mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 21:47:32 +00:00
feat: add SYSTEM_OWNER role (#6765)
* define roles and permissions * support system user memberships * don't limit system users * cleanup permissions * restrict memberships to aggregates * default to SYSTEM_OWNER * update unit tests * test: system user token test (#6778) * update unit tests * refactor: make authz testable * move session constants * cleanup * comment * comment * decode member type string to enum (#6780) * decode member type string to enum * handle all membership types * decode enums where necessary * decode member type in steps config * update system api docs * add technical advisory * tweak docs a bit * comment in comment * lint * extract token from Bearer header prefix * review changes * fix tests * fix: add fix for activityhandler * add isSystemUser * remove IsSystemUser from activity info * fix: add fix for activityhandler --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
@@ -51,7 +51,7 @@ func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context, orgID
|
||||
func userMembershipToMembership(membership *query.Membership) *authz.Membership {
|
||||
if membership.IAM != nil {
|
||||
return &authz.Membership{
|
||||
MemberType: authz.MemberTypeIam,
|
||||
MemberType: authz.MemberTypeIAM,
|
||||
AggregateID: membership.IAM.IAMID,
|
||||
ObjectID: membership.IAM.IAMID,
|
||||
Roles: membership.Roles,
|
||||
@@ -59,7 +59,7 @@ func userMembershipToMembership(membership *query.Membership) *authz.Membership
|
||||
}
|
||||
if membership.Org != nil {
|
||||
return &authz.Membership{
|
||||
MemberType: authz.MemberTypeOrganisation,
|
||||
MemberType: authz.MemberTypeOrganization,
|
||||
AggregateID: membership.Org.OrgID,
|
||||
ObjectID: membership.Org.OrgID,
|
||||
Roles: membership.Roles,
|
||||
|