feat(api): move authorization service to v2 (#10914)

# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, were moving all existing v2beta endpoints to v2 and deprecate
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the authorization v2beta service and its endpoints to a
corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The docs are moved to the new GA service and its endpoints. The v2beta
is not displayed anymore.
- The comments and have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with (google.api.field_behavior)
= REQUIRED and validation rules have been added where missing.
- The `organization_id` to create an authorization is now required to be
always passed. There's no implicit fallback to the project's
organization anymore.
- The `user_id` filter has been removed in favor of the recently added
`in_user_ids` filter.
- The returned `Authorization` object has been reworked to return
`project`, `organization` and `roles` as objects like the granted `user`
already was.
- Additionally the `roles` now not only contain the granted `role_keys`,
but also the `display_name` and `group`. To implement this the query has
been updated internally. Existing APIs are unchanged and still return
just the keys.

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/10772
- closes #10746 
- requires backport to v4.x

internal/api/grpc/authorization/v2/authorization.go

@@ -0,0 +1,76 @@
+package authorization
+
+import (
+	"context"
+
+	"connectrpc.com/connect"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	"github.com/zitadel/zitadel/pkg/grpc/authorization/v2"
+)
+
+func (s *Server) CreateAuthorization(ctx context.Context, req *connect.Request[authorization.CreateAuthorizationRequest]) (*connect.Response[authorization.CreateAuthorizationResponse], error) {
+	grant := &domain.UserGrant{
+		UserID:    req.Msg.UserId,
+		ProjectID: req.Msg.ProjectId,
+		RoleKeys:  req.Msg.RoleKeys,
+		ObjectRoot: models.ObjectRoot{
+			ResourceOwner: req.Msg.GetOrganizationId(),
+		},
+	}
+	grant, err := s.command.AddUserGrant(ctx, grant, s.command.NewPermissionCheckUserGrantWrite(ctx))
+	if err != nil {
+		return nil, err
+	}
+	return connect.NewResponse(&authorization.CreateAuthorizationResponse{
+		Id:           grant.AggregateID,
+		CreationDate: timestamppb.New(grant.ChangeDate),
+	}), nil
+}
+
+func (s *Server) UpdateAuthorization(ctx context.Context, request *connect.Request[authorization.UpdateAuthorizationRequest]) (*connect.Response[authorization.UpdateAuthorizationResponse], error) {
+	userGrant, err := s.command.ChangeUserGrant(ctx, &domain.UserGrant{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: request.Msg.Id,
+		},
+		RoleKeys: request.Msg.RoleKeys,
+	}, true, true, s.command.NewPermissionCheckUserGrantWrite(ctx))
+	if err != nil {
+		return nil, err
+	}
+	return connect.NewResponse(&authorization.UpdateAuthorizationResponse{
+		ChangeDate: timestamppb.New(userGrant.ChangeDate),
+	}), nil
+}
+
+func (s *Server) DeleteAuthorization(ctx context.Context, request *connect.Request[authorization.DeleteAuthorizationRequest]) (*connect.Response[authorization.DeleteAuthorizationResponse], error) {
+	details, err := s.command.RemoveUserGrant(ctx, request.Msg.Id, "", true, s.command.NewPermissionCheckUserGrantDelete(ctx))
+	if err != nil {
+		return nil, err
+	}
+	return connect.NewResponse(&authorization.DeleteAuthorizationResponse{
+		DeletionDate: timestamppb.New(details.EventDate),
+	}), nil
+}
+
+func (s *Server) ActivateAuthorization(ctx context.Context, request *connect.Request[authorization.ActivateAuthorizationRequest]) (*connect.Response[authorization.ActivateAuthorizationResponse], error) {
+	details, err := s.command.ReactivateUserGrant(ctx, request.Msg.Id, "", s.command.NewPermissionCheckUserGrantWrite(ctx))
+	if err != nil {
+		return nil, err
+	}
+	return connect.NewResponse(&authorization.ActivateAuthorizationResponse{
+		ChangeDate: timestamppb.New(details.EventDate),
+	}), nil
+}
+
+func (s *Server) DeactivateAuthorization(ctx context.Context, request *connect.Request[authorization.DeactivateAuthorizationRequest]) (*connect.Response[authorization.DeactivateAuthorizationResponse], error) {
+	details, err := s.command.DeactivateUserGrant(ctx, request.Msg.Id, "", s.command.NewPermissionCheckUserGrantWrite(ctx))
+	if err != nil {
+		return nil, err
+	}
+	return connect.NewResponse(&authorization.DeactivateAuthorizationResponse{
+		ChangeDate: timestamppb.New(details.EventDate),
+	}), nil
+}

internal/api/grpc/authorization/v2/integration_test/server_test.go

@@ -0,0 +1,67 @@
+//go:build integration
+
+package authorization_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
+)
+
+var (
+	EmptyCTX             context.Context
+	IAMCTX               context.Context
+	Instance             *integration.Instance
+	InstanceQuery        *integration.Instance
+	InstancePermissionV2 *integration.Instance
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
+		defer cancel()
+		EmptyCTX = ctx
+		Instance = integration.NewInstance(ctx)
+		InstanceQuery = integration.NewInstance(ctx) // use a separate instance for queries to avoid side effects
+		IAMCTX = Instance.WithAuthorizationToken(ctx, integration.UserTypeIAMOwner)
+		InstancePermissionV2 = integration.NewInstance(ctx)
+		return m.Run()
+	}())
+}
+
+func ensureFeaturePermissionV2Enabled(t *testing.T, instance *integration.Instance) {
+	ctx := instance.WithAuthorizationToken(EmptyCTX, integration.UserTypeIAMOwner)
+	f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
+		Inheritance: true,
+	})
+	require.NoError(t, err)
+	if f.PermissionCheckV2.GetEnabled() {
+		return
+	}
+	_, err = instance.Client.FeatureV2.SetInstanceFeatures(ctx, &feature.SetInstanceFeaturesRequest{
+		PermissionCheckV2: gu.Ptr(true),
+	})
+	require.NoError(t, err)
+	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, 5*time.Minute)
+	require.EventuallyWithT(t,
+		func(ttt *assert.CollectT) {
+			f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
+				Inheritance: true,
+			})
+			assert.NoError(ttt, err)
+			if f.PermissionCheckV2.GetEnabled() {
+				return
+			}
+		},
+		retryDuration,
+		tick,
+		"timed out waiting for ensuring instance feature")
+}

internal/api/grpc/authorization/v2/query.go

@@ -0,0 +1,216 @@
+package authorization
+
+import (
+	"context"
+	"errors"
+
+	"connectrpc.com/connect"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/api/grpc/filter/v2"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/pkg/grpc/authorization/v2"
+	filter_pb "github.com/zitadel/zitadel/pkg/grpc/filter/v2"
+)
+
+func (s *Server) ListAuthorizations(ctx context.Context, req *connect.Request[authorization.ListAuthorizationsRequest]) (*connect.Response[authorization.ListAuthorizationsResponse], error) {
+	queries, err := s.listAuthorizationsRequestToModel(req.Msg)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := s.query.UserGrants(ctx, queries, false, s.checkPermission)
+	if err != nil {
+		return nil, err
+	}
+	return connect.NewResponse(&authorization.ListAuthorizationsResponse{
+		Authorizations: userGrantsToPb(resp.UserGrants),
+		Pagination:     filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
+	}), nil
+}
+
+func (s *Server) listAuthorizationsRequestToModel(req *authorization.ListAuthorizationsRequest) (*query.UserGrantsQueries, error) {
+	offset, limit, asc, err := filter.PaginationPbToQuery(s.systemDefaults, req.Pagination)
+	if err != nil {
+		return nil, err
+	}
+	queries, err := AuthorizationQueriesToQuery(req.Filters)
+	if err != nil {
+		return nil, err
+	}
+	return &query.UserGrantsQueries{
+		SearchRequest: query.SearchRequest{
+			Offset:        offset,
+			Limit:         limit,
+			Asc:           asc,
+			SortingColumn: authorizationFieldNameToSortingColumn(req.GetSortingColumn()),
+		},
+		Queries: queries,
+	}, nil
+}
+
+func authorizationFieldNameToSortingColumn(field authorization.AuthorizationFieldName) query.Column {
+	switch field {
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_UNSPECIFIED:
+		return query.UserGrantCreationDate
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_CREATED_DATE:
+		return query.UserGrantCreationDate
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_CHANGED_DATE:
+		return query.UserGrantChangeDate
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_ID:
+		return query.UserGrantID
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_USER_ID:
+		return query.UserGrantUserID
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_PROJECT_ID:
+		return query.UserGrantProjectID
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_ORGANIZATION_ID:
+		return query.UserGrantResourceOwner
+	case authorization.AuthorizationFieldName_AUTHORIZATION_FIELD_NAME_USER_ORGANIZATION_ID:
+		return query.UserResourceOwnerCol
+	default:
+		return query.UserGrantCreationDate
+	}
+}
+
+func AuthorizationQueriesToQuery(queries []*authorization.AuthorizationsSearchFilter) (q []query.SearchQuery, err error) {
+	q = make([]query.SearchQuery, len(queries))
+	for i, query := range queries {
+		q[i], err = AuthorizationSearchFilterToQuery(query)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return q, nil
+}
+
+func AuthorizationSearchFilterToQuery(query *authorization.AuthorizationsSearchFilter) (query.SearchQuery, error) {
+	switch q := query.Filter.(type) {
+	case *authorization.AuthorizationsSearchFilter_AuthorizationIds:
+		return AuthorizationIDQueryToModel(q.AuthorizationIds)
+	case *authorization.AuthorizationsSearchFilter_OrganizationId:
+		return AuthorizationOrganizationIDQueryToModel(q.OrganizationId)
+	case *authorization.AuthorizationsSearchFilter_State:
+		return AuthorizationStateQueryToModel(q.State)
+	case *authorization.AuthorizationsSearchFilter_InUserIds:
+		return AuthorizationInUserIDsQueryToModel(q.InUserIds)
+	case *authorization.AuthorizationsSearchFilter_UserOrganizationId:
+		return AuthorizationUserOrganizationIDQueryToModel(q.UserOrganizationId)
+	case *authorization.AuthorizationsSearchFilter_UserPreferredLoginName:
+		return AuthorizationUserNameQueryToModel(q.UserPreferredLoginName)
+	case *authorization.AuthorizationsSearchFilter_UserDisplayName:
+		return AuthorizationDisplayNameQueryToModel(q.UserDisplayName)
+	case *authorization.AuthorizationsSearchFilter_ProjectId:
+		return AuthorizationProjectIDQueryToModel(q.ProjectId)
+	case *authorization.AuthorizationsSearchFilter_ProjectName:
+		return AuthorizationProjectNameQueryToModel(q.ProjectName)
+	case *authorization.AuthorizationsSearchFilter_RoleKey:
+		return AuthorizationRoleKeyQueryToModel(q.RoleKey)
+	case *authorization.AuthorizationsSearchFilter_ProjectGrantId:
+		return AuthorizationProjectGrantIDQueryToModel(q.ProjectGrantId)
+	default:
+		return nil, errors.New("invalid query")
+	}
+}
+
+func AuthorizationIDQueryToModel(q *filter_pb.InIDsFilter) (query.SearchQuery, error) {
+	return query.NewUserGrantInIDsSearchQuery(q.Ids)
+}
+
+func AuthorizationDisplayNameQueryToModel(q *authorization.UserDisplayNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantDisplayNameQuery(q.DisplayName, filter.TextMethodPbToQuery(q.Method))
+}
+
+func AuthorizationOrganizationIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
+	return query.NewUserGrantResourceOwnerSearchQuery(q.Id)
+}
+
+func AuthorizationProjectIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
+	return query.NewUserGrantProjectIDSearchQuery(q.Id)
+}
+
+func AuthorizationProjectNameQueryToModel(q *authorization.ProjectNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantProjectNameQuery(q.Name, filter.TextMethodPbToQuery(q.Method))
+}
+
+func AuthorizationProjectGrantIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
+	return query.NewUserGrantGrantIDSearchQuery(q.Id)
+}
+
+func AuthorizationRoleKeyQueryToModel(q *authorization.RoleKeyQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantRoleQuery(q.Key)
+}
+
+func AuthorizationUserNameQueryToModel(q *authorization.UserPreferredLoginNameQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantUsernameQuery(q.LoginName, filter.TextMethodPbToQuery(q.Method))
+}
+
+func AuthorizationInUserIDsQueryToModel(q *filter_pb.InIDsFilter) (query.SearchQuery, error) {
+	return query.NewUserGrantInUserIDsSearchQuery(q.Ids)
+}
+
+func AuthorizationUserOrganizationIDQueryToModel(q *filter_pb.IDFilter) (query.SearchQuery, error) {
+	return query.NewUserGrantUserResourceOwnerSearchQuery(q.Id)
+}
+
+func AuthorizationStateQueryToModel(q *authorization.StateQuery) (query.SearchQuery, error) {
+	return query.NewUserGrantStateQuery(domain.UserGrantState(q.State))
+}
+
+func userGrantsToPb(userGrants []*query.UserGrant) []*authorization.Authorization {
+	o := make([]*authorization.Authorization, len(userGrants))
+	for i, grant := range userGrants {
+		o[i] = userGrantToPb(grant)
+	}
+	return o
+}
+
+func userGrantToPb(userGrant *query.UserGrant) *authorization.Authorization {
+	return &authorization.Authorization{
+		Id:           userGrant.ID,
+		CreationDate: timestamppb.New(userGrant.CreationDate),
+		ChangeDate:   timestamppb.New(userGrant.ChangeDate),
+		Project: &authorization.Project{
+			Id:             userGrant.ProjectID,
+			Name:           userGrant.ProjectName,
+			OrganizationId: userGrant.ProjectResourceOwner,
+		},
+		Organization: &authorization.Organization{
+			Id:   userGrant.ResourceOwner,
+			Name: userGrant.OrgName,
+		},
+		User: &authorization.User{
+			Id:                 userGrant.UserID,
+			PreferredLoginName: userGrant.PreferredLoginName,
+			DisplayName:        userGrant.DisplayName,
+			AvatarUrl:          userGrant.AvatarURL,
+			OrganizationId:     userGrant.UserResourceOwner,
+		},
+		State: userGrantStateToPb(userGrant.State),
+		Roles: rolesToPb(userGrant.RoleInformation),
+	}
+}
+
+func rolesToPb(roles []query.Role) []*authorization.Role {
+	r := make([]*authorization.Role, len(roles))
+	for i, role := range roles {
+		r[i] = &authorization.Role{
+			Key:         role.Key,
+			DisplayName: role.DisplayName,
+			Group:       role.GroupName,
+		}
+	}
+	return r
+}
+
+func userGrantStateToPb(state domain.UserGrantState) authorization.State {
+	switch state {
+	case domain.UserGrantStateActive:
+		return authorization.State_STATE_ACTIVE
+	case domain.UserGrantStateInactive:
+		return authorization.State_STATE_INACTIVE
+	case domain.UserGrantStateUnspecified, domain.UserGrantStateRemoved:
+		return authorization.State_STATE_UNSPECIFIED
+	default:
+		return authorization.State_STATE_UNSPECIFIED
+	}
+}

internal/api/grpc/authorization/v2/server.go

@@ -0,0 +1,60 @@
+package authorization
+
+import (
+	"net/http"
+
+	"connectrpc.com/connect"
+	"google.golang.org/protobuf/reflect/protoreflect"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/config/systemdefaults"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/pkg/grpc/authorization/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/authorization/v2/authorizationconnect"
+)
+
+var _ authorizationconnect.AuthorizationServiceHandler = (*Server)(nil)
+
+type Server struct {
+	systemDefaults systemdefaults.SystemDefaults
+	command        *command.Commands
+	query          *query.Queries
+
+	checkPermission domain.PermissionCheck
+}
+
+func CreateServer(
+	systemDefaults systemdefaults.SystemDefaults,
+	command *command.Commands,
+	query *query.Queries,
+	checkPermission domain.PermissionCheck,
+) *Server {
+	return &Server{
+		systemDefaults:  systemDefaults,
+		command:         command,
+		query:           query,
+		checkPermission: checkPermission,
+	}
+}
+
+func (s *Server) RegisterConnectServer(interceptors ...connect.Interceptor) (string, http.Handler) {
+	return authorizationconnect.NewAuthorizationServiceHandler(s, connect.WithInterceptors(interceptors...))
+}
+
+func (s *Server) FileDescriptor() protoreflect.FileDescriptor {
+	return authorization.File_zitadel_authorization_v2_authorization_service_proto
+}
+
+func (s *Server) AppName() string {
+	return authorization.AuthorizationService_ServiceDesc.ServiceName
+}
+
+func (s *Server) MethodPrefix() string {
+	return authorization.AuthorizationService_ServiceDesc.ServiceName
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return authorization.AuthorizationService_AuthMethods
+}

internal/api/grpc/authorization/v2beta/integration_test/query_test.go

@@ -487,17 +487,17 @@ func createAuthorization(ctx context.Context, instance *integration.Instance, t
 	return createAuthorizationForProject(ctx, instance, t, orgID, userID, projectName, projectResp.GetId())
 }
 
-func createAuthorizationForProject(ctx context.Context, instance *integration.Instance, t *testing.T, orgID, userID, projectName, projectID string) *authorization.Authorization {
+func createAuthorizationForProject(ctx context.Context, instance *integration.Instance, t *testing.T, organizationID, userID, projectName, projectID string) *authorization.Authorization {
 	userResp, err := instance.Client.UserV2.GetUserByID(ctx, &user.GetUserByIDRequest{UserId: userID})
 	require.NoError(t, err)
 
-	authResp := instance.CreateAuthorizationProject(t, ctx, projectID, userID)
+	authResp := instance.CreateAuthorizationProject(t, ctx, projectID, userID, organizationID)
 	return &authorization.Authorization{
 		Id:                    authResp.GetId(),
 		ProjectId:             projectID,
 		ProjectName:           projectName,
-		ProjectOrganizationId: orgID,
-		OrganizationId:        orgID,
+		ProjectOrganizationId: organizationID,
+		OrganizationId:        organizationID,
 		CreationDate:          authResp.GetCreationDate(),
 		ChangeDate:            authResp.GetCreationDate(),
 		State:                 1,

internal/api/grpc/oidc/v2/integration_test/oidc_test.go

@@ -961,12 +961,12 @@ func createProjectGrant(ctx context.Context, t *testing.T, projectID, grantedOrg
 	}, retryDuration, tick)
 }
 
-func createProjectUserGrant(ctx context.Context, t *testing.T, orgID, projectID, userID string) {
-	resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID)
+func createProjectUserGrant(ctx context.Context, t *testing.T, organizationID, projectID, userID string) {
+	resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID, organizationID)
 
 	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
 	require.EventuallyWithT(t, func(collect *assert.CollectT) {
-		_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, orgID), &mgmt.GetUserGrantByIDRequest{
+		_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, organizationID), &mgmt.GetUserGrantByIDRequest{
 			UserId:  userID,
 			GrantId: resp.GetId(),
 		})

internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go

@@ -692,12 +692,12 @@ func createOIDCApplication(ctx context.Context, t *testing.T, projectRoleCheck,
 	return project.GetId(), clientV2.GetClientId()
 }
 
-func createProjectUserGrant(ctx context.Context, t *testing.T, orgID, projectID, userID string) {
-	resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID)
+func createProjectUserGrant(ctx context.Context, t *testing.T, organizationID, projectID, userID string) {
+	resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID, organizationID)
 
 	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
 	require.EventuallyWithT(t, func(collect *assert.CollectT) {
-		_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, orgID), &mgmt.GetUserGrantByIDRequest{
+		_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, organizationID), &mgmt.GetUserGrantByIDRequest{
 			UserId:  userID,
 			GrantId: resp.GetId(),
 		})

internal/api/grpc/saml/v2/integration_test/saml_test.go

@@ -715,12 +715,12 @@ func createProjectGrant(ctx context.Context, t *testing.T, projectID, grantedOrg
 	}, retryDuration, tick)
 }
 
-func createProjectUserGrant(ctx context.Context, t *testing.T, orgID, projectID, userID string) {
-	resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID)
+func createProjectUserGrant(ctx context.Context, t *testing.T, organizationID, projectID, userID string) {
+	resp := Instance.CreateAuthorizationProject(t, ctx, projectID, userID, organizationID)
 
 	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
 	require.EventuallyWithT(t, func(collect *assert.CollectT) {
-		_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, orgID), &mgmt.GetUserGrantByIDRequest{
+		_, err := Instance.Client.Mgmt.GetUserGrantByID(integration.SetOrgID(ctx, organizationID), &mgmt.GetUserGrantByIDRequest{
 			UserId:  userID,
 			GrantId: resp.GetId(),
 		})