Question
In `coderd/rbac/roles.go`, `OrgMemberPermissions()` conditionally grants org-wide Read on `OrganizationMember` and `Group` to every organization member so they can participate in workspace sharing:
```go
if org.ShareableWorkspaceOwners != ShareableWorkspaceOwnersNone {
	orgPermMap[ResourceOrganizationMember.Type] = []policy.Action{policy.ActionRead}
}
if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersEveryone {
	orgPermMap[ResourceGroup.Type] = []policy.Action{policy.ActionRead}
}
```
#25929 splits the workspace-ops elevation off `organization-member` and onto a new `organization-workspace-access` role. When the `minimum-implicit-member` experiment is on, only users with `organization-workspace-access` get the elevation; everyone else gets the floor.
Open question raised in the #25929 review: with `minimum-implicit-member` on, should the two Reads above (org-member listing, group listing for sharing) stay on `organization-member`, or do they belong on the workspace-elevation role like the rest of the workspace-ops perms?
Why it matters
If they stay on `organization-member`:
- Gateway-account users without `organization-workspace-access` can still list every other org member and (in `everyone` sharing mode) every group. That may be more visibility than a service account should have.
If they move to the elevation role:
- Gateway-account users without the elevation cannot enumerate sharers, which lines up with "no workspace ops" but breaks the symmetry with the floor's "members know members" assumption for non-sharing contexts.
Scope
This was deferred from #25929 to avoid expanding scope. Filing here so we don't lose it.
Acceptance
Decide the policy and update `OrgMemberPermissions` / `OrgServiceAccountPermissions` accordingly, with a test under `TestMinimumImplicitMember`.
Coder Agents on behalf of @Emyrk.
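To make the two options concrete, here is an added Go model of the decision (illustration only, not coderd/rbac code). It assumes a hypothetical intermediate `ShareableWorkspaceOwnersSome` mode between `None` and `Everyone`, a floor consisting of only org read, a representative subset of workspace actions for the elevation, and the resource strings `organization_member` and `group` as stand-ins for the real `ResourceOrganizationMember.Type` / `ResourceGroup.Type`; `OrgMemberPermissions`, `CanRead` and `VisibleSharers` are this model's own functions. It computes what a floor-only gateway account and an elevated user can enumerate under each policy, with the experiment on and off.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical model of the two candidate policies from the issue above.
// Added illustration, not coderd/rbac code; names only mirror the issue's vocabulary.

type ShareableWorkspaceOwners int

const (
	ShareableWorkspaceOwnersNone ShareableWorkspaceOwners = iota
	ShareableWorkspaceOwnersSome // assumed intermediate mode: sharing on, but not to everyone
	ShareableWorkspaceOwnersEveryone
)

// Policy selects where the two sharing-related Reads live.
type Policy int

const (
	ReadsStayOnMember    Policy = iota // option 1: organization-member keeps them
	ReadsMoveToElevation               // option 2: only organization-workspace-access gets them
)

type Org struct {
	ShareableWorkspaceOwners ShareableWorkspaceOwners
	MinimumImplicitMember    bool // the minimum-implicit-member experiment flag
}

type Subject struct {
	HasWorkspaceAccess bool // holds the organization-workspace-access role
}

// Perms maps a resource type to the actions granted on it org-wide.
type Perms map[string][]string

// OrgMemberPermissions computes what an org member is granted under policy p.
// Resource and action strings are this model's own, not policy.Action values.
func OrgMemberPermissions(org Org, s Subject, p Policy) Perms {
	perms := Perms{"organization": {"read"}} // assumed floor: members know the org exists

	// Experiment on: only the elevation role gets workspace ops.
	// Experiment off: every member is elevated, as before #25929.
	elevated := !org.MinimumImplicitMember || s.HasWorkspaceAccess
	if elevated {
		perms["workspace"] = []string{"create", "read", "update", "delete"} // representative subset
	}

	var sharingReads bool
	switch p {
	case ReadsStayOnMember:
		sharingReads = true
	case ReadsMoveToElevation:
		sharingReads = elevated
	}
	if sharingReads {
		if org.ShareableWorkspaceOwners != ShareableWorkspaceOwnersNone {
			perms["organization_member"] = []string{"read"}
		}
		if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersEveryone {
			perms["group"] = []string{"read"}
		}
	}
	return perms
}

// CanRead reports whether perms grants "read" on resource.
func CanRead(perms Perms, resource string) bool {
	for _, a := range perms[resource] {
		if a == "read" {
			return true
		}
	}
	return false
}

// VisibleSharers lists the sharing-related resource types the subject can enumerate.
func VisibleSharers(org Org, s Subject, p Policy) []string {
	var out []string
	for _, r := range []string{"organization_member", "group"} {
		if CanRead(OrgMemberPermissions(org, s, p), r) {
			out = append(out, r)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	org := Org{ShareableWorkspaceOwners: ShareableWorkspaceOwnersEveryone, MinimumImplicitMember: true}
	gateway := Subject{HasWorkspaceAccess: false} // service account left on the floor
	dev := Subject{HasWorkspaceAccess: true}
	for _, p := range []Policy{ReadsStayOnMember, ReadsMoveToElevation} {
		fmt.Printf("policy %d: gateway sees %v, dev sees %v\n",
			p, VisibleSharers(org, gateway, p), VisibleSharers(org, dev, p))
	}
}
```

The point the model makes visible is that the two policies differ only for a subject who is on the floor while the experiment is on; with the experiment off, or for anyone holding the elevation, both options grant the same reads, so a `TestMinimumImplicitMember` case needs exactly that floor-only, experiment-on subject to tell them apart.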