feat: grant org owners IPAM admin access #257

Merged
scotwells merged 1 commit into main from feat/ipam-owner-role, Jul 1, 2026

@scotwells

Collaborator

What

Adds ipam.miloapis.com-admin to the datum-cloud owner assignable organization role, so organization owners can fully manage their IP address space — pools, prefixes, and allocations — within their own org's scope.

Why here

The datum-cloud owner/editor/viewer roles are defined here and published in the assignable-organization-roles bundle that every environment consumes. Service grants like networking, DNS, telemetry, and billing already live in this role's inheritedRoles; the IPAM grant belongs alongside them, not as an environment-specific patch layered on top of the bundle in the infra repo. Defining it at the source means it flows to every environment through the normal release, with no per-overlay duplication.

Scope

  • Owner role only (mirrors admin grants for the other services).
  • Reference by name/namespace; the ipam.miloapis.com-admin role is provided by the IPAM service. Read/write of IPAM resources stays scoped to the owner's own organization.

Companion change: the IPAM production deployment in datum-cloud/infra#2976, which no longer carries this grant.

@scotwells scotwells requested a review from a team as a code owner July 1, 2026 15:06
@scotwells scotwells requested a review from bmertens-datum July 1, 2026 15:06
@scotwells scotwells merged commit 67571fb into main Jul 1, 2026
11 checks passed
@scotwells scotwells deleted the feat/ipam-owner-role branch July 1, 2026 16:24