In #16029 we introduced a new RBAC resource called rbac.ResourceProvisionerJobs. However, the scope was limited to owners and template admins for now because proper expression (via RBACObject) requires that we also know the associated template or workspace (jobs refer only to template versions or workspace builds).

If we implement this as a PostgreSQL view which joins in the relevant template or workspace data, we can provisioner jobs to users as well (e.g. builds of their own workspace).

#16029 (comment)