coder
diff --git a/‎coderd/apidoc/docs.go
+2 b/‎coderd/apidoc/docs.go
+2
diff --git a/‎coderd/apidoc/swagger.json
+2 b/‎coderd/apidoc/swagger.json
+2
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+2-3 b/‎coderd/database/dbauthz/dbauthz.go
+2-3
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
+42-31 b/‎coderd/database/dbauthz/dbauthz_test.go
+42-31
diff --git a/‎coderd/rbac/object_gen.go
+9 b/‎coderd/rbac/object_gen.go
+9
diff --git a/‎coderd/rbac/policy/policy.go
+6 b/‎coderd/rbac/policy/policy.go
+6
diff --git a/‎coderd/rbac/roles_test.go
+15 b/‎coderd/rbac/roles_test.go
+15
diff --git a/‎codersdk/rbacresources_gen.go
+2 b/‎codersdk/rbacresources_gen.go
+2
diff --git a/‎docs/reference/api/members.md
+5 b/‎docs/reference/api/members.md
+5
diff --git a/‎docs/reference/api/schemas.md
+1 b/‎docs/reference/api/schemas.md
+1
diff --git a/‎site/src/api/rbacresourcesGenerated.ts
+4 b/‎site/src/api/rbacresourcesGenerated.ts
+4
diff --git a/‎site/src/api/typesGenerated.ts
+2 b/‎site/src/api/typesGenerated.ts
+2
@@ -186,6 +186,7 @@ var (
 					rbac.ResourceNotificationMessage.Type: {policy.ActionCreate, policy.ActionRead},
 					// Provisionerd creates workspaces resources monitor
 					rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionCreate},
+					rbac.ResourceWorkspaceAgentDevcontainers.Type:   {policy.ActionCreate},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -3399,9 +3400,7 @@ func (q *querier) InsertWorkspaceAgent(ctx context.Context, arg database.InsertW
 }
 
 func (q *querier) InsertWorkspaceAgentDevcontainers(ctx context.Context, arg database.InsertWorkspaceAgentDevcontainersParams) ([]database.WorkspaceAgentDevcontainer, error) {
-	// TODO: This should probably be a new RBAC resource and not rely on ResourceSystem.
-	// See: https://github.com/coder/coder/issues/13315
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceWorkspaceAgentDevcontainers); err != nil {
 		return nil, err
 	}
 	return q.db.InsertWorkspaceAgentDevcontainers(ctx, arg)
 
@@ -3988,37 +3988,6 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 			WorkspaceResourceID: uuid.New(),
 		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
 	}))
-	s.Run("InsertWorkspaceAgentDevcontainers", s.Subtest(func(db database.Store, check *expects) {
-		u := dbgen.User(s.T(), db, database.User{})
-		o := dbgen.Organization(s.T(), db, database.Organization{})
-		tpl := dbgen.Template(s.T(), db, database.Template{
-			OrganizationID: o.ID,
-			CreatedBy:      u.ID,
-		})
-		tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
-			TemplateID:     uuid.NullUUID{UUID: tpl.ID, Valid: true},
-			OrganizationID: o.ID,
-			CreatedBy:      u.ID,
-		})
-		w := dbgen.Workspace(s.T(), db, database.WorkspaceTable{
-			TemplateID:     tpl.ID,
-			OrganizationID: o.ID,
-			OwnerID:        u.ID,
-		})
-		j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{
-			Type: database.ProvisionerJobTypeWorkspaceBuild,
-		})
-		b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{
-			JobID:             j.ID,
-			WorkspaceID:       w.ID,
-			TemplateVersionID: tv.ID,
-		})
-		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: b.JobID})
-		agt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
-		check.Args(database.InsertWorkspaceAgentDevcontainersParams{
-			WorkspaceAgentID: agt.ID,
-		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
-	}))
 	s.Run("UpdateWorkspaceAgentConnectionByID", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
 		ws := dbgen.Workspace(s.T(), db, database.WorkspaceTable{})
@@ -5082,3 +5051,45 @@ func (s *MethodTestSuite) TestResourcesMonitor() {
 		check.Args(agt.ID).Asserts(w, policy.ActionRead).Returns(monitors)
 	}))
 }
+
+func (s *MethodTestSuite) TestResourcesProvisionerdserver() {
+	createAgent := func(t *testing.T, db database.Store) (database.WorkspaceAgent, database.WorkspaceTable) {
+		t.Helper()
+
+		u := dbgen.User(t, db, database.User{})
+		o := dbgen.Organization(t, db, database.Organization{})
+		tpl := dbgen.Template(t, db, database.Template{
+			OrganizationID: o.ID,
+			CreatedBy:      u.ID,
+		})
+		tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{
+			TemplateID:     uuid.NullUUID{UUID: tpl.ID, Valid: true},
+			OrganizationID: o.ID,
+			CreatedBy:      u.ID,
+		})
+		w := dbgen.Workspace(t, db, database.WorkspaceTable{
+			TemplateID:     tpl.ID,
+			OrganizationID: o.ID,
+			OwnerID:        u.ID,
+		})
+		j := dbgen.ProvisionerJob(t, db, nil, database.ProvisionerJob{
+			Type: database.ProvisionerJobTypeWorkspaceBuild,
+		})
+		b := dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
+			JobID:             j.ID,
+			WorkspaceID:       w.ID,
+			TemplateVersionID: tv.ID,
+		})
+		res := dbgen.WorkspaceResource(t, db, database.WorkspaceResource{JobID: b.JobID})
+		agt := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{ResourceID: res.ID})
+
+		return agt, w
+	}
+
+	s.Run("InsertWorkspaceAgentDevcontainers", s.Subtest(func(db database.Store, check *expects) {
+		agt, _ := createAgent(s.T(), db)
+		check.Args(database.InsertWorkspaceAgentDevcontainersParams{
+			WorkspaceAgentID: agt.ID,
+		}).Asserts(rbac.ResourceWorkspaceAgentDevcontainers, policy.ActionCreate)
+	}))
+}
@@ -309,4 +309,10 @@ var RBACPermissions = map[string]PermissionDefinition{
 			ActionUpdate: actDef("update workspace agent resource monitor"),
 		},
 	},
+	"workspace_agent_devcontainers": {
+		Actions: map[Action]ActionDefinition{
+			ActionRead:   actDef("read workspace agent devcontainers"),
+			ActionCreate: actDef("create workspace agent devcontainers"),
+		},
+	},
 }
@@ -806,6 +806,21 @@ func TestRolePermissions(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:     "WorkspaceAgentDevcontainers",
+			Actions:  []policy.Action{policy.ActionCreate},
+			Resource: rbac.ResourceWorkspaceAgentDevcontainers,
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {owner},
+				false: {
+					memberMe, orgMemberMe, otherOrgMember,
+					orgAdmin, otherOrgAdmin,
+					orgAuditor, otherOrgAuditor,
+					templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin,
+					userAdmin, orgUserAdmin, otherOrgUserAdmin,
+				},
+			},
+		},
 	}
 
 	// We expect every permission to be tested above.
 
@@ -167,6 +167,10 @@ export const RBACResourceActions: Partial<
 		stop: "allows stopping a workspace",
 		update: "edit workspace settings (scheduling, permissions, parameters)",
 	},
+	workspace_agent_devcontainers: {
+		create: "create workspace agent devcontainers",
+		read: "read workspace agent devcontainers",
+	},
 	workspace_agent_resource_monitor: {
 		create: "create workspace agent resource monitor",
 		read: "read workspace agent resource monitor",