feat: iam members in admin api (#272)

* feat: iam members in admin api * feat: add error id in translate error * fix: resolve merge conflicts
2025-10-24 06:01:53 +00:00 · 2020-06-25 08:12:29 +02:00
parent 8bfa1a083c
commit 62b654ea18
27 changed files with 3023 additions and 363 deletions
--- a/pkg/admin/admin.go
+++ b/pkg/admin/admin.go
@@ -17,7 +17,12 @@ type Config struct {
 }

 func Start(ctx context.Context, config Config, authZRepo *authz_repo.EsRepository, authZ auth.Config, systemDefaults sd.SystemDefaults) {
-	repo, err := eventsourcing.Start(ctx, config.Repository, systemDefaults)
+	roles := make([]string, len(authZ.RolePermissionMappings))
+	for i, role := range authZ.RolePermissionMappings {
+		roles[i] = role.Role
+	}
+
+	repo, err := eventsourcing.Start(ctx, config.Repository, systemDefaults, roles)
 	logging.Log("MAIN-9uBxp").OnError(err).Panic("unable to start app")

 	api.Start(ctx, config.API, authZRepo, authZ, systemDefaults, repo)
--- a/pkg/admin/api/grpc/admin.pb.authoptions.go
+++ b/pkg/admin/api/grpc/admin.pb.authoptions.go
@@ -55,6 +55,31 @@ var AdminService_AuthMethods = utils_auth.MethodMapping{
 		CheckParam: "",
 	},

+	"/caos.zitadel.admin.api.v1.AdminService/GetIamMemberRoles": utils_auth.Option{
+		Permission: "iam.member.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/AddIamMember": utils_auth.Option{
+		Permission: "iam.member.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/ChangeIamMember": utils_auth.Option{
+		Permission: "iam.member.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/RemoveIamMember": utils_auth.Option{
+		Permission: "iam.member.delete",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.admin.api.v1.AdminService/SearchIamMembers": utils_auth.Option{
+		Permission: "iam.member.read",
+		CheckParam: "",
+	},
+
 	"/caos.zitadel.admin.api.v1.AdminService/GetViews": utils_auth.Option{
 		Permission: "iam.read",
 		CheckParam: "",
--- a/pkg/admin/api/grpc/admin.pb.go
+++ b/pkg/admin/api/grpc/admin.pb.go
--- a/pkg/admin/api/grpc/admin.pb.gw.go
+++ b/pkg/admin/api/grpc/admin.pb.gw.go
@@ -258,6 +258,111 @@ func request_AdminService_DeleteOrgIamPolicy_0(ctx context.Context, marshaler ru

 }

+func request_AdminService_GetIamMemberRoles_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq empty.Empty
+	var metadata runtime.ServerMetadata
+
+	msg, err := client.GetIamMemberRoles(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_AddIamMember_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq AddIamMemberRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.AddIamMember(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_ChangeIamMember_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq ChangeIamMemberRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["user_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
+	}
+
+	protoReq.UserId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
+	}
+
+	msg, err := client.ChangeIamMember(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_RemoveIamMember_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RemoveIamMemberRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["user_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "user_id")
+	}
+
+	protoReq.UserId, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "user_id", err)
+	}
+
+	msg, err := client.RemoveIamMember(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_SearchIamMembers_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq IamMemberSearchRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.SearchIamMembers(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
 func request_AdminService_GetViews_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq empty.Empty
 	var metadata runtime.ServerMetadata
@@ -621,6 +726,106 @@ func RegisterAdminServiceHandlerClient(ctx context.Context, mux *runtime.ServeMu

 	})

+	mux.Handle("GET", pattern_AdminService_GetIamMemberRoles_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_GetIamMemberRoles_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_GetIamMemberRoles_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AdminService_AddIamMember_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_AddIamMember_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_AddIamMember_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("PUT", pattern_AdminService_ChangeIamMember_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_ChangeIamMember_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_ChangeIamMember_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("DELETE", pattern_AdminService_RemoveIamMember_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_RemoveIamMember_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_RemoveIamMember_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AdminService_SearchIamMembers_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_SearchIamMembers_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_SearchIamMembers_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_AdminService_GetViews_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -727,6 +932,16 @@ var (

 	pattern_AdminService_DeleteOrgIamPolicy_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 2, 2}, []string{"orgs", "org_id", "iampolicy"}, ""))

+	pattern_AdminService_GetIamMemberRoles_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"members", "roles"}, ""))
+
+	pattern_AdminService_AddIamMember_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"members"}, ""))
+
+	pattern_AdminService_ChangeIamMember_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1}, []string{"members", "user_id"}, ""))
+
+	pattern_AdminService_RemoveIamMember_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1}, []string{"members", "user_id"}, ""))
+
+	pattern_AdminService_SearchIamMembers_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"members", "_search"}, ""))
+
 	pattern_AdminService_GetViews_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"views"}, ""))

 	pattern_AdminService_ClearView_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1, 1, 0, 4, 1, 5, 2}, []string{"views", "database", "view_name"}, ""))
@@ -759,6 +974,16 @@ var (

 	forward_AdminService_DeleteOrgIamPolicy_0 = runtime.ForwardResponseMessage

+	forward_AdminService_GetIamMemberRoles_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_AddIamMember_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_ChangeIamMember_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_RemoveIamMember_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_SearchIamMembers_0 = runtime.ForwardResponseMessage
+
 	forward_AdminService_GetViews_0 = runtime.ForwardResponseMessage

 	forward_AdminService_ClearView_0 = runtime.ForwardResponseMessage
--- a/pkg/admin/api/grpc/admin.swagger.json
+++ b/pkg/admin/api/grpc/admin.swagger.json
@@ -89,6 +89,128 @@
        ]
      }
    },
+    "/members": {
+      "post": {
+        "operationId": "AddIamMember",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1IamMember"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1AddIamMemberRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/members/_search": {
+      "post": {
+        "operationId": "SearchIamMembers",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1IamMemberSearchResponse"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1IamMemberSearchRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/members/roles": {
+      "get": {
+        "operationId": "GetIamMemberRoles",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1IamMemberRoles"
+            }
+          }
+        },
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/members/{user_id}": {
+      "delete": {
+        "operationId": "RemoveIamMember",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "properties": {}
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "user_id",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      },
+      "put": {
+        "operationId": "ChangeIamMember",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1IamMember"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "user_id",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1ChangeIamMemberRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
    "/orgs/_isunique": {
      "get": {
        "summary": "ORG",
@@ -450,6 +572,34 @@
      },
      "description": "`Value` represents a dynamically typed value which can be either\nnull, a number, a string, a boolean, a recursive struct value, or a\nlist of values. A producer of value is expected to set one of that\nvariants, absence of any variant indicates an error.\n\nThe JSON representation for `Value` is JSON value."
    },
+    "v1AddIamMemberRequest": {
+      "type": "object",
+      "properties": {
+        "user_id": {
+          "type": "string"
+        },
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "v1ChangeIamMemberRequest": {
+      "type": "object",
+      "properties": {
+        "user_id": {
+          "type": "string"
+        },
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
    "v1CreateOrgRequest": {
      "type": "object",
      "properties": {
@@ -559,6 +709,148 @@
      ],
      "default": "GENDER_UNSPECIFIED"
    },
+    "v1IamMember": {
+      "type": "object",
+      "properties": {
+        "user_id": {
+          "type": "string"
+        },
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "change_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "creation_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "sequence": {
+          "type": "string",
+          "format": "uint64"
+        }
+      }
+    },
+    "v1IamMemberRoles": {
+      "type": "object",
+      "properties": {
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "v1IamMemberSearchKey": {
+      "type": "string",
+      "enum": [
+        "IAMMEMBERSEARCHKEY_UNSPECIFIED",
+        "IAMMEMBERSEARCHKEY_FIRST_NAME",
+        "IAMMEMBERSEARCHKEY_LAST_NAME",
+        "IAMMEMBERSEARCHKEY_EMAIL",
+        "IAMMEMBERSEARCHKEY_USER_ID"
+      ],
+      "default": "IAMMEMBERSEARCHKEY_UNSPECIFIED"
+    },
+    "v1IamMemberSearchQuery": {
+      "type": "object",
+      "properties": {
+        "key": {
+          "$ref": "#/definitions/v1IamMemberSearchKey"
+        },
+        "method": {
+          "$ref": "#/definitions/v1SearchMethod"
+        },
+        "value": {
+          "type": "string"
+        }
+      }
+    },
+    "v1IamMemberSearchRequest": {
+      "type": "object",
+      "properties": {
+        "offset": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "limit": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "queries": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1IamMemberSearchQuery"
+          }
+        }
+      }
+    },
+    "v1IamMemberSearchResponse": {
+      "type": "object",
+      "properties": {
+        "offset": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "limit": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "total_result": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "result": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1IamMemberView"
+          }
+        }
+      }
+    },
+    "v1IamMemberView": {
+      "type": "object",
+      "properties": {
+        "user_id": {
+          "type": "string"
+        },
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "change_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "creation_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "sequence": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "user_name": {
+          "type": "string"
+        },
+        "email": {
+          "type": "string"
+        },
+        "first_name": {
+          "type": "string"
+        },
+        "last_name": {
+          "type": "string"
+        }
+      }
+    },
    "v1Org": {
      "type": "object",
      "properties": {
@@ -743,6 +1035,23 @@
      ],
      "default": "ORGSTATE_UNSPECIFIED"
    },
+    "v1SearchMethod": {
+      "type": "string",
+      "enum": [
+        "SEARCHMETHOD_EQUALS",
+        "SEARCHMETHOD_STARTS_WITH",
+        "SEARCHMETHOD_CONTAINS",
+        "SEARCHMETHOD_EQUALS_IGNORE_CASE",
+        "SEARCHMETHOD_STARTS_WITH_IGNORE_CASE",
+        "SEARCHMETHOD_CONTAINS_IGNORE_CASE",
+        "SEARCHMETHOD_NOT_EQUALS",
+        "SEARCHMETHOD_GREATER_THAN",
+        "SEARCHMETHOD_LESS_THAN",
+        "SEARCHMETHOD_IS_ONE_OF",
+        "SEARCHMETHOD_LIST_CONTAINS"
+      ],
+      "default": "SEARCHMETHOD_EQUALS"
+    },
    "v1UniqueOrgResponse": {
      "type": "object",
      "properties": {
--- a/pkg/admin/api/grpc/iam_member.go
+++ b/pkg/admin/api/grpc/iam_member.go
@@ -0,0 +1,41 @@
+package grpc
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetIamMemberRoles(ctx context.Context, _ *empty.Empty) (*IamMemberRoles, error) {
+	return &IamMemberRoles{Roles: s.iam.GetIamMemberRoles()}, nil
+}
+
+func (s *Server) SearchIamMembers(ctx context.Context, in *IamMemberSearchRequest) (*IamMemberSearchResponse, error) {
+	members, err := s.iam.SearchIamMembers(ctx, iamMemberSearchRequestToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return iamMemberSearchResponseFromModel(members), nil
+}
+
+func (s *Server) AddIamMember(ctx context.Context, member *AddIamMemberRequest) (*IamMember, error) {
+	addedMember, err := s.iam.AddIamMember(ctx, addIamMemberToModel(member))
+	if err != nil {
+		return nil, err
+	}
+
+	return iamMemberFromModel(addedMember), nil
+}
+
+func (s *Server) ChangeIamMember(ctx context.Context, member *ChangeIamMemberRequest) (*IamMember, error) {
+	changedMember, err := s.iam.ChangeIamMember(ctx, changeIamMemberToModel(member))
+	if err != nil {
+		return nil, err
+	}
+	return iamMemberFromModel(changedMember), nil
+}
+
+func (s *Server) RemoveIamMember(ctx context.Context, member *RemoveIamMemberRequest) (*empty.Empty, error) {
+	err := s.iam.RemoveIamMember(ctx, member.UserId)
+	return &empty.Empty{}, err
+}
--- a/pkg/admin/api/grpc/iam_member_converter.go
+++ b/pkg/admin/api/grpc/iam_member_converter.go
@@ -0,0 +1,138 @@
+package grpc
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/model"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func addIamMemberToModel(member *AddIamMemberRequest) *iam_model.IamMember {
+	memberModel := &iam_model.IamMember{
+		UserID: member.UserId,
+	}
+	memberModel.Roles = member.Roles
+
+	return memberModel
+}
+
+func changeIamMemberToModel(member *ChangeIamMemberRequest) *iam_model.IamMember {
+	memberModel := &iam_model.IamMember{
+		UserID: member.UserId,
+	}
+	memberModel.Roles = member.Roles
+
+	return memberModel
+}
+
+func iamMemberFromModel(member *iam_model.IamMember) *IamMember {
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-Lsp76").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-3fG5s").OnError(err).Debug("date parse failed")
+
+	return &IamMember{
+		UserId:       member.UserID,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Roles:        member.Roles,
+		Sequence:     member.Sequence,
+	}
+}
+
+func iamMemberSearchRequestToModel(request *IamMemberSearchRequest) *iam_model.IamMemberSearchRequest {
+	return &iam_model.IamMemberSearchRequest{
+		Limit:   request.Limit,
+		Offset:  request.Offset,
+		Queries: iamMemberSearchQueriesToModel(request.Queries),
+	}
+}
+
+func iamMemberSearchQueriesToModel(queries []*IamMemberSearchQuery) []*iam_model.IamMemberSearchQuery {
+	modelQueries := make([]*iam_model.IamMemberSearchQuery, len(queries))
+	for i, query := range queries {
+		modelQueries[i] = iamMemberSearchQueryToModel(query)
+	}
+
+	return modelQueries
+}
+
+func iamMemberSearchQueryToModel(query *IamMemberSearchQuery) *iam_model.IamMemberSearchQuery {
+	return &iam_model.IamMemberSearchQuery{
+		Key:    iamMemberSearchKeyToModel(query.Key),
+		Method: iamMemberSearchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func iamMemberSearchKeyToModel(key IamMemberSearchKey) iam_model.IamMemberSearchKey {
+	switch key {
+	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_EMAIL:
+		return iam_model.IamMemberSearchKeyEmail
+	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_FIRST_NAME:
+		return iam_model.IamMemberSearchKeyFirstName
+	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_LAST_NAME:
+		return iam_model.IamMemberSearchKeyLastName
+	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_USER_ID:
+		return iam_model.IamMemberSearchKeyUserID
+	default:
+		return iam_model.IamMemberSearchKeyUnspecified
+	}
+}
+
+func iamMemberSearchMethodToModel(key SearchMethod) model.SearchMethod {
+	switch key {
+	case SearchMethod_SEARCHMETHOD_CONTAINS:
+		return model.SearchMethodContains
+	case SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
+		return model.SearchMethodContainsIgnoreCase
+	case SearchMethod_SEARCHMETHOD_EQUALS:
+		return model.SearchMethodEquals
+	case SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
+		return model.SearchMethodEqualsIgnoreCase
+	case SearchMethod_SEARCHMETHOD_STARTS_WITH:
+		return model.SearchMethodStartsWith
+	case SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
+		return model.SearchMethodStartsWithIgnoreCase
+	default:
+		return -1
+	}
+}
+
+func iamMemberSearchResponseFromModel(resp *iam_model.IamMemberSearchResponse) *IamMemberSearchResponse {
+	return &IamMemberSearchResponse{
+		Limit:       resp.Limit,
+		Offset:      resp.Offset,
+		TotalResult: resp.TotalResult,
+		Result:      iamMembersFromView(resp.Result),
+	}
+}
+func iamMembersFromView(viewMembers []*iam_model.IamMemberView) []*IamMemberView {
+	members := make([]*IamMemberView, len(viewMembers))
+
+	for i, member := range viewMembers {
+		members[i] = iamMemberFromView(member)
+	}
+
+	return members
+}
+
+func iamMemberFromView(member *iam_model.IamMemberView) *IamMemberView {
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-Lso9c").OnError(err).Debug("unable to parse changedate")
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-6szE").OnError(err).Debug("unable to parse creation date")
+
+	return &IamMemberView{
+		ChangeDate:   changeDate,
+		CreationDate: creationDate,
+		Roles:        member.Roles,
+		Sequence:     member.Sequence,
+		UserId:       member.UserID,
+		UserName:     member.UserName,
+		Email:        member.Email,
+		FirstName:    member.FirstName,
+		LastName:     member.LastName,
+	}
+}
--- a/pkg/admin/api/grpc/server.go
+++ b/pkg/admin/api/grpc/server.go
@@ -15,22 +15,24 @@ import (
 var _ AdminServiceServer = (*Server)(nil)

 type Server struct {
-	port          string
-	org           repository.OrgRepository
+	port     string
+	org      repository.OrgRepository
+	iam      repository.IamRepository
 	administrator repository.AdministratorRepository
-	verifier      auth.TokenVerifier
-	authZ         auth.Config
-	repo          repository.Repository
+	verifier auth.TokenVerifier
+	authZ    auth.Config
+	repo     repository.Repository
 }

 func StartServer(conf grpc_util.ServerConfig, authZRepo *authz_repo.EsRepository, authZ auth.Config, repo repository.Repository) *Server {
 	return &Server{
-		port:          conf.Port,
-		org:           repo,
+		port:     conf.Port,
+		org:      repo,
+		iam:      repo,
 		administrator: repo,
-		repo:          repo,
-		authZ:         authZ,
-		verifier:      admin_auth.Start(authZRepo),
+		repo:     repo,
+		authZ:    authZ,
+		verifier: admin_auth.Start(authZRepo),
 	}
 }

--- a/pkg/admin/api/proto/admin.proto
+++ b/pkg/admin/api/proto/admin.proto
@@ -142,6 +142,59 @@ service AdminService {
        };
    }

+    rpc GetIamMemberRoles(google.protobuf.Empty) returns (IamMemberRoles) {
+        option (google.api.http) = {
+            get: "/members/roles"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.member.read"
+        };
+    }
+
+    rpc AddIamMember(AddIamMemberRequest) returns (IamMember) {
+        option (google.api.http) = {
+            post: "/members"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.member.write"
+        };
+    }
+
+    rpc ChangeIamMember(ChangeIamMemberRequest) returns (IamMember) {
+        option (google.api.http) = {
+            put: "/members/{user_id}"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.member.write"
+        };
+    }
+
+    rpc RemoveIamMember(RemoveIamMemberRequest) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            delete: "/members/{user_id}"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.member.delete"
+        };
+    }
+
+    rpc SearchIamMembers(IamMemberSearchRequest) returns (IamMemberSearchResponse) {
+        option (google.api.http) = {
+            post: "/members/_search"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.member.read"
+        };
+    }
+
    rpc GetViews(google.protobuf.Empty) returns (Views) {
        option (google.api.http) = {
            get: "/views"
@@ -340,6 +393,85 @@ message OrgIamPolicyID {
    string org_id = 1;
 }

+message IamMemberRoles {
+    repeated string roles = 1;
+}
+
+message IamMember {
+    string user_id = 1;
+    repeated string roles = 2;
+    google.protobuf.Timestamp change_date = 3;
+    google.protobuf.Timestamp creation_date = 4;
+    uint64 sequence = 5;
+}
+
+message AddIamMemberRequest {
+    string user_id = 1;
+    repeated string roles = 2;
+}
+
+message ChangeIamMemberRequest {
+    string user_id = 1;
+    repeated string roles = 2;
+}
+
+message RemoveIamMemberRequest {
+    string user_id = 1;
+}
+
+message IamMemberSearchResponse {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    uint64 total_result = 3;
+    repeated IamMemberView result = 4;
+}
+
+message IamMemberView {
+    string user_id = 1;
+    repeated string roles = 2;
+    google.protobuf.Timestamp change_date = 3;
+    google.protobuf.Timestamp creation_date = 4;
+    uint64 sequence = 5;
+    string user_name = 6;
+    string email = 7;
+    string first_name = 8;
+    string last_name = 9;
+}
+
+message IamMemberSearchRequest {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    repeated IamMemberSearchQuery queries = 3;
+}
+
+message IamMemberSearchQuery {
+    IamMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
+    SearchMethod method = 2;
+    string value = 3;
+}
+
+enum IamMemberSearchKey {
+    IAMMEMBERSEARCHKEY_UNSPECIFIED = 0;
+    IAMMEMBERSEARCHKEY_FIRST_NAME = 1;
+    IAMMEMBERSEARCHKEY_LAST_NAME = 2;
+    IAMMEMBERSEARCHKEY_EMAIL = 3;
+    IAMMEMBERSEARCHKEY_USER_ID = 4;
+}
+
+enum SearchMethod {
+    SEARCHMETHOD_EQUALS = 0;
+    SEARCHMETHOD_STARTS_WITH = 1;
+    SEARCHMETHOD_CONTAINS = 2;
+    SEARCHMETHOD_EQUALS_IGNORE_CASE = 3;
+    SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4;
+    SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5;
+    SEARCHMETHOD_NOT_EQUALS = 6;
+    SEARCHMETHOD_GREATER_THAN = 7;
+    SEARCHMETHOD_LESS_THAN = 8;
+    SEARCHMETHOD_IS_ONE_OF = 9;
+    SEARCHMETHOD_LIST_CONTAINS = 10;
+}
+
 message FailedEventID {
    string database = 1;
    string view_name = 2;