feat: implement WorkspaceCreationBan org role #16686
Using negative permissions, this role prevents a user's ability to create & delete a workspace within a given organization. Workspaces are uniquely owned by an org and a user, so the org has to supersede the user permission with a negative permission.
it bugs me a tiny bit that the text wraps on the ban role. maybe we make the menu a little wider, or the text a little smaller? it's close enough that maybe even lowering the font weight would make it fit
left a few minor comments but this looks pretty good!
const filteredRoles = roles.filter( | ||
(role) => role.name !== "organization-workspace-creation-ban", | ||
); | ||
const advancedRoles = roles.filter( | ||
(role) => role.name === "organization-workspace-creation-ban", | ||
); |
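Review bot: the role name "organization-workspace-creation-ban" is written out as a string literal in both filter predicates, so a typo or rename in only one of them would leave the ban role in both filteredRoles and advancedRoles, or in neither. Consider hoisting the name into a single constant and deriving both lists from one shared predicate and its negation.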
if we wanted to be brave we could use Object.groupBy here, but that function is super new :\ I'm not crazy about iterating over the list twice but it'll always be short so I'm probably overthinking it
Co-authored-by: ケイラ <mckayla@hey.com>
…coder into stevenmasley/workspaceban
/cherry-pick release/2.20
Using negative permissions, this role prevents a user's ability to create & delete a workspace within a given organization.
Workspaces are uniquely owned by an org and a user, so the org has to supersede the user permission with a negative permission.
Use case
Organizations must be able to restrict a member's ability to create a workspace. This permission is implicitly granted (see #16546 (comment)).
To revoke this permission, the solution chosen was to use negative permissions in a built in role called WorkspaceCreationBan.
Rationale
Using negative permissions is new territory, and not ideal. However, workspaces are in a unique position.
Workspaces have 2 owners. The organization and the user. To prevent users from creating a workspace in another organization, an implied negative permission is used. So the truth table looks like: how to read this table here
This new role, WorkspaceCreationBan, is the same truth table condition as if the user was not a member of the organization (when doing a workspace create/delete). So this behavior is not entirely new.
How to do it without a negative permission
The alternate approach would be to remove the implied permission, and grant it via an organization role. However this would add new behavior that an organizational role has the ability to grant a user permissions on their own resources?
It does not make sense for an org role to prevent a user from changing their profile information for example. So the only option is to create a new truth table column for resources that are owned by both an organization and a user.
Now a user has no opinion on if they can create a workspace, which feels a little wrong. A user should have the authority over what is theirs.
There is a fundamental philosophical question of "Who does a workspace belong to?". The user has some set of autonomy, yet it is the organization that controls its existence. A head scratcher 🤔
Will we need more negative built in roles?
There are few resources that have shared ownership. Only ResourceOrganizationMember and ResourceGroupMember. Since negative permissions are intended to revoke access to a shared resource, then no. This is the only one we need.
Classic resources like ResourceTemplate are entirely controlled by the Organization permissions. And resources entirely in the user control (like user profile) are only controlled by User permissions.
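A simplified model of the evaluation this description argues for, added here as an illustration and not taken from the project's RBAC code. The names Perm, BanRole, OwnWorkspace, vote and CanDo, the three-valued vote, and the precedence rule are assumptions chosen to match the description: a banned member ends up in the same create/delete position as a non-member, while other actions on their own workspace are untouched.

```go
package main

import "fmt"

// Perm is one permission; Negate marks a negative (revoking) permission.
type Perm struct {
	Resource, Action string
	Negate           bool
}

// Constructed sample data: the ban negates only create and delete.
var (
	BanRole      = []Perm{{"workspace", "create", true}, {"workspace", "delete", true}}
	OwnWorkspace = []Perm{{"workspace", "create", false}, {"workspace", "delete", false}, {"workspace", "update", false}}
)

// vote: -1 deny, 0 no opinion, 1 allow; a negative match wins at its level.
func vote(perms []Perm, res, act string) (v int) {
	for _, p := range perms {
		if p.Resource == res && p.Action == act {
			if p.Negate {
				return -1
			}
			v = 1
		}
	}
	return v
}

// CanDo decides an action on a resource owned by both an org and a user.
// Assumed rule: a non-member gets an implied org-level deny; an org vote
// supersedes the user vote, which counts only when the org abstains.
func CanDo(member bool, orgPerms, userPerms []Perm, res, act string) bool {
	org := -1
	if member {
		org = vote(orgPerms, res, act)
	}
	if org != 0 {
		return org == 1
	}
	return vote(userPerms, res, act) == 1
}

func main() {
	for _, act := range []string{"create", "delete", "update"} {
		fmt.Println(act, CanDo(true, BanRole, OwnWorkspace, "workspace", act))
	}
}
```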