feat: usergrant (#489)

* fix: search usergrants only for allowed projects * fix: check permissions * fix: check permissions * fix: check permissions * Update internal/management/repository/eventsourcing/eventstore/project.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix: merge request changes * fix: variable name Co-authored-by: Silvan <silvan.reusser@gmail.com>
2024-12-12 11:04:25 +00:00 · 2020-07-22 14:00:29 +02:00 · 2020-07-22 14:00:29 +02:00 · 351aac22f8
commit 351aac22f8
parent a9f0e15e65
24 changed files with 1522 additions and 1017 deletions
--- a/cmd/zitadel/authz.yaml
+++ b/cmd/zitadel/authz.yaml
@ -48,6 +48,24 @@ InternalAuthZ:
        - "project.grant.user.grant.read"
        - "project.grant.user.grant.write"
        - "project.grant.user.grant.delete"
+    - Role: 'IAM_OWNER_VIEWER'
+      Permissions:
+        - "iam.read"
+        - "iam.policy.read"
+        - "iam.member.read"
+        - "org.read"
+        - "org.member.read"
+        - "user.read"
+        - "user.grant.read"
+        - "policy.read"
+        - "project.read"
+        - "project.member.read"
+        - "project.role.read"
+        - "project.app.read"
+        - "project.user.grant.read"
+        - "project.grant.read"
+        - "project.grant.member.read"
+        - "project.grant.user.grant.read"
    - Role: 'ORG_OWNER'
      Permissions:
        - "org.read"
@ -87,136 +105,25 @@ InternalAuthZ:
        - "project.grant.user.grant.read"
        - "project.grant.user.grant.write"
        - "project.grant.user.grant.delete"
-    - Role: 'ORG_EDITOR'
-      Permissions:
-        - "org.read"
-        - "org.write"
-    - Role: 'ORG_VIEWER'
-      Permissions:
-        - "org.read"
-    - Role: 'ORG_MEMBER_EDITOR'
-      Permissions:
-        - "org.read"
-        - "org.member.read"
-        - "org.member.write"
-        - "org.member.delete"
-    - Role: 'ORG_MEMBER_VIEWER'
+    - Role: 'ORG_OWNER'
      Permissions:
        - "org.read"
        - "org.member.read"
+        - "user.read"
+        - "user.grant.read"
+        - "policy.read"
+        - "project.read"
+        - "project.member.read"
+        - "project.role.read"
+        - "project.app.read"
+        - "project.user.grant.read"
+        - "project.grant.read"
+        - "project.grant.member.read"
+        - "project.grant.user.grant.read"
    - Role: 'ORG_PROJECT_CREATOR'
      Permissions:
        - "project.read:self"
        - "project.write"
-    - Role: 'ORG_PROJECT_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.write"
-        - "project.member.read"
-        - "project.member.write"
-        - "project.member.delete"
-        - "project.role.read"
-        - "project.role.write"
-        - "project.role.delete"
-        - "project.app.read"
-        - "project.app.write"
-        - "project.app.delete"
-        - "project.grant.read"
-        - "project.grant.write"
-        - "project.grant.delete"
-        - "project.grant.member.read"
-        - "project.grant.member.write"
-        - "project.grant.member.delete"
-    - Role: 'ORG_PROJECT_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.member.read"
-        - "project.role.read"
-        - "project.app.read"
-        - "project.grant.read"
-        - "project.grant.member.read"
-    - Role: 'ORG_PROJECT_MEMBER_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.member.read"
-        - "project.member.write"
-        - "project.member.delete"
-        - "project.grant.member.delete"
-    - Role: 'ORG_PROJECT_MEMBER_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.member.read"
-    - Role: 'ORG_PROJECT_ROLE_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.role.read"
-        - "project.role.write"
-        - "project.role.delete"
-    - Role: 'ORG_PROJECT_ROLE_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.role.read"
-    - Role: 'ORG_PROJECT_APP_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.app.read"
-        - "project.app.write"
-        - "project.app.delete"
-    - Role: 'ORG_PROJECT_APP_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.app.read"
-    - Role: 'ORG_PROJECT_GRANT_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.write"
-        - "project.grant.member.read"
-        - "project.grant.member.write"
-        - "project.grant.member.delete"
-    - Role: 'ORG_PROJECT_GRANT_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-    - Role: 'ORG_PROJECT_GRANT_MEMBER_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.member.read"
-        - "project.grant.member.write"
-        - "project.grant.member.delete"
-    - Role: 'ORG_PROJECT_GRANT_MEMBER_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.member.read"
-    - Role: 'ORG_USER_EDITOR'
-      Permissions:
-        - "user.read"
-        - "user.write"
-        - "user.delete"
-    - Role: 'ORG_USER_VIEWER'
-      Permissions:
-        - "user.read"
-    - Role: 'ORG_USER_GRANT_EDITOR'
-      Permissions:
-        - "user.read"
-        - "user.grant.read"
-        - "user.grant.write"
-        - "user.grant.delete"
-        - "project.read"
-    - Role: 'ORG_USER_GRANT_VIEWER'
-      Permissions:
-        - "user.read"
-        - "user.grant.read"
-    - Role: 'ORG_POLICY_EDITOR'
-      Permissions:
-        - "policy.read"
-        - "policy.write"
-        - "policy.delete"
-    - Role: 'ORG_POLICY_VIEWER'
-      Permissions:
-        - "policy.read"
    - Role: 'PROJECT_OWNER'
      Permissions:
        - "project.read"
@ -237,95 +144,35 @@ InternalAuthZ:
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
-        - "project.user.grant.read"
-        - "project.user.grant.write"
-        - "project.user.grant.delete"
-    - Role: 'PROJECT_MEMBER_EDITOR'
+        - "user.read"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.grant.delete"
+    - Role: 'PROJECT_OWNER_VIEWER'
      Permissions:
        - "project.read"
        - "project.member.read"
-        - "project.member.write"
-        - "project.member.delete"
-    - Role: 'PROJECT_MEMBER_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.member.read"
-    - Role: 'PROJECT_ROLE_EDITOR'
-      Permissions:
-        - "project.read"
        - "project.role.read"
-        - "project.role.write"
-        - "project.role.delete"
-    - Role: 'PROJECT_APP_EDITOR'
-      Permissions:
-        - "project.read"
        - "project.app.read"
-        - "project.app.write"
-    - Role: 'PROJECT_APP_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.app.read"
-    - Role: 'PROJECT_GRANT_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.write"
-        - "project.grant.delete"
-    - Role: 'PROJECT_GRANT_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-    - Role: 'PROJECT_GRANT_MEMBER_EDITOR'
-      Permissions:
-        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
-        - "project.grant.member.write"
-        - "project.grant.member.delete"
-    - Role: 'PROJECT_GRANT_MEMBER_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.member.read"
-    - Role: 'PROJECT_USER_GRANT_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.user.grant.read"
-        - "project.user.grant.write"
-        - "project.user.grant.delete"
-    - Role: 'PROJECT_USER_GRANT_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.user.grant.read"
+        - "user.read"
+        - "user.grant.read"
    - Role: 'PROJECT_GRANT_OWNER'
      Permissions:
        - "project.read"
        - "project.grant.read"
-        - "project.grant.write"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
-    - Role: 'PROJECT_GRANT_MEMBER_EDITOR'
+        - "user.read"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.grant.delete"
+    - Role: 'PROJECT_GRANT_OWNER'
      Permissions:
        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
-        - "project.grant.member.write"
-        - "project.grant.member.delete"
-    - Role: 'PROJECT_GRANT_MEMBER_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.member.read"
-    - Role: 'PROJECT_GRANT_USER_GRANT_EDITOR'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.user.grant.read"
-        - "project.grant.user.grant.write"
-        - "project.grant.user.grant.delete"
-    - Role: 'PROJECT_GRANT_USER_GRANT_VIEWER'
-      Permissions:
-        - "project.read"
-        - "project.grant.read"
-        - "project.grant.user.grant.read"
+        - "user.read"
+        - "user.grant.read"
--- a/internal/api/authz/authorization.go
+++ b/internal/api/authz/authorization.go
@ -98,7 +98,19 @@ func HasGlobalPermission(perms []string) bool {
 	return false
 }

-func GetPermissionCtxIDs(perms []string) []string {
+func HasGlobalExplicitPermission(perms []string, permToCheck string) bool {
+	for _, perm := range perms {
+		p, ctxID := SplitPermission(perm)
+		if p == permToCheck {
+			if ctxID == "" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func GetAllPermissionCtxIDs(perms []string) []string {
 	ctxIDs := make([]string, 0)
 	for _, perm := range perms {
 		_, ctxID := SplitPermission(perm)
@ -108,3 +120,16 @@ func GetPermissionCtxIDs(perms []string) []string {
 	}
 	return ctxIDs
 }
+
+func GetExplicitPermissionCtxIDs(perms []string, searchPerm string) []string {
+	ctxIDs := make([]string, 0)
+	for _, perm := range perms {
+		p, ctxID := SplitPermission(perm)
+		if p == searchPerm {
+			if ctxID != "" {
+				ctxIDs = append(ctxIDs, ctxID)
+			}
+		}
+	}
+	return ctxIDs
+}
--- a/internal/api/authz/authorization_test.go
+++ b/internal/api/authz/authorization_test.go
@ -269,7 +269,7 @@ func Test_GetPermissionCtxIDs(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := GetPermissionCtxIDs(tt.args.perms)
+			result := GetAllPermissionCtxIDs(tt.args.perms)
 			if !equalStringArray(result, tt.result) {
 				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
 			}
--- a/internal/api/authz/context.go
+++ b/internal/api/authz/context.go
@ -10,8 +10,9 @@ import (
 type key int

 const (
-	permissionsKey key = 1
+	requestPermissionsKey key = 1
 	dataKey               key = 2
+	allPermissionsKey     key = 3
 )

 type CtxData struct {
@ -59,7 +60,12 @@ func GetCtxData(ctx context.Context) CtxData {
 	return ctxData
 }

-func GetPermissionsFromCtx(ctx context.Context) []string {
-	ctxPermission, _ := ctx.Value(permissionsKey).([]string)
+func GetRequestPermissionsFromCtx(ctx context.Context) []string {
+	ctxPermission, _ := ctx.Value(requestPermissionsKey).([]string)
+	return ctxPermission
+}
+
+func GetAllPermissionsFromCtx(ctx context.Context) []string {
+	ctxPermission, _ := ctx.Value(allPermissionsKey).([]string)
 	return ctxPermission
 }
--- a/internal/api/authz/permissions.go
+++ b/internal/api/authz/permissions.go
@ -16,34 +16,40 @@ func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPer
 		return nil, nil, err
 	}
 	if grant == nil {
-		return context.WithValue(ctx, permissionsKey, []string{}), []string{}, nil
+		return context.WithValue(ctx, requestPermissionsKey, []string{}), []string{}, nil
 	}
-	permissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
-	return context.WithValue(ctx, permissionsKey, permissions), permissions, nil
+	requestPermissions, allPermissions := mapGrantToPermissions(requiredPerm, grant, authConfig)
+	ctx = context.WithValue(ctx, allPermissionsKey, allPermissions)
+	return context.WithValue(ctx, requestPermissionsKey, requestPermissions), requestPermissions, nil
 }

-func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) []string {
-	resolvedPermissions := make([]string, 0)
+func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) ([]string, []string) {
+	requestPermissions := make([]string, 0)
+	allPermissions := make([]string, 0)
 	for _, role := range grant.Roles {
-		resolvedPermissions = mapRoleToPerm(requiredPerm, role, authConfig, resolvedPermissions)
+		requestPermissions, allPermissions = mapRoleToPerm(requiredPerm, role, authConfig, requestPermissions, allPermissions)
 	}

-	return resolvedPermissions
+	return requestPermissions, allPermissions
 }

-func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, resolvedPermissions []string) []string {
+func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
 	roleName, roleContextID := SplitPermission(actualRole)
 	perms := authConfig.getPermissionsFromRole(roleName)

 	for _, p := range perms {
+		permWithCtx := addRoleContextIDToPerm(p, roleContextID)
+		if !ExistsPerm(allPermissions, permWithCtx) {
+			allPermissions = append(allPermissions, permWithCtx)
+		}
+
 		if p == requiredPerm {
-			p = addRoleContextIDToPerm(p, roleContextID)
-			if !ExistsPerm(resolvedPermissions, p) {
-				resolvedPermissions = append(resolvedPermissions, p)
+			if !ExistsPerm(requestPermissions, permWithCtx) {
+				requestPermissions = append(requestPermissions, permWithCtx)
 			}
 		}
 	}
-	return resolvedPermissions
+	return requestPermissions, allPermissions
 }

 func addRoleContextIDToPerm(perm, roleContextID string) string {
--- a/internal/api/authz/permissions_test.go
+++ b/internal/api/authz/permissions_test.go
@ -159,7 +159,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 	tests := []struct {
 		name         string
 		args         args
-		result []string
+		requestPerms []string
+		allPerms     []string
 	}{
 		{
 			name: "One Role existing perm",
@ -179,7 +180,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "One Role not existing perm",
@ -199,7 +201,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{},
+			requestPerms: []string{},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "Multiple Roles one existing",
@ -219,7 +222,8 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "Multiple Roles, global and specific",
@ -239,14 +243,18 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 					},
 				},
 			},
-			result: []string{"project.read", "project.read:1"},
+			requestPerms: []string{"project.read", "project.read:1"},
+			allPerms:     []string{"org.read", "project.read", "project.read:1"},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
-			if !equalStringArray(result, tt.result) {
-				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			requestPerms, allPerms := mapGrantToPermissions(tt.args.requiredPerm, tt.args.grant, tt.args.authConfig)
+			if !equalStringArray(requestPerms, tt.requestPerms) {
+				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
+			}
+			if !equalStringArray(allPerms, tt.allPerms) {
+				t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
 			}
 		})
 	}
@ -257,12 +265,14 @@ func Test_MapRoleToPerm(t *testing.T) {
 		requiredPerm string
 		actualRole   string
 		authConfig   Config
-		resolvedPermissions []string
+		requestPerms []string
+		allPerms     []string
 	}
 	tests := []struct {
 		name         string
 		args         args
-		result []string
+		requestPerms []string
+		allPerms     []string
 	}{
 		{
 			name: "first perm without context id",
@ -281,9 +291,11 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{},
+				requestPerms: []string{},
+				allPerms:     []string{},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "existing perm without context id",
@ -302,9 +314,11 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{"project.read"},
+				requestPerms: []string{"project.read"},
+				allPerms:     []string{"org.read", "project.read"},
 			},
-			result: []string{"project.read"},
+			requestPerms: []string{"project.read"},
+			allPerms:     []string{"org.read", "project.read"},
 		},
 		{
 			name: "first perm with context id",
@ -323,9 +337,11 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{},
+				requestPerms: []string{},
+				allPerms:     []string{},
 			},
-			result: []string{"project.read:1"},
+			requestPerms: []string{"project.read:1"},
+			allPerms:     []string{"project.read:1"},
 		},
 		{
 			name: "perm with context id, existing global",
@ -344,16 +360,21 @@ func Test_MapRoleToPerm(t *testing.T) {
 						},
 					},
 				},
-				resolvedPermissions: []string{"project.read"},
+				requestPerms: []string{"project.read"},
+				allPerms:     []string{"org.read", "project.read"},
 			},
-			result: []string{"project.read", "project.read:1"},
+			requestPerms: []string{"project.read", "project.read:1"},
+			allPerms:     []string{"org.read", "project.read", "project.read:1"},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.resolvedPermissions)
-			if !equalStringArray(result, tt.result) {
-				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			requestPerms, allPerms := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.requestPerms, tt.args.allPerms)
+			if !equalStringArray(requestPerms, tt.requestPerms) {
+				t.Errorf("got wrong requestPerms, expecting: %v, actual: %v ", tt.requestPerms, requestPerms)
+			}
+			if !equalStringArray(allPerms, tt.allPerms) {
+				t.Errorf("got wrong allPerms, expecting: %v, actual: %v ", tt.allPerms, allPerms)
 			}
 		})
 	}
--- a/internal/api/grpc/management/project.go
+++ b/internal/api/grpc/management/project.go
@ -61,7 +61,7 @@ func (s *Server) ProjectByID(ctx context.Context, id *management.ProjectID) (*ma
 func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) {
 	request := grantedProjectSearchRequestsToModel(in)
 	request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
-	response, err := s.project.SearchProjectGrants(ctx, request)
+	response, err := s.project.SearchGrantedProjects(ctx, request)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@ -27,6 +27,22 @@ func (s *Server) UserGrantByID(ctx context.Context, request *management.UserGran
 	return userGrantViewFromModel(user), nil
 }

+func (s *Server) CreateUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
+	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) UpdateUserGrant(ctx context.Context, in *management.UserGrantUpdate) (*management.UserGrant, error) {
+	user, err := s.usergrant.ChangeUserGrant(ctx, userGrantUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
 func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
 	if err != nil {
--- a/internal/auth/repository/eventsourcing/handler/user_grant.go
+++ b/internal/auth/repository/eventsourcing/handler/user_grant.go
@ -231,7 +231,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
 			return err
 		}
 		if roleSuffix != "" {
-			roleKeys = suffixRoles(event.AggregateID, roleKeys)
+			roleKeys = suffixRoles(roleSuffix, roleKeys)
 		}
 		if errors.IsNotFound(err) {
 			grant = &view_model.UserGrantView{
--- a/internal/authz/repository/eventsourcing/handler/user_grant.go
+++ b/internal/authz/repository/eventsourcing/handler/user_grant.go
@ -150,7 +150,7 @@ func (u *UserGrant) processMember(event *models.Event, rolePrefix, roleSuffix st
 			return err
 		}
 		if roleSuffix != "" {
-			roleKeys = suffixRoles(event.AggregateID, roleKeys)
+			roleKeys = suffixRoles(roleSuffix, roleKeys)
 		}
 		if errors.IsNotFound(err) {
 			grant = &view_model.UserGrantView{
--- a/internal/management/repository/eventsourcing/eventstore/project.go
+++ b/internal/management/repository/eventsourcing/eventstore/project.go
@ -82,15 +82,38 @@ func (repo *ProjectRepo) ReactivateProject(ctx context.Context, id string) (*pro

 func (repo *ProjectRepo) SearchProjects(ctx context.Context, request *proj_model.ProjectViewSearchRequest) (*proj_model.ProjectViewSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
-
-	permissions := authz.GetPermissionsFromCtx(ctx)
-	if !authz.HasGlobalPermission(permissions) {
-		ids := authz.GetPermissionCtxIDs(permissions)
-		request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
-	}
-
 	sequence, err := repo.View.GetLatestProjectSequence()
 	logging.Log("EVENT-Edc56").OnError(err).Warn("could not read latest project sequence")
+
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if !authz.HasGlobalPermission(permissions) {
+		ids := authz.GetAllPermissionCtxIDs(permissions)
+		if _, q := request.GetSearchQuery(proj_model.ProjectViewSearchKeyProjectID); q != nil {
+			containsID := false
+			for _, id := range ids {
+				if id == q.Value {
+					containsID = true
+					break
+				}
+			}
+			if !containsID {
+				result := &proj_model.ProjectViewSearchResponse{
+					Offset:      request.Offset,
+					Limit:       request.Limit,
+					TotalResult: uint64(0),
+					Result:      []*proj_model.ProjectView{},
+				}
+				if err == nil {
+					result.Sequence = sequence.CurrentSequence
+					result.Timestamp = sequence.CurrentTimestamp
+				}
+				return result, nil
+			}
+		} else {
+			request.Queries = append(request.Queries, &proj_model.ProjectViewSearchQuery{Key: proj_model.ProjectViewSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
+		}
+	}
+
 	projects, count, err := repo.View.SearchProjects(request)
 	if err != nil {
 		return nil, err
@ -348,6 +371,57 @@ func (repo *ProjectRepo) SearchProjectGrants(ctx context.Context, request *proj_
 	return result, nil
 }

+func (repo *ProjectRepo) SearchGrantedProjects(ctx context.Context, request *proj_model.ProjectGrantViewSearchRequest) (*proj_model.ProjectGrantViewSearchResponse, error) {
+	request.EnsureLimit(repo.SearchLimit)
+	sequence, err := repo.View.GetLatestProjectGrantSequence()
+	logging.Log("EVENT-Skw9f").OnError(err).Warn("could not read latest project grant sequence")
+
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if !authz.HasGlobalPermission(permissions) {
+		ids := authz.GetAllPermissionCtxIDs(permissions)
+		if _, q := request.GetSearchQuery(proj_model.GrantedProjectSearchKeyGrantID); q != nil {
+			containsID := false
+			for _, id := range ids {
+				if id == q.Value {
+					containsID = true
+					break
+				}
+			}
+			if !containsID {
+				result := &proj_model.ProjectGrantViewSearchResponse{
+					Offset:      request.Offset,
+					Limit:       request.Limit,
+					TotalResult: uint64(0),
+					Result:      []*proj_model.ProjectGrantView{},
+				}
+				if err == nil {
+					result.Sequence = sequence.CurrentSequence
+					result.Timestamp = sequence.CurrentTimestamp
+				}
+				return result, nil
+			}
+		} else {
+			request.Queries = append(request.Queries, &proj_model.ProjectGrantViewSearchQuery{Key: proj_model.GrantedProjectSearchKeyGrantID, Method: global_model.SearchMethodIsOneOf, Value: ids})
+		}
+	}
+
+	projects, count, err := repo.View.SearchProjectGrants(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &proj_model.ProjectGrantViewSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: uint64(count),
+		Result:      model.ProjectGrantsToModel(projects),
+	}
+	if err == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = sequence.CurrentTimestamp
+	}
+	return result, nil
+}
+
 func (repo *ProjectRepo) AddProjectGrant(ctx context.Context, grant *proj_model.ProjectGrant) (*proj_model.ProjectGrant, error) {
 	return repo.ProjectEvents.AddProjectGrant(ctx, grant)
 }
--- a/internal/management/repository/eventsourcing/eventstore/user_grant.go
+++ b/internal/management/repository/eventsourcing/eventstore/user_grant.go
@ -3,10 +3,18 @@ package eventstore
 import (
 	"context"
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errors "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
+	global_model "github.com/caos/zitadel/internal/model"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	grant_event "github.com/caos/zitadel/internal/usergrant/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/usergrant/repository/view/model"
+	"github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	projectReadPerm = "project.read"
 )

 type UserGrantRepo struct {
@ -24,34 +32,88 @@ func (repo *UserGrantRepo) UserGrantByID(ctx context.Context, grantID string) (*
 }

 func (repo *UserGrantRepo) AddUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
+	err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.AddUserGrant(ctx, grant)
 }

 func (repo *UserGrantRepo) ChangeUserGrant(ctx context.Context, grant *grant_model.UserGrant) (*grant_model.UserGrant, error) {
+	err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.ChangeUserGrant(ctx, grant)
 }

 func (repo *UserGrantRepo) DeactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
+	grant, err := repo.UserGrantByID(ctx, grantID)
+	if err != nil {
+		return nil, err
+	}
+	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.DeactivateUserGrant(ctx, grantID)
 }

 func (repo *UserGrantRepo) ReactivateUserGrant(ctx context.Context, grantID string) (*grant_model.UserGrant, error) {
+	grant, err := repo.UserGrantByID(ctx, grantID)
+	if err != nil {
+		return nil, err
+	}
+	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return nil, err
+	}
 	return repo.UserGrantEvents.ReactivateUserGrant(ctx, grantID)
 }

 func (repo *UserGrantRepo) RemoveUserGrant(ctx context.Context, grantID string) error {
+	grant, err := repo.UserGrantByID(ctx, grantID)
+	if err != nil {
+		return err
+	}
+	err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+	if err != nil {
+		return err
+	}
 	return repo.UserGrantEvents.RemoveUserGrant(ctx, grantID)
 }

 func (repo *UserGrantRepo) BulkAddUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	for _, grant := range grants {
+		err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+		if err != nil {
+			return err
+		}
+	}
 	return repo.UserGrantEvents.AddUserGrants(ctx, grants...)
 }

 func (repo *UserGrantRepo) BulkChangeUserGrant(ctx context.Context, grants ...*grant_model.UserGrant) error {
+	for _, grant := range grants {
+		err := checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+		if err != nil {
+			return err
+		}
+	}
 	return repo.UserGrantEvents.ChangeUserGrants(ctx, grants...)
 }

 func (repo *UserGrantRepo) BulkRemoveUserGrant(ctx context.Context, grantIDs ...string) error {
+	for _, grantID := range grantIDs {
+		grant, err := repo.UserGrantByID(ctx, grantID)
+		if err != nil {
+			return err
+		}
+		err = checkExplicitPermission(ctx, grant.GrantID, grant.ProjectID)
+		if err != nil {
+			return err
+		}
+	}
 	return repo.UserGrantEvents.RemoveUserGrants(ctx, grantIDs...)
 }

@ -59,11 +121,18 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
 	request.EnsureLimit(repo.SearchLimit)
 	sequence, err := repo.View.GetLatestUserGrantSequence()
 	logging.Log("EVENT-5Viwf").OnError(err).Warn("could not read latest user grant sequence")
+
+	result := handleSearchUserGrantPermissions(ctx, request, sequence)
+	if result != nil {
+		return result, nil
+	}
+
 	grants, count, err := repo.View.SearchUserGrants(request)
 	if err != nil {
 		return nil, err
 	}
-	result := &grant_model.UserGrantSearchResponse{
+
+	result = &grant_model.UserGrantSearchResponse{
 		Offset:      request.Offset,
 		Limit:       request.Limit,
 		TotalResult: uint64(count),
@ -75,3 +144,67 @@ func (repo *UserGrantRepo) SearchUserGrants(ctx context.Context, request *grant_
 	}
 	return result, nil
 }
+
+func handleSearchUserGrantPermissions(ctx context.Context, request *grant_model.UserGrantSearchRequest, sequence *repository.CurrentSequence) *grant_model.UserGrantSearchResponse {
+	permissions := authz.GetAllPermissionsFromCtx(ctx)
+	if authz.HasGlobalExplicitPermission(permissions, projectReadPerm) {
+		return nil
+	}
+
+	ids := authz.GetExplicitPermissionCtxIDs(permissions, projectReadPerm)
+	if _, q := request.GetSearchQuery(grant_model.UserGrantSearchKeyProjectID); q != nil {
+		containsID := false
+		for _, id := range ids {
+			if id == q.Value {
+				containsID = true
+				break
+			}
+		}
+		if !containsID {
+			result := &grant_model.UserGrantSearchResponse{
+				Offset:      request.Offset,
+				Limit:       request.Limit,
+				TotalResult: uint64(0),
+				Result:      []*grant_model.UserGrantView{},
+			}
+			if sequence != nil {
+				result.Sequence = sequence.CurrentSequence
+				result.Timestamp = sequence.CurrentTimestamp
+			}
+			return result
+		}
+	}
+	request.Queries = append(request.Queries, &grant_model.UserGrantSearchQuery{Key: grant_model.UserGrantSearchKeyProjectID, Method: global_model.SearchMethodIsOneOf, Value: ids})
+	return nil
+}
+
+func checkExplicitPermission(ctx context.Context, grantID, projectID string) error {
+	permissions := authz.GetRequestPermissionsFromCtx(ctx)
+	if authz.HasGlobalPermission(permissions) {
+		return nil
+	}
+	ids := authz.GetAllPermissionCtxIDs(permissions)
+	containsID := false
+	if grantID != "" {
+		containsID = listContainsID(ids, grantID)
+		if containsID {
+			return nil
+		}
+	}
+	containsID = listContainsID(ids, projectID)
+	if !containsID {
+		return caos_errors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+	}
+	return nil
+}
+
+func listContainsID(ids []string, id string) bool {
+	containsID := false
+	for _, i := range ids {
+		if i == id {
+			containsID = true
+			break
+		}
+	}
+	return containsID
+}
--- a/internal/management/repository/project.go
+++ b/internal/management/repository/project.go
@ -14,6 +14,7 @@ type ProjectRepository interface {
 	ReactivateProject(ctx context.Context, id string) (*model.Project, error)
 	SearchProjects(ctx context.Context, request *model.ProjectViewSearchRequest) (*model.ProjectViewSearchResponse, error)
 	SearchProjectGrants(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
+	SearchGrantedProjects(ctx context.Context, request *model.ProjectGrantViewSearchRequest) (*model.ProjectGrantViewSearchResponse, error)
 	ProjectGrantViewByID(ctx context.Context, grantID string) (*model.ProjectGrantView, error)

 	ProjectMemberByID(ctx context.Context, projectID, userID string) (*model.ProjectMemberView, error)
--- a/internal/project/model/project_grant_view.go
+++ b/internal/project/model/project_grant_view.go
@ -56,6 +56,15 @@ type ProjectGrantViewSearchResponse struct {
 	Timestamp   time.Time
 }

+func (r *ProjectGrantViewSearchRequest) GetSearchQuery(key ProjectGrantViewSearchKey) (int, *ProjectGrantViewSearchQuery) {
+	for i, q := range r.Queries {
+		if q.Key == key {
+			return i, q
+		}
+	}
+	return -1, nil
+}
+
 func (r *ProjectGrantViewSearchRequest) AppendMyOrgQuery(orgID string) {
 	r.Queries = append(r.Queries, &ProjectGrantViewSearchQuery{Key: GrantedProjectSearchKeyOrgID, Method: model.SearchMethodEquals, Value: orgID})
 }
--- a/internal/project/model/project_view.go
+++ b/internal/project/model/project_view.go
@ -47,6 +47,15 @@ type ProjectViewSearchResponse struct {
 	Timestamp   time.Time
 }

+func (r *ProjectViewSearchRequest) GetSearchQuery(key ProjectViewSearchKey) (int, *ProjectViewSearchQuery) {
+	for i, q := range r.Queries {
+		if q.Key == key {
+			return i, q
+		}
+	}
+	return -1, nil
+}
+
 func (r *ProjectViewSearchRequest) AppendMyResourceOwnerQuery(orgID string) {
 	r.Queries = append(r.Queries, &ProjectViewSearchQuery{Key: ProjectViewSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
 }
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@ -109,6 +109,7 @@ Errors:
    IDMissing: Id fehlt
    NotActive: Benutzer Berechtigung ist nicht aktiv
    NotInactive: Benutzer Berechtigung ist nicht deaktiviert
+    NoPermissionForProject: Benutzer hat keine Rechte auf diesem Projekt
  Changes:
    NotFound: Es konnte kein Änderungsverlauf gefunden werden
  Token:
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@ -109,6 +109,7 @@ Errors:
    IDMissing: Id missing
    NotActive: User grant is not active
    NotInactive: User grant is not deactivated
+    NoPermissionForProject: User has no permissions on this project
  Changes:
    NotFound: No history found
  Token:
--- a/internal/usergrant/model/user_grant_view.go
+++ b/internal/usergrant/model/user_grant_view.go
@ -71,6 +71,15 @@ func (r *UserGrantSearchRequest) EnsureLimit(limit uint64) {
 	}
 }

+func (r *UserGrantSearchRequest) GetSearchQuery(key UserGrantSearchKey) (int, *UserGrantSearchQuery) {
+	for i, q := range r.Queries {
+		if q.Key == key {
+			return i, q
+		}
+	}
+	return -1, nil
+}
+
 func (r *UserGrantSearchRequest) AppendMyOrgQuery(orgID string) {
 	r.Queries = append(r.Queries, &UserGrantSearchQuery{Key: UserGrantSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
 }
--- a/internal/view/repository/query.go
+++ b/internal/view/repository/query.go
@ -76,7 +76,7 @@ func SetQuery(query *gorm.DB, key ColumnKey, value interface{}, method model.Sea
 	case model.SearchMethodStartsWith:
 		valueText, ok := value.(string)
 		if !ok {
-			return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-idu8e", "Starts with only possible for strings")
+			return nil, caos_errs.ThrowInvalidArgument(nil, "VIEW-SLj7s", "Starts with only possible for strings")
 		}
 		query = query.Where(column+" LIKE ?", valueText+"%")
 	case model.SearchMethodStartsWithIgnoreCase:
--- a/pkg/grpc/management/management.pb.authoptions.go
+++ b/pkg/grpc/management/management.pb.authoptions.go
@ -321,7 +321,7 @@ var ManagementService_AuthMethods = authz.MethodMapping{

 	"/caos.zitadel.management.api.v1.ManagementService/SearchGrantedProjects": authz.Option{
 		Permission: "project.read",
-		CheckParam: "ProjectId",
+		CheckParam: "",
 	},

 	"/caos.zitadel.management.api.v1.ManagementService/GetGrantedProjectByID": authz.Option{
@ -494,6 +494,16 @@ var ManagementService_AuthMethods = authz.MethodMapping{
 		CheckParam: "",
 	},

+	"/caos.zitadel.management.api.v1.ManagementService/CreateUserGrant": authz.Option{
+		Permission: "user.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateUserGrant": authz.Option{
+		Permission: "user.grant.write",
+		CheckParam: "",
+	},
+
 	"/caos.zitadel.management.api.v1.ManagementService/DeactivateUserGrant": authz.Option{
 		Permission: "user.grant.write",
 		CheckParam: "",
--- a/pkg/grpc/management/management.pb.go
+++ b/pkg/grpc/management/management.pb.go
--- a/pkg/grpc/management/management.pb.gw.go
+++ b/pkg/grpc/management/management.pb.gw.go
@ -2839,6 +2839,87 @@ func request_ManagementService_UserGrantByID_0(ctx context.Context, marshaler ru

 }

+func request_ManagementService_CreateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq UserGrantCreate
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["user_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
+	}
+
+	protoReq.UserId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
+	}
+
+	msg, err := client.CreateUserGrant(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_ManagementService_UpdateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq UserGrantUpdate
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["user_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
+	}
+
+	protoReq.UserId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
+	}
+
+	val, ok = pathParams["id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "id")
+	}
+
+	protoReq.Id, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
+	}
+
+	msg, err := client.UpdateUserGrant(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
 func request_ManagementService_DeactivateUserGrant_0(ctx context.Context, marshaler runtime.Marshaler, client ManagementServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq UserGrantID
 	var metadata runtime.ServerMetadata
@ -5606,6 +5687,46 @@ func RegisterManagementServiceHandlerClient(ctx context.Context, mux *runtime.Se

 	})

+	mux.Handle("POST", pattern_ManagementService_CreateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_ManagementService_CreateUserGrant_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_ManagementService_CreateUserGrant_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("PUT", pattern_ManagementService_UpdateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_ManagementService_UpdateUserGrant_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_ManagementService_UpdateUserGrant_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("PUT", pattern_ManagementService_DeactivateUserGrant_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@ -6128,6 +6249,10 @@ var (

 	pattern_ManagementService_UserGrantByID_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"users", "user_id", "grants", "id"}, ""))

+	pattern_ManagementService_CreateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"users", "user_id", "grants"}, ""))
+
+	pattern_ManagementService_UpdateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"users", "user_id", "grants", "id"}, ""))
+
 	pattern_ManagementService_DeactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_deactivate"}, ""))

 	pattern_ManagementService_ReactivateUserGrant_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"users", "user_id", "grants", "id", "_reactivate"}, ""))
@ -6360,6 +6485,10 @@ var (

 	forward_ManagementService_UserGrantByID_0 = runtime.ForwardResponseMessage

+	forward_ManagementService_CreateUserGrant_0 = runtime.ForwardResponseMessage
+
+	forward_ManagementService_UpdateUserGrant_0 = runtime.ForwardResponseMessage
+
 	forward_ManagementService_DeactivateUserGrant_0 = runtime.ForwardResponseMessage

 	forward_ManagementService_ReactivateUserGrant_0 = runtime.ForwardResponseMessage
--- a/pkg/grpc/management/mock/management.proto.mock.go
+++ b/pkg/grpc/management/mock/management.proto.mock.go
@ -517,6 +517,26 @@ func (mr *MockManagementServiceClientMockRecorder) CreateUser(arg0, arg1 interfa
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUser", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUser), varargs...)
 }

+// CreateUserGrant mocks base method
+func (m *MockManagementServiceClient) CreateUserGrant(arg0 context.Context, arg1 *management.UserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "CreateUserGrant", varargs...)
+	ret0, _ := ret[0].(*management.UserGrant)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateUserGrant indicates an expected call of CreateUserGrant
+func (mr *MockManagementServiceClientMockRecorder) CreateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUserGrant), varargs...)
+}
+
 // DeactivateApplication mocks base method
 func (m *MockManagementServiceClient) DeactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) {
 	m.ctrl.T.Helper()
@ -2257,6 +2277,26 @@ func (mr *MockManagementServiceClientMockRecorder) UpdateUserAddress(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserAddress", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserAddress), varargs...)
 }

+// UpdateUserGrant mocks base method
+func (m *MockManagementServiceClient) UpdateUserGrant(arg0 context.Context, arg1 *management.UserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "UpdateUserGrant", varargs...)
+	ret0, _ := ret[0].(*management.UserGrant)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateUserGrant indicates an expected call of UpdateUserGrant
+func (mr *MockManagementServiceClientMockRecorder) UpdateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserGrant), varargs...)
+}
+
 // UpdateUserProfile mocks base method
 func (m *MockManagementServiceClient) UpdateUserProfile(arg0 context.Context, arg1 *management.UpdateUserProfileRequest, arg2 ...grpc.CallOption) (*management.UserProfile, error) {
 	m.ctrl.T.Helper()
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
@ -722,7 +722,6 @@ service ManagementService {

        option (caos.zitadel.utils.v1.auth_option) = {
            permission: "project.read"
-            check_field_name: "ProjectId"
        };
    }

@ -1112,6 +1111,28 @@ service ManagementService {
        };
    }

+    rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) {
+        option (google.api.http) = {
+            post: "/users/{user_id}/grants"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "user.grant.write"
+        };
+    }
+
+    rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) {
+        option (google.api.http) = {
+            put: "/users/{user_id}/grants/{id}"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "user.grant.write"
+        };
+    }
+
    rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) {
        option (google.api.http) = {
            put: "/users/{user_id}/grants/{id}/_deactivate"
@ -1159,6 +1180,7 @@ service ManagementService {
    // search user grants based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projects/{project_id}/users/grants/_search"
            body: "*"
@ -1173,6 +1195,7 @@ service ManagementService {
    // get user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) {
+        option deprecated = true;
        option (google.api.http) = {
            get: "/projects/{project_id}/users/{user_id}/grants/{id}"
        };
@ -1186,6 +1209,7 @@ service ManagementService {
    // create user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projects/{project_id}/users/{user_id}/grants"
            body: "*"
@ -1200,6 +1224,7 @@ service ManagementService {
    // update user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projects/{project_id}/users/{user_id}/grants/{id}"
            body: "*"
@ -1214,6 +1239,7 @@ service ManagementService {
    // deactivate user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate"
            body: "*"
@ -1228,6 +1254,7 @@ service ManagementService {
    // reactivate user grant based on a project
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate"
            body: "*"
@ -1242,6 +1269,7 @@ service ManagementService {
    // search user grants based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projectgrants/{project_grant_id}/users/grants/_search"
            body: "*"
@ -1256,6 +1284,7 @@ service ManagementService {
    // get user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) {
+        option deprecated = true;
        option (google.api.http) = {
            get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
        };
@ -1269,6 +1298,7 @@ service ManagementService {
    // create user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            post: "/projectgrants/{project_grant_id}/users/{user_id}/grants"
            body: "*"
@ -1283,6 +1313,7 @@ service ManagementService {
    // update user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
            body: "*"
@ -1297,6 +1328,7 @@ service ManagementService {
    // deactivate user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate"
            body: "*"
@ -1311,6 +1343,7 @@ service ManagementService {
    // reactivate user grant based on a projectgrant
    // This request is required that the user authorizations of zitadel can be differentiated
    rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
+        option deprecated = true;
        option (google.api.http) = {
            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate"
            body: "*"