@@ -22,10 +22,13 @@ const spicedbSchema = `
2222 /** Permission to manage organization */
2323 permission can_manage = organization_admin
2424
25+ /** Permission for a service account for organization admin */
26+ permission service_account_for_org_admin = organization_admin->service_accounts
27+
2528 /** Permission to contribute to organization */
2629 permission can_contribute = organization_contributor +
2730 organization_contributor->service_accounts +
28- organization_admin->service_accounts +
31+ service_account_for_org_admin +
2932 can_manage
3033 }
3134
@@ -36,14 +39,16 @@ const spicedbSchema = `
3639 relation workspace_contributor: user
3740 /** Parent organization of the workspace */
3841 relation parent_organization: organization
39-
42+
4043 /** Permission to manage workspace */
4144 permission can_manage = workspace_admin +
4245 workspace_admin->service_accounts +
46+ parent_organization->service_account_for_org_admin +
4347 parent_organization->can_manage
4448 /** Permission to contribute to the workspace, granted to workspace contributors, administrators and their service accounts */
4549 permission can_contribute = workspace_contributor +
4650 workspace_contributor->service_accounts +
51+ parent_organization->service_account_for_org_admin +
4752 can_manage
4853 /** Permission to view all workspace jobs, granted to administrators and their service accounts */
4954 permission view_all_workspace_jobs = can_manage + workspace_admin->service_accounts
@@ -60,7 +65,7 @@ const spicedbSchema = `
6065 relation project_contributor: user
6166 /** Parent workspace of the project */
6267 relation parent_workspace: workspace
63-
68+
6469 /** Permission to manage project, granted to project managers and parent workspace admins */
6570 permission can_manage = project_manager +
6671 project_manager->service_accounts +
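Review bot: In the workspace hunk, the added `parent_organization->service_account_for_org_admin +` term in `can_contribute` (new line 51) is redundant, because `can_contribute` ends in `can_manage` and the same hunk adds the identical term to `can_manage` on new line 46; keeping it only in `can_manage` gives the same grants with one place to audit. What the hunk does not say is that this is a privilege widening rather than a refactor: organization `can_manage` is `organization_admin` alone, so before this change an org admin's service accounts could contribute to the organization but not manage workspaces, whereas new line 46 now gives them workspace `can_manage`, hence also `view_all_workspace_jobs` on line 54, and presumably project `can_manage` if its body (which continues past the hunk) reaches `parent_workspace->can_manage` as its doc comment suggests. That change deserves a sentence in the commit description, and the doc comment on line 48 is now stale and should read `/** Permission to contribute to the workspace, granted to workspace contributors, administrators, their service accounts, and service accounts of parent-organization admins */`. The new permission's own doc comment on line 25 would be clearer as `/** Service accounts of organization admins, exposed as a permission so child objects can reference it */`.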