coder
diff --git a/‎coderd/apidoc/docs.go‎
Lines changed: 14 additions & 0 deletions b/‎coderd/apidoc/docs.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json‎
Lines changed: 14 additions & 0 deletions b/‎coderd/apidoc/swagger.json‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql‎
Lines changed: 8 additions & 1 deletion b/‎coderd/database/dump.sql‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000375_add_composite_api_key_scopes.down.sql‎
Lines changed: 3 additions & 0 deletions b/‎coderd/database/migrations/000375_add_composite_api_key_scopes.down.sql‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000375_add_composite_api_key_scopes.up.sql‎
Lines changed: 9 additions & 0 deletions b/‎coderd/database/migrations/000375_add_composite_api_key_scopes.up.sql‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go‎
Lines changed: 7 additions & 0 deletions b/‎coderd/database/modelmethods.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/models.go‎
Lines changed: 22 additions & 1 deletion b/‎coderd/database/models.go‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎coderd/rbac/roles.go‎
Lines changed: 20 additions & 0 deletions b/‎coderd/rbac/roles.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/rbac/roles_internal_test.go‎
Lines changed: 21 additions & 0 deletions b/‎coderd/rbac/roles_internal_test.go‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎coderd/rbac/scopes.go‎
Lines changed: 64 additions & 0 deletions b/‎coderd/rbac/scopes.go‎
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,3 @@
+-- No-op: keep enum values to avoid dependency churn.
+-- If strict removal is required, create a new enum type without these values,
+-- cast columns, drop the old type, and rename.
@@ -0,0 +1,9 @@
+-- Add high-level composite coder:* API key scopes
+-- These values are persisted so that tokens can store coder:* names directly.
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'coder:workspaces.create';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'coder:workspaces.operate';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'coder:workspaces.delete';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'coder:workspaces.access';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'coder:templates.build';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'coder:templates.author';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'coder:apikeys.manage_self';
@@ -203,6 +203,13 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {
 		}
 	}
 
+	// De-duplicate permissions across Site/Org/User
+	merged.Site = rbac.DeduplicatePermissions(merged.Site)
+	for orgID, perms := range merged.Org {
+		merged.Org[orgID] = rbac.DeduplicatePermissions(perms)
+	}
+	merged.User = rbac.DeduplicatePermissions(merged.User)
+
 	if allowAll || len(allowSet) == 0 {
 		merged.AllowIDList = []rbac.AllowListElement{rbac.AllowListAll()}
 	} else {
 
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"sort"
+	"strconv"
 	"strings"
 
 	"github.com/google/uuid"
@@ -863,3 +864,22 @@ func Permissions(perms map[string][]policy.Action) []Permission {
 	})
 	return list
 }
+
+// DeduplicatePermissions removes duplicate Permission entries while preserving
+// the original order of the first occurrence for deterministic evaluation.
+func DeduplicatePermissions(perms []Permission) []Permission {
+	if len(perms) == 0 {
+		return perms
+	}
+	seen := make(map[string]struct{}, len(perms))
+	deduped := make([]Permission, 0, len(perms))
+	for _, perm := range perms {
+		key := perm.ResourceType + "\x00" + string(perm.Action) + "\x00" + strconv.FormatBool(perm.Negate)
+		if _, ok := seen[key]; ok {
+			continue
+		}
+		seen[key] = struct{}{}
+		deduped = append(deduped, perm)
+	}
+	return deduped
+}
@@ -249,6 +249,27 @@ func TestRoleByName(t *testing.T) {
 	})
 }
 
+func TestDeduplicatePermissions(t *testing.T) {
+	t.Parallel()
+
+	perms := []Permission{
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionRead},
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionRead},
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionUpdate},
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionRead, Negate: true},
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionRead, Negate: true},
+	}
+
+	got := DeduplicatePermissions(perms)
+	want := []Permission{
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionRead},
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionUpdate},
+		{ResourceType: ResourceWorkspace.Type, Action: policy.ActionRead, Negate: true},
+	}
+
+	require.Equal(t, want, got)
+}
+
 // SameAs compares 2 roles for equality.
 func equalRoles(t *testing.T, a, b Role) {
 	require.Equal(t, a.Identifier, b.Identifier, "role names")
 
@@ -3,6 +3,7 @@ package rbac
 import (
 	"fmt"
 	"slices"
+	"sort"
 	"strings"
 
 	"github.com/google/uuid"
@@ -120,6 +121,56 @@ func BuiltinScopeNames() []ScopeName {
 	return names
 }
 
+// Composite coder:* scopes expand to multiple low-level resource:action permissions
+// at Site level. These names are persisted in the DB and expanded during
+// authorization.
+var compositePerms = map[ScopeName]map[string][]policy.Action{
+	"coder:workspaces.create": {
+		ResourceTemplate.Type:  {policy.ActionRead, policy.ActionUse},
+		ResourceWorkspace.Type: {policy.ActionCreate, policy.ActionUpdate, policy.ActionRead},
+	},
+	"coder:workspaces.operate": {
+		ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate},
+	},
+	"coder:workspaces.delete": {
+		ResourceWorkspace.Type: {policy.ActionRead, policy.ActionDelete},
+	},
+	"coder:workspaces.access": {
+		ResourceWorkspace.Type: {policy.ActionRead, policy.ActionSSH, policy.ActionApplicationConnect},
+	},
+	"coder:templates.build": {
+		ResourceTemplate.Type: {policy.ActionRead},
+		ResourceFile.Type:     {policy.ActionCreate, policy.ActionRead},
+		"provisioner_jobs":    {policy.ActionRead},
+	},
+	"coder:templates.author": {
+		ResourceTemplate.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
+		ResourceFile.Type:     {policy.ActionCreate, policy.ActionRead},
+	},
+	"coder:apikeys.manage_self": {
+		ResourceApiKey.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+	},
+}
+
+// CompositeSitePermissions returns the site-level Permission list for a coder:* scope.
+func CompositeSitePermissions(name ScopeName) ([]Permission, bool) {
+	perms, ok := compositePerms[name]
+	if !ok {
+		return nil, false
+	}
+	return Permissions(perms), true
+}
+
+// CompositeScopeNames lists all high-level coder:* names in sorted order.
+func CompositeScopeNames() []string {
+	out := make([]string, 0, len(compositePerms))
+	for k := range compositePerms {
+		out = append(out, string(k))
+	}
+	sort.Strings(out)
+	return out
+}
+
 type ExpandableScope interface {
 	Expand() (Scope, error)
 	// Name is for logging and tracing purposes, we want to know the human
@@ -175,6 +226,19 @@ func ExpandScope(scope ScopeName) (Scope, error) {
 	if role, ok := builtinScopes[scope]; ok {
 		return role, nil
 	}
+	if site, ok := CompositeSitePermissions(scope); ok {
+		return Scope{
+			Role: Role{
+				Identifier:  RoleIdentifier{Name: fmt.Sprintf("Scope_%s", scope)},
+				DisplayName: string(scope),
+				Site:        site,
+				Org:         map[string][]Permission{},
+				User:        []Permission{},
+			},
+			// Composites are site-level; allow-list empty by default
+			AllowIDList: []AllowListElement{},
+		}, nil
+	}
 	if res, act, ok := parseLowLevelScope(scope); ok {
 		return expandLowLevel(res, act), nil
 	}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+-- No-op: keep enum values to avoid dependency churn.`
	`2`	`+-- If strict removal is required, create a new enum type without these values,`
	`3`	`+-- cast columns, drop the old type, and rename.`
Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,13 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`203`	`203`	`}`
`204`	`204`	`}`
`205`	`205`
	`206`	`+ // De-duplicate permissions across Site/Org/User`
	`207`	`+ merged.Site = rbac.DeduplicatePermissions(merged.Site)`
	`208`	`+ for orgID, perms := range merged.Org {`
	`209`	`+ merged.Org[orgID] = rbac.DeduplicatePermissions(perms)`
	`210`	`+ }`
	`211`	`+ merged.User = rbac.DeduplicatePermissions(merged.User)`
	`212`	`+`
`206`	`213`	`if allowAll \|\| len(allowSet) == 0 {`
`207`	`214`	`merged.AllowIDList = []rbac.AllowListElement{rbac.AllowListAll()}`
`208`	`215`	`} else {`