Include workspace agent token example in rbac readme

Emyrk · Emyrk · commit f9245785f64b · 2023-01-18T11:28:43.000-06:00
diff --git a/coderd/rbac/README.md b/coderd/rbac/README.md
@@ -87,6 +87,19 @@ an unbounded set of resource IDs that be added to an "allow_list", as the number
 
 The use case for specifying this type of permission in a role is limited, and does not justify the extra cost. To solve this for the remaining cases (eg. workspace agent tokens), we can apply an `allow_list` on a scope. For most cases, the `allow_list` will just be `["*"]` which means the scope is allowed to be applied to any resource. This adds negligible cost to the role evaluation logic and 0 cost to partial evaluations.
 
+Example of a scope for a workspace agent token, using an `allow_list` containing a single resource id.
+```javascript
+    "scope": {
+      "name": "workspace_agent",
+      "display_name": "Workspace_Agent",
+      // The ID of the given workspace the agent token corrolates to.
+      "allow_list": ["10d03e62-7703-4df5-a358-4f76577d4e2f"],
+      "site": [/* ... perms ... */],
+      "org": {/* ... perms ... */},
+      "user": [/* ... perms ... */]
+    }
+```
+
 # Testing
 
 You can test outside of golang by using the `opa` cli.
