fix: improve permission checks (#682)

* separate roles for global org * remove old user grant permissions * allow context permissions Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 01:37:31 +00:00 · 2020-09-01 16:38:34 +02:00
parent 0d44b69c0e
commit 370cd19a83
10 changed files with 98 additions and 36 deletions
--- a/cmd/zitadel/authz.yaml
+++ b/cmd/zitadel/authz.yaml
@@ -47,18 +47,12 @@ InternalAuthZ:
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
-        - "project.user.grant.read"
-        - "project.user.grant.write"
-        - "project.user.grant.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
-        - "project.grant.user.grant.read"
-        - "project.grant.user.grant.write"
-        - "project.grant.user.grant.delete"
    - Role: 'IAM_OWNER_VIEWER'
      Permissions:
        - "iam.read"
@@ -77,10 +71,8 @@ InternalAuthZ:
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
-        - "project.user.grant.read"
        - "project.grant.read"
        - "project.grant.member.read"
-        - "project.grant.user.grant.read"
    - Role: 'ORG_OWNER'
      Permissions:
        - "org.read"
@@ -116,18 +108,12 @@ InternalAuthZ:
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
-        - "project.user.grant.read"
-        - "project.user.grant.write"
-        - "project.user.grant.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
-        - "project.grant.user.grant.read"
-        - "project.grant.user.grant.write"
-        - "project.grant.user.grant.delete"
    - Role: 'ORG_OWNER_VIEWER'
      Permissions:
        - "org.read"
@@ -142,7 +128,6 @@ InternalAuthZ:
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
-        - "project.user.grant.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.user.grant.read"
@@ -224,6 +209,37 @@ InternalAuthZ:
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
+    - Role: 'PROJECT_OWNER_GLOBAL'
+      Permissions:
+        - "org.global.read"
+        - "project.read"
+        - "project.write"
+        - "project.delete"
+        - "project.member.read"
+        - "project.member.write"
+        - "project.member.delete"
+        - "project.role.read"
+        - "project.role.write"
+        - "project.role.delete"
+        - "project.app.read"
+        - "project.app.write"
+        - "project.app.delete"
+        - "user.global.read"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.grant.delete"
+        - "user.membership.read"
+    - Role: 'PROJECT_OWNER_VIEWER_GLOBAL'
+      Permissions:
+        - "project.read"
+        - "project.member.read"
+        - "project.role.read"
+        - "project.app.read"
+        - "project.grant.read"
+        - "project.grant.member.read"
+        - "user.global.read"
+        - "user.grant.read"
+        - "user.membership.read"
    - Role: 'PROJECT_GRANT_OWNER'
      Permissions:
        - "org.global.read"