Commit 67571fb
feat: grant org owners IPAM admin access (#257)
## What
Adds `ipam.miloapis.com-admin` to the datum-cloud **owner** assignable
organization role, so organization owners can fully manage their IP
address space — pools, prefixes, and allocations — within their own
org's scope.
## Why here
The datum-cloud owner/editor/viewer roles are defined here and published
in the `assignable-organization-roles` bundle that every environment
consumes. Service grants like networking, DNS, telemetry, and billing
already live in this role's `inheritedRoles`; the IPAM grant belongs
alongside them, not as an environment-specific patch layered on top of
the bundle in the infra repo. Defining it at the source means it flows
to every environment through the normal release, with no per-overlay
duplication.
## Scope
- Owner role only (mirrors admin grants for the other services).
- Reference by name/namespace; the `ipam.miloapis.com-admin` role is
provided by the IPAM service. Read/write of IPAM resources stays scoped
to the owner's own organization.
Companion change: the IPAM production deployment in
datum-cloud/infra#2976, which no longer carries this grant.

1 file changed
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
36 | 36 | | |
37 | 37 | | |
38 | 38 | | |
| 39 | + | |
| 40 | + | |
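
Review bot: The two added lines (39-40) reference `ipam.miloapis.com-admin` by name/namespace only, and per the description that role is provided by the IPAM service rather than defined in this repo, so whatever permissions that admin role carries now or gains later are inherited by every organization owner in every environment that consumes the `assignable-organization-roles` bundle, with no change visible here. Suggest a comment beside the new entry naming the IPAM service as the owner of the role definition, and a release check that the referenced role exists in each consuming environment so the reference cannot dangle where IPAM is not yet deployed. The per-organization scoping stated in the description is not visible in these two lines; point to where it is enforced, or add a test that an owner cannot read or write another organization's pools, prefixes, or allocations. Since datum-cloud/infra#2976 drops the same grant, also state the intended merge order so owners are not left without the grant between the two releases.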