coder
diff --git a/‎Makefile
+7-2 b/‎Makefile
+7-2
diff --git a/‎cli/testdata/coder_server_--help.golden
+6 b/‎cli/testdata/coder_server_--help.golden
+6
diff --git a/‎cli/testdata/server-config.yaml.golden
+6 b/‎cli/testdata/server-config.yaml.golden
+6
diff --git a/‎coderd/apidoc/docs.go
+59-1 b/‎coderd/apidoc/docs.go
+59-1
diff --git a/‎coderd/apidoc/swagger.json
+59-1 b/‎coderd/apidoc/swagger.json
+59-1
diff --git a/‎coderd/authorize.go
+2-2 b/‎coderd/authorize.go
+2-2
diff --git a/‎coderd/authorize_test.go
+7-7 b/‎coderd/authorize_test.go
+7-7
diff --git a/‎coderd/coderd.go
+6 b/‎coderd/coderd.go
+6
diff --git a/‎coderd/coderdtest/coderdtest.go
+2 b/‎coderd/coderdtest/coderdtest.go
+2
diff --git a/‎coderd/rbac/object.go
+6-5 b/‎coderd/rbac/object.go
+6-5
diff --git a/‎coderd/rbac/object_gen.go
+30 b/‎coderd/rbac/object_gen.go
+30
@@ -423,6 +423,7 @@ gen: \
 	provisionersdk/proto/provisioner.pb.go \
 	provisionerd/proto/provisionerd.pb.go \
 	site/src/api/typesGenerated.ts \
+	coderd/rbac/object_gen.go \
 	docs/admin/prometheus.md \
 	docs/cli.md \
 	docs/admin/audit-logs.md \
@@ -443,6 +444,7 @@ gen/mark-fresh:
 		provisionersdk/proto/provisioner.pb.go \
 		provisionerd/proto/provisionerd.pb.go \
 		site/src/api/typesGenerated.ts \
+		coderd/rbac/object_gen.go \
 		docs/admin/prometheus.md \
 		docs/cli.md \
 		docs/admin/audit-logs.md \
@@ -495,6 +497,9 @@ site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./coders
 	cd site
 	yarn run format:types
 
+coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+	go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go
+
 docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	cd site
@@ -505,12 +510,12 @@ docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES) docs/manifest.json
 	cd site
 	yarn run format:write:only ../docs/cli.md ../docs/cli/*.md ../docs/manifest.json
 
-docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go
+docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
 	go run scripts/auditdocgen/main.go
 	cd site
 	yarn run format:write:only ../docs/admin/audit-logs.md
 
-coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json
+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json coderd/rbac/object_gen.go
 	./scripts/apidocgen/generate.sh
 	yarn run --cwd=site format:write:only ../docs/api ../docs/manifest.json ../coderd/apidoc/swagger.json
 
 
@@ -16,6 +16,12 @@ Start a Coder server
           $CACHE_DIRECTORY is set, it will be used for compatibility with
           systemd.
 
+      --disable-owner-workspace-access bool, $CODER_DISABLE_OWNER_WORKSPACE_ACCESS
+          Remove the permission for the 'owner' role to have workspace execution
+          on all workspaces. This prevents the 'owner' from ssh, apps, and
+          terminal access based on the 'owner' role. They still have their user
+          permissions to access their own workspaces.
+
       --disable-path-apps bool, $CODER_DISABLE_PATH_APPS
           Disable workspace apps that are not served from subdomains. Path-based
           apps can make requests to the Coder API and pose a security risk when
 
@@ -315,6 +315,12 @@ agentFallbackTroubleshootingURL: https://coder.com/docs/coder-oss/latest/templat
 # --wildcard-access-url is configured.
 # (default: <unset>, type: bool)
 disablePathApps: false
+# Remove the permission for the 'owner' role to have workspace execution on all
+# workspaces. This prevents the 'owner' from ssh, apps, and terminal access based
+# on the 'owner' role. They still have their user permissions to access their own
+# workspaces.
+# (default: <unset>, type: bool)
+disableOwnerWorkspaceAccess: false
 # These options change the behavior of how clients interact with the Coder.
 # Clients include the coder cli, vs code extension, and the web UI.
 client:
 
@@ -168,7 +168,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 		obj := rbac.Object{
 			Owner: v.Object.OwnerID,
 			OrgID: v.Object.OrganizationID,
-			Type:  v.Object.ResourceType,
+			Type:  v.Object.ResourceType.String(),
 		}
 		if obj.Owner == "me" {
 			obj.Owner = auth.Actor.ID
@@ -188,7 +188,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			var dbObj rbac.Objecter
 			var dbErr error
 			// Only support referencing some resources by ID.
-			switch v.Object.ResourceType {
+			switch v.Object.ResourceType.String() {
 			case rbac.ResourceWorkspaceExecution.Type:
 				wrkSpace, err := api.Database.GetWorkspaceByID(ctx, id)
 				if err == nil {
 
@@ -46,34 +46,34 @@ func TestCheckPermissions(t *testing.T) {
 	params := map[string]codersdk.AuthorizationCheck{
 		readAllUsers: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: "users",
+				ResourceType: codersdk.ResourceUser,
 			},
 			Action: "read",
 		},
 		readMyself: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: "users",
+				ResourceType: codersdk.ResourceUser,
 				OwnerID:      "me",
 			},
 			Action: "read",
 		},
 		readOwnWorkspaces: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: "workspaces",
+				ResourceType: codersdk.ResourceWorkspace,
 				OwnerID:      "me",
 			},
 			Action: "read",
 		},
 		readOrgWorkspaces: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType:   "workspaces",
+				ResourceType:   codersdk.ResourceWorkspace,
 				OrganizationID: adminUser.OrganizationID.String(),
 			},
 			Action: "read",
 		},
 		updateSpecificTemplate: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: rbac.ResourceTemplate.Type,
+				ResourceType: codersdk.ResourceTemplate,
 				ResourceID:   template.ID.String(),
 			},
 			Action: "update",
@@ -103,7 +103,7 @@ func TestCheckPermissions(t *testing.T) {
 			Client: orgAdminClient,
 			UserID: orgAdminUser.ID,
 			Check: map[string]bool{
-				readAllUsers:           false,
+				readAllUsers:           true,
 				readMyself:             true,
 				readOwnWorkspaces:      true,
 				readOrgWorkspaces:      true,
@@ -115,7 +115,7 @@ func TestCheckPermissions(t *testing.T) {
 			Client: memberClient,
 			UserID: memberUser.ID,
 			Check: map[string]bool{
-				readAllUsers:           false,
+				readAllUsers:           true,
 				readMyself:             true,
 				readOwnWorkspaces:      true,
 				readOrgWorkspaces:      false,
 
@@ -171,6 +171,12 @@ func New(options *Options) *API {
 		options = &Options{}
 	}
 
+	if options.DeploymentValues.DisableOwnerWorkspaceExec {
+		rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
+			NoOwnerWorkspaceExec: true,
+		})
+	}
+
 	if options.Authorizer == nil {
 		options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
 	}
 
@@ -203,6 +203,8 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 	if options.DeploymentValues == nil {
 		options.DeploymentValues = DeploymentValues(t)
 	}
+	// This value is not safe to run in parallel. Force it to be false.
+	options.DeploymentValues.DisableOwnerWorkspaceExec = false
 
 	// If no ratelimits are set, disable all rate limiting for tests.
 	if options.APIRateLimit == 0 {
 
@@ -14,6 +14,12 @@ type Objecter interface {
 // Resources are just typed objects. Making resources this way allows directly
 // passing them into an Authorize function and use the chaining api.
 var (
+	// ResourceWildcard represents all resource types
+	// Try to avoid using this where possible.
+	ResourceWildcard = Object{
+		Type: WildcardSymbol,
+	}
+
 	// ResourceWorkspace CRUD. Org + User owner
 	//	create/delete = make or delete workspaces
 	// 	read = access workspace
@@ -136,11 +142,6 @@ var (
 		Type: "organization_member",
 	}
 
-	// ResourceWildcard represents all resource types
-	ResourceWildcard = Object{
-		Type: WildcardSymbol,
-	}
-
 	// ResourceLicense is the license in the 'licenses' table.
 	// ResourceLicense is site wide.
 	// 	create/delete = add or remove license from site.
Original file line number	Diff line number	Diff line change
`@@ -171,6 +171,12 @@ func New(options Options) API {`
`171`	`171`	`options = &Options{}`
`172`	`172`	`}`
`173`	`173`
	`174`	`+ if options.DeploymentValues.DisableOwnerWorkspaceExec {`
	`175`	`+ rbac.ReloadBuiltinRoles(&rbac.RoleOptions{`
	`176`	`+ NoOwnerWorkspaceExec: true,`
	`177`	`+ })`
	`178`	`+ }`
	`179`	`+`
`174`	`180`	`if options.Authorizer == nil {`
`175`	`181`	`options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)`
`176`	`182`	`}`
Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,8 @@ func NewOptions(t testing.T, options Options) (func(http.Handler), context.Can`
`203`	`203`	`if options.DeploymentValues == nil {`
`204`	`204`	`options.DeploymentValues = DeploymentValues(t)`
`205`	`205`	`}`
	`206`	`+ // This value is not safe to run in parallel. Force it to be false.`
	`207`	`+ options.DeploymentValues.DisableOwnerWorkspaceExec = false`
`206`	`208`
`207`	`209`	`// If no ratelimits are set, disable all rate limiting for tests.`
`208`	`210`	`if options.APIRateLimit == 0 {`