coder
diff --git a/‎coderd/rbac/object_gen.go
Lines changed: 8 additions & 0 deletions b/‎coderd/rbac/object_gen.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/rbac/policy/policy.go
Lines changed: 5 additions & 0 deletions b/‎coderd/rbac/policy/policy.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎coderd/rbac/roles.go
Lines changed: 9 additions & 4 deletions b/‎coderd/rbac/roles.go
Lines changed: 9 additions & 4 deletions
diff --git a/‎codersdk/rbacresources_gen.go
Lines changed: 2 additions & 0 deletions b/‎codersdk/rbacresources_gen.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎site/src/api/rbacresources_gen.ts
Lines changed: 3 additions & 0 deletions b/‎site/src/api/rbacresources_gen.ts
Lines changed: 3 additions & 0 deletions
diff --git a/‎site/src/api/typesGenerated.ts
Lines changed: 2 additions & 0 deletions b/‎site/src/api/typesGenerated.ts
Lines changed: 2 additions & 0 deletions
@@ -149,6 +149,11 @@ var RBACPermissions = map[string]PermissionDefinition{
 			ActionUpdate: actDef("update a group"),
 		},
 	},
+	"group_member": {
+		Actions: map[Action]ActionDefinition{
+			ActionRead: actDef("read group members"),
+		},
+	},
 	"file": {
 		Actions: map[Action]ActionDefinition{
 			ActionCreate: actDef("create a file"),
 
@@ -301,10 +301,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		Site: Permissions(map[string][]policy.Action{
 			// Should be able to read all template details, even in orgs they
 			// are not in.
-			ResourceTemplate.Type: {policy.ActionRead, policy.ActionViewInsights},
-			ResourceAuditLog.Type: {policy.ActionRead},
-			ResourceUser.Type:     {policy.ActionRead},
-			ResourceGroup.Type:    {policy.ActionRead},
+			ResourceTemplate.Type:    {policy.ActionRead, policy.ActionViewInsights},
+			ResourceAuditLog.Type:    {policy.ActionRead},
+			ResourceUser.Type:        {policy.ActionRead},
+			ResourceGroup.Type:       {policy.ActionRead},
+			ResourceGroupMember.Type: {policy.ActionRead},
 			// Allow auditors to query deployment stats and insights.
 			ResourceDeploymentStats.Type:  {policy.ActionRead},
 			ResourceDeploymentConfig.Type: {policy.ActionRead},
@@ -329,6 +330,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			ResourceOrganization.Type: {policy.ActionRead},
 			ResourceUser.Type:         {policy.ActionRead},
 			ResourceGroup.Type:        {policy.ActionRead},
+			ResourceGroupMember.Type:  {policy.ActionRead},
 			// Org roles are not really used yet, so grant the perm at the site level.
 			ResourceOrganizationMember.Type: {policy.ActionRead},
 		}),
@@ -351,6 +353,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			// Full perms to manage org members
 			ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			ResourceGroup.Type:              {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+			ResourceGroupMember.Type:        {policy.ActionRead},
 		}),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -461,6 +464,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceAssignOrgRole.Type:      {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						ResourceGroup.Type:              ResourceGroup.AvailableActions(),
+						ResourceGroupMember.Type:        ResourceGroupMember.AvailableActions(),
 					}),
 				},
 				User: []Permission{},
@@ -480,6 +484,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						// Assigning template perms requires this permission.
 						ResourceOrganizationMember.Type: {policy.ActionRead},
 						ResourceGroup.Type:              {policy.ActionRead},
+						ResourceGroupMember.Type:        {policy.ActionRead},
 					}),
 				},
 				User: []Permission{},
 
@@ -50,6 +50,9 @@ export const RBACResourceActions: Partial<
     read: "read groups",
     update: "update a group",
   },
+  group_member: {
+    read: "read group members",
+  },
   license: {
     create: "create a license",
     delete: "delete license",