feat: impersonation roles (#7442)

* partial work done

* test IAM membership roles

* org membership tests

* console :(, translations and docs

* fix integration test

* fix tests

* add EnableImpersonation to security policy API

* fix integration test timestamp checking

* add security policy tests and fix projections

* add impersonation setting in console

* add security settings to the settings v2 API

* fix typo

* move impersonation to instance

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/grpc/settings/v2/settings_converter_test.go

@@ -12,6 +12,7 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/zitadel/zitadel/internal/api/grpc"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
@@ -450,3 +451,35 @@ func Test_idpTypeToPb(t *testing.T) {
 		})
 	}
 }
+
+func Test_securityPolicyToSettingsPb(t *testing.T) {
+	want := &settings.SecuritySettings{
+		EmbeddedIframe: &settings.EmbeddedIframeSettings{
+			Enabled:        true,
+			AllowedOrigins: []string{"foo", "bar"},
+		},
+		EnableImpersonation: true,
+	}
+	got := securityPolicyToSettingsPb(&query.SecurityPolicy{
+		EnableIframeEmbedding: true,
+		AllowedOrigins:        []string{"foo", "bar"},
+		EnableImpersonation:   true,
+	})
+	assert.Equal(t, want, got)
+}
+
+func Test_securitySettingsToCommand(t *testing.T) {
+	want := &command.SecurityPolicy{
+		EnableIframeEmbedding: true,
+		AllowedOrigins:        []string{"foo", "bar"},
+		EnableImpersonation:   true,
+	}
+	got := securitySettingsToCommand(&settings.SetSecuritySettingsRequest{
+		EmbeddedIframe: &settings.EmbeddedIframeSettings{
+			Enabled:        true,
+			AllowedOrigins: []string{"foo", "bar"},
+		},
+		EnableImpersonation: true,
+	})
+	assert.Equal(t, want, got)
+}