Allow TemplateAdmin to delete prebuild workspaces #18191

Closed
@ssncferreira

Description

Users with the TemplateAdmin role currently cannot delete prebuild workspaces. These workspaces are created and owned by a specific system user and often need to be cleaned up when they become outdated or stuck in a failed state.

Users with the TemplateAdmin role are responsible for managing templates and, consequently, should be responsible for managing associated prebuilds. As a result, this role should be able to delete prebuilt workspaces for maintenance reasons.

The current API supports deleting workspaces via the POST /workspaces/{workspace}/builds endpoint. To perform a deletion, the user must meet one of the following conditions:

  • Be the owner of the workspace
  • Have the workspace.delete permission (note that this permission does not distinguish between normal and prebuilt workspaces)

Objective

Update the current RBAC policy to support deletion of prebuild workspaces by users with the TemplateAdmin role, without granting broader permissions to delete regular user workspaces:

  • Update RBAC policy to support scoped delete access for prebuild workspaces
    • TemplateAdmins should be allowed to delete only workspaces owned by the prebuild system user, not workspaces owned by any other user.
  • Grant the appropriate permission to the TemplateAdmin role
  • Add test coverage for the new permission
  • Update documentation if needed
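
The scoped check described in the objective, as an added example that is not part of the original issue and is not Coder's RBAC code. The `prebuilt_workspace.delete` permission name, the `prebuildsUserID` value, the role grants and all type and function names are assumptions made for illustration.

```go
package main

import "fmt"

// Hypothetical names throughout; this models the policy, not Coder's RBAC code.
const prebuildsUserID = "prebuilds-system-user" // constructed placeholder ID

type Workspace struct{ ID, OwnerID string }
type Subject struct { ID string; Roles []string }

// Role grants. "prebuilt_workspace.delete" is an assumed, narrower permission
// that exists so TemplateAdmin never needs the broad "workspace.delete".
var grants = map[string][]string{
	"Owner":         {"workspace.delete"},
	"TemplateAdmin": {"prebuilt_workspace.delete"},
}

// acceptedPermissions lists the permissions that authorize deleting ws.
// The narrow permission applies only when the prebuild system user owns it.
func acceptedPermissions(ws Workspace) []string {
	if ws.OwnerID == prebuildsUserID {
		return []string{"workspace.delete", "prebuilt_workspace.delete"}
	}
	return []string{"workspace.delete"}
}

// CanDelete mirrors the two conditions in the issue: ownership, or a
// delete permission that matches the workspace being deleted.
func CanDelete(s Subject, ws Workspace) bool {
	if s.ID == ws.OwnerID {
		return true
	}
	for _, role := range s.Roles {
		for _, have := range grants[role] {
			for _, want := range acceptedPermissions(ws) {
				if have == want {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	admin := Subject{ID: "u-admin", Roles: []string{"TemplateAdmin"}}
	fmt.Println(CanDelete(admin, Workspace{"ws-1", prebuildsUserID}))
	fmt.Println(CanDelete(admin, Workspace{"ws-2", "u-alice"}))
}
```

Because the decision keys on the workspace owner, the test coverage the issue asks for should include the negative case: a TemplateAdmin attempting to delete a workspace owned by a regular user must be denied.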
