custom roles: feature request to allow use of the negate function / negative permissions #21349

rowansmithau · 2025-12-21T23:03:31Z

rowansmithau
Dec 21, 2025
Collaborator

As custom roles within organizations are purely additive and the "organization member" role is both automatically assigned and also not able to be unassigned, the scope / functionality of custom roles is limited. "organization member" receives basically all permissions except some relating to dormant & prebuilt workspaces and user management:

coder/coderd/rbac/roles.go

Line 454 in 4f7b279

    
           Member: append(allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceUser, ResourceOrganizationMember),

Seemingly because of these design primitives the 'Negate' permission is used on some built in roles, i.e. "Organization Workspace Creation Ban" in order to remove permissions from users:

coder/coderd/rbac/roles.go

Lines 548 to 587 in 4f7b279

    
           		// orgWorkspaceCreationBan prevents creating & deleting workspaces. This 
        
           		// overrides any permissions granted by the org or user level. It accomplishes 
        
           		// this by using negative permissions. 
        
           		orgWorkspaceCreationBan: func(organizationID uuid.UUID) Role { 
        
           			return Role{ 
        
           				Identifier:  RoleIdentifier{Name: orgWorkspaceCreationBan, OrganizationID: organizationID}, 
        
           				DisplayName: "Organization Workspace Creation Ban", 
        
           				Site:        []Permission{}, 
        
           				User:        []Permission{}, 
        
           				ByOrgID: map[string]OrgPermissions{ 
        
           					organizationID.String(): { 
        
           						Org: []Permission{ 
        
           							{ 
        
           								Negate:       true, 
        
           								ResourceType: ResourceWorkspace.Type, 
        
           								Action:       policy.ActionCreate, 
        
           							}, 
        
           							{ 
        
           								Negate:       true, 
        
           								ResourceType: ResourceWorkspace.Type, 
        
           								Action:       policy.ActionDelete, 
        
           							}, 
        
           							{ 
        
           								Negate:       true, 
        
           								ResourceType: ResourceWorkspace.Type, 
        
           								Action:       policy.ActionCreateAgent, 
        
           							}, 
        
           							{ 
        
           								Negate:       true, 
        
           								ResourceType: ResourceWorkspace.Type, 
        
           								Action:       policy.ActionDeleteAgent, 
        
           							}, 
        
           						}, 
        
           						Member: []Permission{}, 
        
           					}, 
        
           				}, 
        
           			} 
        
           		}, 
        
           	} 
        
           }

However the negate function is not available for use on custom roles as an intentional decision per the code comment:

coder/coderd/database/dbauthz/dbauthz.go

Lines 1260 to 1261 in 0ba3f7e

    
           // Users do not need negative permissions. We can include it later if required. 
        
           return xerrors.Errorf("invalid permission for action=%q type=%q, no negative permissions", perm.Action, perm.ResourceType)

The result is that custom roles cannot be created which remove permissions from those assigned to the "organization member" role, and this is a feature request to allow the use of the negate function.

A customer is attempting to create a role which satisfies the following requirements:

Cannot start own workspace
Cannot stop own workspace
Cannot modify parameters of own workspace
Cannot upgrade own workspace
Cannot reach control plane directly, e.g., can only get to application URLs
Cannot ssh into own workspace
Cannot port-forward own workspace
Cannot make API keys for self
Cannot see all the templates and options

It does not appear to be possible to create a custom role which satisfies any of these requirements, the closest option appears to be using "Organization Workspace Creation Ban" which does not satisfy most of these requirements.

If/when implemented this functionality should be available in both the CLI and UI.

Error displayed when attempting to create a role which uses the negate function:

coder organizations roles create -O=rshl --stdin < test.json
Encountered an error running "coder organizations roles create", see "coder organizations roles create --help" for more information
error: Trace=[patch role: ]
Failed to update role permissions
org="d898ad9c-63b7-40dd-a0b0-70216f783be0": org: invalid permission for action="create" type="workspace", no negative permissions

test.json:

{
  "name": "test-custom-role",
  "organization_id": "d898ad9c-63b7-40dd-a0b0-70216f783be0",
  "display_name": "",
  "site_permissions": [],
  "user_permissions": [],
  "organization_permissions": [
    {
      "negate": true,
      "resource_type": "workspace",
      "action": "create"
    }
  ],
  "organization_member_permissions": [],
  "assignable": true,
  "built_in": false
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

custom roles: feature request to allow use of the negate function / negative permissions #21349

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

custom roles: feature request to allow use of the negate function / negative permissions #21349

Uh oh!

Uh oh!

rowansmithau Dec 21, 2025 Collaborator

Replies: 0 comments

rowansmithau
Dec 21, 2025
Collaborator