coder
diff --git a/‎cli/server_createadminuser.go
Lines changed: 1 addition & 1 deletion b/‎cli/server_createadminuser.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/server_createadminuser_test.go
Lines changed: 1 addition & 1 deletion b/‎cli/server_createadminuser_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 3 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 3 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/authorize_test.go
Lines changed: 1 addition & 1 deletion b/‎coderd/authorize_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/batchstats/batcher_internal_test.go
Lines changed: 1 addition & 1 deletion b/‎coderd/batchstats/batcher_internal_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 4 additions & 1 deletion b/‎coderd/coderdtest/coderdtest.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 13 additions & 7 deletions b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 13 additions & 7 deletions
diff --git a/‎coderd/database/dbauthz/customroles_test.go
Lines changed: 3 additions & 3 deletions b/‎coderd/database/dbauthz/customroles_test.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 16 additions & 2 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 16 additions & 2 deletions
@@ -222,7 +222,7 @@ func (r *RootCmd) newCreateAdminUserCommand() *serpent.Command {
 						UserID:         newUser.ID,
 						CreatedAt:      dbtime.Now(),
 						UpdatedAt:      dbtime.Now(),
-						Roles:          []string{rbac.RoleOrgAdmin(org.ID)},
+						Roles:          []string{rbac.ScopedRoleOrgAdmin(org.ID)},
 					})
 					if err != nil {
 						return xerrors.Errorf("insert organization member: %w", err)
 
@@ -71,7 +71,7 @@ func TestServerCreateAdminUser(t *testing.T) {
 		orgIDs2 := make(map[uuid.UUID]struct{}, len(orgMemberships))
 		for _, membership := range orgMemberships {
 			orgIDs2[membership.OrganizationID] = struct{}{}
-			assert.Equal(t, []string{rbac.RoleOrgAdmin(membership.OrganizationID)}, membership.Roles, "user is not org admin")
+			assert.Equal(t, []string{rbac.ScopedRoleOrgAdmin(membership.OrganizationID)}, membership.Roles, "user is not org admin")
 		}
 
 		require.Equal(t, orgIDs, orgIDs2, "user is not in all orgs")
 
@@ -27,7 +27,7 @@ func TestCheckPermissions(t *testing.T) {
 	memberClient, _ := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID)
 	memberUser, err := memberClient.User(ctx, codersdk.Me)
 	require.NoError(t, err)
-	orgAdminClient, _ := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID, rbac.RoleOrgAdmin(adminUser.OrganizationID))
+	orgAdminClient, _ := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID, rbac.ScopedRoleOrgAdmin(adminUser.OrganizationID))
 	orgAdminUser, err := orgAdminClient.User(ctx, codersdk.Me)
 	require.NoError(t, err)
 
 
@@ -177,7 +177,7 @@ func setupDeps(t *testing.T, store database.Store, ps pubsub.Pubsub) deps {
 	_, err := store.InsertOrganizationMember(context.Background(), database.InsertOrganizationMemberParams{
 		OrganizationID: org.ID,
 		UserID:         user.ID,
-		Roles:          []string{rbac.RoleOrgMember(org.ID)},
+		Roles:          []string{rbac.ScopedRoleOrgMember(org.ID)},
 	})
 	require.NoError(t, err)
 	tv := dbgen.TemplateVersion(t, store, database.TemplateVersion{
 
@@ -663,6 +663,7 @@ func CreateFirstUser(t testing.TB, client *codersdk.Client) codersdk.CreateFirst
 }
 
 // CreateAnotherUser creates and authenticates a new user.
+// Roles can include org scoped roles with 'roleName:<organization_id>'
 func CreateAnotherUser(t testing.TB, client *codersdk.Client, organizationID uuid.UUID, roles ...string) (*codersdk.Client, codersdk.User) {
 	return createAnotherUserRetry(t, client, organizationID, 5, roles)
 }
@@ -680,7 +681,7 @@ func AuthzUserSubject(user codersdk.User, orgID uuid.UUID) rbac.Subject {
 		roles = append(roles, r.Name)
 	}
 	// We assume only 1 org exists
-	roles = append(roles, rbac.RoleOrgMember(orgID))
+	roles = append(roles, rbac.ScopedRoleOrgMember(orgID))
 
 	return rbac.Subject{
 		ID:     user.ID.String(),
@@ -754,6 +755,8 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI
 		for _, roleName := range roles {
 			roleName := roleName
 			orgID, ok := rbac.IsOrgRole(roleName)
+			roleName, _, err = rbac.RoleSplit(roleName)
+			require.NoError(t, err, "split org role name")
 			if ok {
 				orgRoles[orgID] = append(orgRoles[orgID], roleName)
 			} else {
 
@@ -204,13 +204,6 @@ func Group(group database.Group, members []database.User) codersdk.Group {
 	}
 }
 
-func SlimRole(role rbac.Role) codersdk.SlimRole {
-	return codersdk.SlimRole{
-		DisplayName: role.DisplayName,
-		Name:        role.Name,
-	}
-}
-
 func TemplateInsightsParameters(parameterRows []database.GetTemplateParameterInsightsRow) ([]codersdk.TemplateParameterUsage, error) {
 	// Use a stable sort, similarly to how we would sort in the query, note that
 	// we don't sort in the query because order varies depending on the table
@@ -525,6 +518,19 @@ func ProvisionerDaemon(dbDaemon database.ProvisionerDaemon) codersdk.Provisioner
 	return result
 }
 
+func SlimRole(role rbac.Role) codersdk.SlimRole {
+	roleName, orgIDStr, err := rbac.RoleSplit(role.Name)
+	if err != nil {
+		roleName = role.Name
+	}
+
+	return codersdk.SlimRole{
+		DisplayName:    role.DisplayName,
+		Name:           roleName,
+		OrganizationID: orgIDStr,
+	}
+}
+
 func RBACRole(role rbac.Role) codersdk.Role {
 	roleName, orgIDStr, err := rbac.RoleSplit(role.Name)
 	if err != nil {
 
@@ -153,7 +153,7 @@ func TestUpsertCustomRoles(t *testing.T) {
 				UUID:  uuid.New(),
 				Valid: true,
 			},
-			subject: merge(canAssignRole, rbac.RoleOrgAdmin(orgID.UUID)),
+			subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
 			org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 				codersdk.ResourceWorkspace: {codersdk.ActionRead},
 			}),
@@ -162,7 +162,7 @@ func TestUpsertCustomRoles(t *testing.T) {
 		{
 			name: "user-escalation",
 			// These roles do not grant user perms
-			subject: merge(canAssignRole, rbac.RoleOrgAdmin(orgID.UUID)),
+			subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
 			user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 				codersdk.ResourceWorkspace: {codersdk.ActionRead},
 			}),
@@ -190,7 +190,7 @@ func TestUpsertCustomRoles(t *testing.T) {
 		},
 		{
 			name:           "read-workspace-in-org",
-			subject:        merge(canAssignRole, rbac.RoleOrgAdmin(orgID.UUID)),
+			subject:        merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
 			organizationID: orgID,
 			org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 				codersdk.ResourceWorkspace: {codersdk.ActionRead},
 
@@ -2472,7 +2472,7 @@ func (q *querier) InsertOrganization(ctx context.Context, arg database.InsertOrg
 
 func (q *querier) InsertOrganizationMember(ctx context.Context, arg database.InsertOrganizationMemberParams) (database.OrganizationMember, error) {
 	// All roles are added roles. Org member is always implied.
-	addedRoles := append(arg.Roles, rbac.RoleOrgMember(arg.OrganizationID))
+	addedRoles := append(arg.Roles, rbac.ScopedRoleOrgMember(arg.OrganizationID))
 	err := q.canAssignRoles(ctx, &arg.OrganizationID, addedRoles, []string{})
 	if err != nil {
 		return database.OrganizationMember{}, err
@@ -2847,8 +2847,22 @@ func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemb
 		return database.OrganizationMember{}, err
 	}
 
+	// The 'rbac' package expects role names to be scoped.
+	// Convert the argument roles for validation.
+	scopedGranted := make([]string, 0, len(arg.GrantedRoles))
+	for _, grantedRole := range arg.GrantedRoles {
+		// This check is a developer safety check. Old code might try to invoke this code path with
+		// organization id suffixes. Catch this and return a nice error so it can be fixed.
+		_, foundOrg, _ := rbac.RoleSplit(grantedRole)
+		if foundOrg != "" {
+			return database.OrganizationMember{}, xerrors.Errorf("attempt to assign a role %q, remove the ':<organization_id> suffix", grantedRole)
+		}
+
+		scopedGranted = append(scopedGranted, rbac.RoleName(grantedRole, arg.OrgID.String()))
+	}
+
 	// The org member role is always implied.
-	impliedTypes := append(arg.GrantedRoles, rbac.RoleOrgMember(arg.OrgID))
+	impliedTypes := append(scopedGranted, rbac.ScopedRoleOrgMember(arg.OrgID))
 	added, removed := rbac.ChangeRoleSet(member.Roles, impliedTypes)
 	err = q.canAssignRoles(ctx, &arg.OrgID, added, removed)
 	if err != nil {
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func TestServerCreateAdminUser(t *testing.T) {`
`71`	`71`	`orgIDs2 := make(map[uuid.UUID]struct{}, len(orgMemberships))`
`72`	`72`	`for _, membership := range orgMemberships {`
`73`	`73`	`orgIDs2[membership.OrganizationID] = struct{}{}`
`74`		`- assert.Equal(t, []string{rbac.RoleOrgAdmin(membership.OrganizationID)}, membership.Roles, "user is not org admin")`
	`74`	`+ assert.Equal(t, []string{rbac.ScopedRoleOrgAdmin(membership.OrganizationID)}, membership.Roles, "user is not org admin")`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`require.Equal(t, orgIDs, orgIDs2, "user is not in all orgs")`