy = Object{
-		Type: "workspace_proxy",
-	}
+	//ResourceWorkspaceProxy = Object{
+	//	Type: "workspace_proxy",
+	//}
 
 	// ResourceWorkspaceExecution CRUD. Org + User owner
 	//	create = workspace remote execution
@@ -73,9 +73,9 @@ var (
 
 	// ResourceAuditLog
 	// read = access audit log
-	ResourceAuditLog = Object{
-		Type: "audit_log",
-	}
+	//ResourceAuditLog = Object{
+	//	Type: "audit_log",
+	//}
 
 	// ResourceTemplate CRUD. Org owner only.
 	//	create/delete = Make or delete a new template
@@ -170,22 +170,22 @@ var (
 	// 	create/delete = add or remove license from site.
 	// 	read = view license claims
 	// 	update = not applicable; licenses are immutable
-	ResourceLicense = Object{
-		Type: "license",
-	}
+	//ResourceLicense = Object{
+	//	Type: "license",
+	//}
 
 	// ResourceDeploymentValues
 	ResourceDeploymentValues = Object{
 		Type: "deployment_config",
 	}
 
-	ResourceDeploymentStats = Object{
-		Type: "deployment_stats",
-	}
+	//ResourceDeploymentStats = Object{
+	//	Type: "deployment_stats",
+	//}
 
-	ResourceReplicas = Object{
-		Type: "replicas",
-	}
+	//ResourceReplicas = Object{
+	//	Type: "replicas",
+	//}
 
 	// ResourceDebugInfo controls access to the debug routes `/api/v2/debug/*`.
 	ResourceDebugInfo = Object{
 
@@ -1,5 +1,11 @@
 package policy
 
+import "strings"
+
+const WildcardSymbol = "*"
+
+type actionFields uint32
+
 // Action represents the allowed actions to be done on an object.
 type Action string
 
@@ -8,4 +14,129 @@ const (
 	ActionRead   Action = "read"
 	ActionUpdate Action = "update"
 	ActionDelete Action = "delete"
+
+	ActionUse                Action = "use"
+	ActionSSH                Action = "ssh"
+	ActionApplicationConnect        = "application_connect"
 )
+
+const (
+	fieldOwner actionFields = 1 << iota
+	fieldOrg
+	fieldACL
+)
+
+type PermissionDefinition struct {
+	// name is optional. Used to override "Type" for function naming.
+	name string
+	// Type should be a unique string to identify the
+	Type string
+	// Actions are a map of actions to some description of what the action
+	// should represent. The key in the actions map is the verb to use
+	// in the rbac policy.
+	Actions map[Action]ActionDefinition
+}
+
+func (p PermissionDefinition) Name() string {
+	if p.name != "" {
+		return p.name
+	}
+	return p.Type
+}
+
+type ActionDefinition struct {
+	// Human friendly description to explain the action.
+	Description string
+
+	// These booleans enforce these fields are p
+	Fields actionFields
+}
+
+func actDef(fields actionFields, description string) ActionDefinition {
+	return ActionDefinition{
+		Description: description,
+		Fields:      fields,
+	}
+}
+
+func (a ActionDefinition) Requires() string {
+	fields := make([]string, 0)
+	if a.Fields&fieldOwner != 0 {
+		fields = append(fields, "owner")
+	}
+	if a.Fields&fieldOrg != 0 {
+		fields = append(fields, "org")
+	}
+	if a.Fields&fieldACL != 0 {
+		fields = append(fields, "acl")
+	}
+
+	return strings.Join(fields, ",")
+}
+
+var RBACPermissions = []PermissionDefinition{
+	{
+		name: "Wildcard",
+		Type: WildcardSymbol,
+		Actions: map[Action]ActionDefinition{
+			WildcardSymbol: {
+				Description: "Wildcard gives admin level access to all resources and all actions.",
+				Fields:      0,
+			},
+		},
+	},
+	{
+		Type: "workspace",
+		Actions: map[Action]ActionDefinition{
+			ActionCreate: actDef(fieldOwner|fieldOrg, "create a workspace"),
+			ActionRead:   actDef(fieldOwner|fieldOrg|fieldACL, "read workspace data"),
+			// TODO: Make updates more granular
+			ActionUpdate:             actDef(fieldOwner|fieldOrg|fieldACL, "update a workspace"),
+			ActionDelete:             actDef(fieldOwner|fieldOrg|fieldACL, "delete a workspace"),
+			ActionSSH:                actDef(fieldOwner|fieldOrg|fieldACL, "ssh into a given workspace"),
+			ActionApplicationConnect: actDef(fieldOwner|fieldOrg|fieldACL, "connect to workspace apps via browser"),
+		},
+	},
+	{
+		Type: "workspace_proxy",
+		Actions: map[Action]ActionDefinition{
+			ActionCreate: actDef(0, "create a workspace proxy"),
+			ActionDelete: actDef(0, "delete a workspace proxy"),
+			ActionUpdate: actDef(0, "update a workspace proxy"),
+			ActionRead:   actDef(0, "read and use a workspace proxy"),
+		},
+	},
+	{
+		Type: "license",
+		Actions: map[Action]ActionDefinition{
+			ActionCreate: actDef(0, "create a license"),
+			ActionRead:   actDef(0, "read licenses"),
+			ActionDelete: actDef(0, "delete license"),
+			// Licenses are immutable, so update makes no sense
+		},
+	},
+	{
+		Type: "audit_log",
+		Actions: map[Action]ActionDefinition{
+			ActionRead: actDef(0, "read audit logs"),
+		},
+	},
+	{
+		Type: "deployment_config",
+		Actions: map[Action]ActionDefinition{
+			ActionRead: actDef(0, "read deployment config"),
+		},
+	},
+	{
+		Type: "deployment_stats",
+		Actions: map[Action]ActionDefinition{
+			ActionRead: actDef(0, "read deployment stats"),
+		},
+	},
+	{
+		Type: "replicas",
+		Actions: map[Action]ActionDefinition{
+			ActionRead: actDef(0, "read replicas"),
+		},
+	},
+}