From a5bc68fdad4e1dcf6927a8ee4c74d6adcf326b49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabienne=20B=C3=BChler?=
Date: Tue, 4 Mar 2025 07:41:06 +0100
Subject: [PATCH] fix: add session roles to iam owner (#9413)
# Which Problems Are Solved
Currently I am not able to run the new login with a service account with an IAM_OWNER role. As the role is missing some permissions which the LOGIN_CLIENT role does have
# How the Problems Are Solved
Added session permissions to the IAM_OWNER
---------
Co-authored-by: Livio Spring
---
 cmd/defaults.yaml | 3 +++
 docs/docs/guides/manage/console/managers.mdx | 1 +
 2 files changed, 4 insertions(+)
diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index 059fce59ff..71ad22a4f9 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -1297,6 +1297,8 @@ InternalAuthZ:
 - "userschema.read"
 - "userschema.write"
 - "userschema.delete"
+ - "session.read"
+ - "session.delete"
 - Role: "IAM_OWNER_VIEWER"
 Permissions:
 - "iam.read"
@@ -1332,6 +1334,7 @@ InternalAuthZ:
 - "action.target.read"
 - "action.execution.read"
 - "userschema.read"
+ - "session.read"
 - Role: "IAM_ORG_MANAGER"
 Permissions:
 - "org.read"
diff --git a/docs/docs/guides/manage/console/managers.mdx b/docs/docs/guides/manage/console/managers.mdx
index 59d4a02bfb..626768ed97 100644
--- a/docs/docs/guides/manage/console/managers.mdx
+++ b/docs/docs/guides/manage/console/managers.mdx
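Review bot: The added `- "session.read"` and `- "session.delete"` entries in the first `cmd/defaults.yaml` hunk widen IAM_OWNER for every holder of the role, not only the service account that drives the login UI, and nothing in the file records why. I would put a comment above them, e.g. `# session.*: lets an IAM_OWNER service account run the login UI; IAM_LOGIN_CLIENT is the narrower role for that`, so a later least-privilege review of this mapping does not have to dig up the PR. The rest of the IAM_OWNER permission list starts outside the hunk, so whether it now covers everything the login client role holds cannot be confirmed from here. The same applies to the `- "session.read"` line added to IAM_OWNER_VIEWER in the second hunk, which the commit description does not mention at all.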
@@ -26,6 +26,7 @@ import AddManager from "./_add_manager.mdx";
 | IAM User Manager | IAM_USER_MANAGER | Manage all users and their authorizations over all organizations |
 | IAM Admin Impersonator | IAM_ADMIN_IMPERSONATOR | Allow impersonation of admin and end users from all organizations |
 | IAM Impersonator | IAM_END_USER_IMPERSONATOR | Allow impersonation of end users from all organizations |
+| IAM Login Client | IAM_LOGIN_CLIENT | Get all permissions needed to implement your own Login UI. |
 | Org Owner | ORG_OWNER | Manage everything within an organization |
 | Org Owner Viewer | ORG_OWNER_VIEWER | View everything within an organization |
 | Org User Manager | ORG_USER_MANAGER | Manage users and their authorizations within an organization |