From 6d5c2412d946fd2ed347f11905be903da8f85d0e Mon Sep 17 00:00:00 2001
From: Douglas Voet <dvoet@users.noreply.github.com>
Date: Tue, 30 Jul 2024 11:38:47 -0400
Subject: [PATCH] controlled-user-shared-workspace-resource/read

---
 src/main/resources/reference.conf |  6 ++++++
 src/main/resources/sam.conf       | 13 +++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 78f891ecf..7fbd4acfe 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -285,6 +285,12 @@ resourceTypes = {
       reader = {
         roleActions = ["read"]
       }
+      rawls = {
+        roleActions = [
+          # rawls needs read workspace storage containers for clone operation
+          "read"
+        ]
+      }
     }
     reuseIds = false
   }
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index 4b723235f..1b5b858ae 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -363,6 +363,19 @@ resourceAccessPolicies {
         ]
       }
     }
+    controlled-user-shared-workspace-resource {
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "controlled-user-shared-workspace-resource",
+            roles = ["rawls"]
+          }
+        ]
+      }
+    }
     kubernetes-app {
       rawls {
         memberEmails = [