coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 5 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 8 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 24 additions & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 24 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 61 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 61 additions & 0 deletions
diff --git a/‎coderd/database/queries/groups.sql
Lines changed: 25 additions & 0 deletions b/‎coderd/database/queries/groups.sql
Lines changed: 25 additions & 0 deletions
diff --git a/‎coderd/provisionerdserver/provisionerdserver.go
Lines changed: 12 additions & 0 deletions b/‎coderd/provisionerdserver/provisionerdserver.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎coderd/provisionerdserver/provisionerdserver_test.go
Lines changed: 10 additions & 0 deletions b/‎coderd/provisionerdserver/provisionerdserver_test.go
Lines changed: 10 additions & 0 deletions
@@ -174,6 +174,7 @@ var (
 					// When org scoped provisioner credentials are implemented,
 					// this can be reduced to read a specific org.
 					rbac.ResourceOrganization.Type: {rbac.ActionRead},
+					rbac.ResourceGroup.Type:        {rbac.ActionRead},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -1141,6 +1142,10 @@ func (q *querier) GetGroupMembers(ctx context.Context, id uuid.UUID) ([]database
 	return q.db.GetGroupMembers(ctx, id)
 }
 
+func (q *querier) GetGroupsByOrganizationAndUserID(ctx context.Context, arg database.GetGroupsByOrganizationAndUserIDParams) ([]database.Group, error) {
+	return fetchWithPostFilter(q.auth, q.db.GetGroupsByOrganizationAndUserID)(ctx, arg)
+}
+
 func (q *querier) GetGroupsByOrganizationID(ctx context.Context, organizationID uuid.UUID) ([]database.Group, error) {
 	return fetchWithPostFilter(q.auth, q.db.GetGroupsByOrganizationID)(ctx, organizationID)
 }
 
@@ -314,6 +314,14 @@ func (s *MethodTestSuite) TestGroup() {
 		_ = dbgen.GroupMember(s.T(), db, database.GroupMember{})
 		check.Args(g.ID).Asserts(g, rbac.ActionRead)
 	}))
+	s.Run("GetGroupsByOrganizationAndUserID", s.Subtest(func(db database.Store, check *expects) {
+		g := dbgen.Group(s.T(), db, database.Group{})
+		gm := dbgen.GroupMember(s.T(), db, database.GroupMember{GroupID: g.ID})
+		check.Args(database.GetGroupsByOrganizationAndUserIDParams{
+			OrganizationID: g.OrganizationID,
+			UserID:         gm.UserID,
+		}).Asserts(g, rbac.ActionRead)
+	}))
 	s.Run("InsertAllUsersGroup", s.Subtest(func(db database.Store, check *expects) {
 		o := dbgen.Organization(s.T(), db, database.Organization{})
 		check.Args(o.ID).Asserts(rbac.ResourceGroup.InOrg(o.ID), rbac.ActionCreate)
 
@@ -2250,6 +2250,30 @@ func (q *FakeQuerier) GetGroupMembers(_ context.Context, id uuid.UUID) ([]databa
 	return users, nil
 }
 
+func (q *FakeQuerier) GetGroupsByOrganizationAndUserID(_ context.Context, arg database.GetGroupsByOrganizationAndUserIDParams) ([]database.Group, error) {
+	err := validateDatabaseType(arg)
+	if err != nil {
+		return nil, err
+	}
+
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+	var groupIds []uuid.UUID
+	for _, member := range q.groupMembers {
+		if member.UserID == arg.UserID {
+			groupIds = append(groupIds, member.GroupID)
+		}
+	}
+	groups := []database.Group{}
+	for _, group := range q.groups {
+		if slices.Contains(groupIds, group.ID) && group.OrganizationID == arg.OrganizationID {
+			groups = append(groups, group)
+		}
+	}
+
+	return groups, nil
+}
+
 func (q *FakeQuerier) GetGroupsByOrganizationID(_ context.Context, id uuid.UUID) ([]database.Group, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
@@ -28,6 +28,31 @@ FROM
 WHERE
 	organization_id = $1;
 
+-- name: GetGroupsByOrganizationAndUserID :many
+SELECT
+    groups.*
+FROM
+    groups
+	-- If the group is a user made group, then we need to check the group_members table.
+LEFT JOIN
+    group_members
+ON
+    group_members.group_id = groups.id AND
+    group_members.user_id = @user_id
+	-- If it is the "Everyone" group, then we need to check the organization_members table.
+LEFT JOIN
+    organization_members
+ON
+    organization_members.organization_id = groups.id AND
+    organization_members.user_id = @user_id
+WHERE
+    -- In either case, the group_id will only match an org or a group.
+    (group_members.user_id = @user_id OR organization_members.user_id = @user_id)
+AND
+    -- Ensure the group or organization is the specified organization.
+    groups.organization_id = @organization_id;
+
+
 -- name: InsertGroup :one
 INSERT INTO groups (
 	id,
 
@@ -467,6 +467,17 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 		if err != nil {
 			return nil, failJob(fmt.Sprintf("get owner: %s", err))
 		}
+		ownerGroups, err := s.Database.GetGroupsByOrganizationAndUserID(ctx, database.GetGroupsByOrganizationAndUserIDParams{
+			UserID:         owner.ID,
+			OrganizationID: s.OrganizationID,
+		})
+		if err != nil {
+			return nil, failJob(fmt.Sprintf("get owner group names: %s", err))
+		}
+		ownerGroupNames := []string{}
+		for _, group := range ownerGroups {
+			ownerGroupNames = append(ownerGroupNames, group.Name)
+		}
 		err = s.Pubsub.Publish(codersdk.WorkspaceNotifyChannel(workspace.ID), []byte{})
 		if err != nil {
 			return nil, failJob(fmt.Sprintf("publish workspace update: %s", err))
@@ -567,6 +578,7 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 					WorkspaceOwner:                owner.Username,
 					WorkspaceOwnerEmail:           owner.Email,
 					WorkspaceOwnerName:            owner.Name,
+					WorkspaceOwnerGroups:          ownerGroupNames,
 					WorkspaceOwnerOidcAccessToken: workspaceOwnerOIDCAccessToken,
 					WorkspaceId:                   workspace.ID.String(),
 					WorkspaceOwnerId:              owner.ID.String(),
 
@@ -182,6 +182,15 @@ func TestAcquireJob(t *testing.T) {
 			defer cancel()
 
 			user := dbgen.User(t, db, database.User{})
+			group1 := dbgen.Group(t, db, database.Group{
+				Name:           "group1",
+				OrganizationID: pd.OrganizationID,
+			})
+			err := db.InsertGroupMember(ctx, database.InsertGroupMemberParams{
+				UserID:  user.ID,
+				GroupID: group1.ID,
+			})
+			require.NoError(t, err)
 			link := dbgen.UserLink(t, db, database.UserLink{
 				LoginType:        database.LoginTypeOIDC,
 				UserID:           user.ID,
@@ -340,6 +349,7 @@ func TestAcquireJob(t *testing.T) {
 						WorkspaceOwnerEmail:           user.Email,
 						WorkspaceOwnerName:            user.Name,
 						WorkspaceOwnerOidcAccessToken: link.OAuthAccessToken,
+						WorkspaceOwnerGroups:          []string{group1.Name},
 						WorkspaceId:                   workspace.ID.String(),
 						WorkspaceOwnerId:              user.ID.String(),
 						TemplateId:                    template.ID.String(),