gitpod-io
diff --git a/‎components/gitpod-protocol/src/protocol.ts
Lines changed: 2 additions & 1 deletion b/‎components/gitpod-protocol/src/protocol.ts
Lines changed: 2 additions & 1 deletion
diff --git a/‎components/server/src/api/envvar-service-api.ts
Lines changed: 1 addition & 0 deletions b/‎components/server/src/api/envvar-service-api.ts
Lines changed: 1 addition & 0 deletions
diff --git a/‎components/server/src/authorization/definitions.ts
Lines changed: 2 additions & 0 deletions b/‎components/server/src/authorization/definitions.ts
Lines changed: 2 additions & 0 deletions
@@ -277,11 +277,12 @@ export namespace UserEnvVar {
     export const WILDCARD_DOUBLE_ASTERISK = "**";
     const WILDCARD_SHARP = "#"; // TODO(gpl) Where does this come from? Bc we have/had patterns as part of URLs somewhere, maybe...?
     const MIN_PATTERN_SEGMENTS = 2;
+    export const GITPOD_IMAGE_AUTH_ENV_VAR_NAME = "GITPOD_IMAGE_AUTH";
 
     /**
      * - GITPOD_IMAGE_AUTH is documented https://www.gitpod.io/docs/configure/workspaces/workspace-image#use-a-private-docker-image
      */
-    export const WhiteListFromReserved = ["GITPOD_IMAGE_AUTH"];
+    export const WhiteListFromReserved = [GITPOD_IMAGE_AUTH_ENV_VAR_NAME];
 
     function isWildcard(c: string): boolean {
         return c === WILDCARD_ASTERISK || c === WILDCARD_SHARP;
 
@@ -207,6 +207,7 @@ export class EnvironmentVariableServiceAPI implements ServiceImpl<typeof Environ
         const { workspace } = await this.workspaceService.getWorkspace(ctxUserId(), req.workspaceId);
         const envVars = await this.envVarService.resolveEnvVariables(
             workspace.ownerId,
+            workspace.organizationId,
             workspace.projectId,
             workspace.type,
             workspace.context,
 
@@ -65,6 +65,8 @@ export type OrganizationPermission =
     | "delete"
     | "read_settings"
     | "write_settings"
+    | "read_env_var"
+    | "write_env_var"
     | "read_audit_logs"
     | "read_members"
     | "invite_members"