From d590da7c7d10ef0ed3c999a5ef4591dee0d6b712 Mon Sep 17 00:00:00 2001
From: Miguel Cabrerizo <30386061+doncicuto@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:36:04 +0100
Subject: [PATCH] fix(console): display granted org name in authorizations and
 show user information (#7116)

* fix: add granted org info to user grants query response

* fix: show user info, tests and add columns to user grant

* fix: add check for org membership

* fix: typo in find logic

---------

Co-authored-by: Max Peintner <max@caos.ch>
---
 .../user-grants/user-grants.component.html    |  4 +-
 .../user-grants/user-grants.component.ts      | 24 +++++-
 console/src/assets/i18n/bg.json               |  3 +-
 console/src/assets/i18n/cs.json               |  3 +-
 console/src/assets/i18n/de.json               |  3 +-
 console/src/assets/i18n/en.json               |  3 +-
 console/src/assets/i18n/es.json               |  3 +-
 console/src/assets/i18n/fr.json               |  3 +-
 console/src/assets/i18n/it.json               |  3 +-
 console/src/assets/i18n/ja.json               |  3 +-
 console/src/assets/i18n/mk.json               |  3 +-
 console/src/assets/i18n/nl.json               |  3 +-
 console/src/assets/i18n/pl.json               |  3 +-
 console/src/assets/i18n/pt.json               |  3 +-
 console/src/assets/i18n/ru.json               |  3 +-
 console/src/assets/i18n/zh.json               |  3 +-
 internal/api/grpc/user/user_grant.go          |  3 +
 internal/query/user_grant.go                  | 54 +++++++++++-
 internal/query/user_grant_test.go             | 85 ++++++++++++++++++-
 proto/zitadel/user.proto                      | 15 ++++
 20 files changed, 208 insertions(+), 19 deletions(-)

diff --git a/console/src/app/modules/user-grants/user-grants.component.html b/console/src/app/modules/user-grants/user-grants.component.html
index 184d8b002d..efca9f74ec 100644
--- a/console/src/app/modules/user-grants/user-grants.component.html
+++ b/console/src/app/modules/user-grants/user-grants.component.html
@@ -109,7 +109,7 @@
       <ng-container matColumnDef="org">
         <th mat-header-cell *matHeaderCellDef>{{ 'PROJECT.GRANT.ORG' | translate }}</th>
         <td mat-cell *matCellDef="let grant">
-          {{ grant.orgName }}
+          {{ grant.grantedOrgName }}
         </td>
       </ng-container>
 
@@ -169,7 +169,7 @@
               <i class="las la-trash"></i>
             </button>
 
-            <button menuActions mat-menu-item [routerLink]="['/users', grant.userId]">
+            <button menuActions mat-menu-item (click)="showUser(grant)">
               {{ 'ACTIONS.TABLE.SHOWUSER' | translate: { value: grant.displayName } }}
             </button>
           </cnsl-table-actions>
diff --git a/console/src/app/modules/user-grants/user-grants.component.ts b/console/src/app/modules/user-grants/user-grants.component.ts
index f3c5521fae..4b65eb99bf 100644
--- a/console/src/app/modules/user-grants/user-grants.component.ts
+++ b/console/src/app/modules/user-grants/user-grants.component.ts
@@ -8,7 +8,7 @@ import { tap } from 'rxjs/operators';
 import { enterAnimations } from 'src/app/animations';
 import { UserGrant as AuthUserGrant } from 'src/app/proto/generated/zitadel/auth_pb';
 import { Role } from 'src/app/proto/generated/zitadel/project_pb';
-import { Type, UserGrant as MgmtUserGrant, UserGrantQuery } from 'src/app/proto/generated/zitadel/user_pb';
+import { Type, UserGrant as MgmtUserGrant, UserGrantQuery, UserGrant } from 'src/app/proto/generated/zitadel/user_pb';
 import { GrpcAuthService } from 'src/app/services/grpc-auth.service';
 import { ManagementService } from 'src/app/services/mgmt.service';
 import { ToastService } from 'src/app/services/toast.service';
@@ -18,6 +18,7 @@ import { PageEvent, PaginatorComponent } from '../paginator/paginator.component'
 import { UserGrantRoleDialogComponent } from '../user-grant-role-dialog/user-grant-role-dialog.component';
 import { WarnDialogComponent } from '../warn-dialog/warn-dialog.component';
 import { UserGrantContext, UserGrantsDataSource } from './user-grants-datasource';
+import { Org, OrgState } from 'src/app/proto/generated/zitadel/org_pb';
 
 export enum UserGrantListSearchKey {
   DISPLAY_NAME,
@@ -68,6 +69,7 @@ export class UserGrantsComponent implements OnInit, AfterViewInit {
   @Input() public type: Type | undefined = undefined;
 
   public filterOpen: boolean = false;
+  public myOrgs: Array<Org.AsObject> = [];
   constructor(
     private authService: GrpcAuthService,
     private userService: ManagementService,
@@ -115,6 +117,9 @@ export class UserGrantsComponent implements OnInit, AfterViewInit {
     }
 
     this.loadGrantsPage(this.type);
+    this.authService.listMyProjectOrgs(undefined, 0).then((orgs) => {
+      this.myOrgs = orgs.resultList;
+    });
   }
 
   public ngAfterViewInit(): void {
@@ -300,4 +305,21 @@ export class UserGrantsComponent implements OnInit, AfterViewInit {
       this.loadGrantsPage(this.type);
     }
   }
+
+  public showUser(grant: UserGrant.AsObject) {
+    const org: Org.AsObject = {
+      id: grant.grantedOrgId,
+      name: grant.grantedOrgName,
+      state: OrgState.ORG_STATE_ACTIVE,
+      primaryDomain: grant.grantedOrgDomain,
+    };
+
+    // Check if user has permissions for that org before changing active org
+    if (this.myOrgs.find((org) => org.id === grant.grantedOrgId)) {
+      this.authService.setActiveOrg(org);
+      this.router.navigate(['/users', grant.userId]);
+    } else {
+      this.toast.showInfo('GRANTS.TOAST.CANTSHOWINFO', true);
+    }
+  }
 }
diff --git a/console/src/assets/i18n/bg.json b/console/src/assets/i18n/bg.json
index d69caf8d7b..7de69dfadd 100644
--- a/console/src/assets/i18n/bg.json
+++ b/console/src/assets/i18n/bg.json
@@ -2227,7 +2227,8 @@
     "TOAST": {
       "UPDATED": "Упълномощаването е актуализирано.",
       "REMOVED": "Упълномощаването е премахнато",
-      "BULKREMOVED": "Разрешенията са премахнати."
+      "BULKREMOVED": "Разрешенията са премахнати.",
+      "CANTSHOWINFO": "Не можете да посетите профила на този потребител, тъй като не сте член на организацията, към която принадлежи този потребител"
     },
     "DIALOG": {
       "DELETE_TITLE": "Изтриване на разрешението",
diff --git a/console/src/assets/i18n/cs.json b/console/src/assets/i18n/cs.json
index 18e1455ba1..f4bdbefe63 100644
--- a/console/src/assets/i18n/cs.json
+++ b/console/src/assets/i18n/cs.json
@@ -2246,7 +2246,8 @@
     "TOAST": {
       "UPDATED": "Autorizace aktualizována.",
       "REMOVED": "Autorizace odebrána",
-      "BULKREMOVED": "Autorizace odebrány."
+      "BULKREMOVED": "Autorizace odebrány.",
+      "CANTSHOWINFO": "Nemůžete navštívit profil tohoto uživatele, protože nejste členem organizace, do které tento uživatel patří"
     },
     "DIALOG": {
       "DELETE_TITLE": "Smazat autorizaci",
diff --git a/console/src/assets/i18n/de.json b/console/src/assets/i18n/de.json
index f6fe2e7c10..c60c01d394 100644
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@@ -2236,7 +2236,8 @@
     "TOAST": {
       "UPDATED": "Berechtigung geändert.",
       "REMOVED": "Berechtigung entfernt.",
-      "BULKREMOVED": "Berechtigungen entfernt."
+      "BULKREMOVED": "Berechtigungen entfernt.",
+      "CANTSHOWINFO": "Sie können das Profil dieses Benutzers nicht besuchen, da Sie kein Mitglied der Organisation sind, zu der dieser Benutzer gehört"
     },
     "DIALOG": {
       "DELETE_TITLE": "Authorisierung löschen",
diff --git a/console/src/assets/i18n/en.json b/console/src/assets/i18n/en.json
index 440ca14292..f8466cb073 100644
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@@ -2255,7 +2255,8 @@
     "TOAST": {
       "UPDATED": "Authorization updated.",
       "REMOVED": "Authorization removed",
-      "BULKREMOVED": "Authorizations removed."
+      "BULKREMOVED": "Authorizations removed.",
+      "CANTSHOWINFO": "You cannot visit this user's profile as you are not a member of the organization where this user belongs to"
     },
     "DIALOG": {
       "DELETE_TITLE": "Delete authorization",
diff --git a/console/src/assets/i18n/es.json b/console/src/assets/i18n/es.json
index a915b8af6c..9e6c4d4334 100644
--- a/console/src/assets/i18n/es.json
+++ b/console/src/assets/i18n/es.json
@@ -2234,7 +2234,8 @@
     "TOAST": {
       "UPDATED": "Autorización actualizada.",
       "REMOVED": "Autorización eliminada",
-      "BULKREMOVED": "Autorizaciones eliminadas."
+      "BULKREMOVED": "Autorizaciones eliminadas.",
+      "CANTSHOWINFO": "No puedes visitar el perfil de este usuario porque no eres miembro de la organización a la que pertenece este usuario."
     },
     "DIALOG": {
       "DELETE_TITLE": "Borrar autorización",
diff --git a/console/src/assets/i18n/fr.json b/console/src/assets/i18n/fr.json
index 9318fc2ed1..143ec49c45 100644
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@@ -2237,7 +2237,8 @@
     "TOAST": {
       "UPDATED": "Autorisation mise à jour.",
       "REMOVED": "Autorisation supprimée",
-      "BULKREMOVED": "Autorisations supprimées."
+      "BULKREMOVED": "Autorisations supprimées.",
+      "CANTSHOWINFO": "Vous ne pouvez pas visiter le profil de cet utilisateur car vous n'êtes pas membre de l'organisation à laquelle appartient cet utilisateur."
     },
     "DIALOG": {
       "DELETE_TITLE": "Supprimer une autorisation",
diff --git a/console/src/assets/i18n/it.json b/console/src/assets/i18n/it.json
index 4e32a907d5..3921e3b232 100644
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@@ -2237,7 +2237,8 @@
     "TOAST": {
       "UPDATED": "Autorizzazione aggiornata.",
       "REMOVED": "Autorizzazione rimossa con successo.",
-      "BULKREMOVED": "Autorizzazioni rimossi con successo."
+      "BULKREMOVED": "Autorizzazioni rimossi con successo.",
+      "CANTSHOWINFO": "Non puoi visitare il profilo di questo utente poiché non sei un membro dell'organizzazione a cui appartiene questo utente"
     },
     "DIALOG": {
       "DELETE_TITLE": "Elima autorizzazione",
diff --git a/console/src/assets/i18n/ja.json b/console/src/assets/i18n/ja.json
index 81477aafb4..8518afa08a 100644
--- a/console/src/assets/i18n/ja.json
+++ b/console/src/assets/i18n/ja.json
@@ -2228,7 +2228,8 @@
     "TOAST": {
       "UPDATED": "認可が更新されました。",
       "REMOVED": "認可が削除されました",
-      "BULKREMOVED": "認可が削除されました。"
+      "BULKREMOVED": "認可が削除されました。",
+      "CANTSHOWINFO": "このユーザーが所属する組織のメンバーではないため、このユーザーのプロフィールにアクセスできません"
     },
     "DIALOG": {
       "DELETE_TITLE": "認可の削除",
diff --git a/console/src/assets/i18n/mk.json b/console/src/assets/i18n/mk.json
index ecf8e01a91..873172e1c2 100644
--- a/console/src/assets/i18n/mk.json
+++ b/console/src/assets/i18n/mk.json
@@ -2234,7 +2234,8 @@
     "TOAST": {
       "UPDATED": "Овластувањето е ажурирано.",
       "REMOVED": "Овластувањето е отстрането",
-      "BULKREMOVED": "Овластувањата се отстранети."
+      "BULKREMOVED": "Овластувањата се отстранети.",
+      "CANTSHOWINFO": "Не можете да го посетите профилот на овој корисник бидејќи не сте член на организацијата каде што припаѓа овој корисник"
     },
     "DIALOG": {
       "DELETE_TITLE": "Избриши овластување",
diff --git a/console/src/assets/i18n/nl.json b/console/src/assets/i18n/nl.json
index 88e4eae086..b6861b5347 100644
--- a/console/src/assets/i18n/nl.json
+++ b/console/src/assets/i18n/nl.json
@@ -2255,7 +2255,8 @@
     "TOAST": {
       "UPDATED": "Autorisatie bijgewerkt.",
       "REMOVED": "Autorisatie verwijderd",
-      "BULKREMOVED": "Autorisaties verwijderd."
+      "BULKREMOVED": "Autorisaties verwijderd.",
+      "CANTSHOWINFO": "U kunt het profiel van deze gebruiker niet bezoeken omdat u geen lid bent van de organisatie waartoe deze gebruiker behoort"
     },
     "DIALOG": {
       "DELETE_TITLE": "Verwijder autorisatie",
diff --git a/console/src/assets/i18n/pl.json b/console/src/assets/i18n/pl.json
index 38bc4c8093..5cc3c07e32 100644
--- a/console/src/assets/i18n/pl.json
+++ b/console/src/assets/i18n/pl.json
@@ -2237,7 +2237,8 @@
     "TOAST": {
       "UPDATED": "Autoryzacja zaktualizowana.",
       "REMOVED": "Autoryzacja usunięta",
-      "BULKREMOVED": "Autoryzacje usunięte."
+      "BULKREMOVED": "Autoryzacje usunięte.",
+      "CANTSHOWINFO": "Nie możesz odwiedzić profilu tego użytkownika, ponieważ nie jesteś członkiem organizacji, do której należy ten użytkownik"
     },
     "DIALOG": {
       "DELETE_TITLE": "Usuń autoryzację",
diff --git a/console/src/assets/i18n/pt.json b/console/src/assets/i18n/pt.json
index c82290ba89..159bb13ab4 100644
--- a/console/src/assets/i18n/pt.json
+++ b/console/src/assets/i18n/pt.json
@@ -2232,7 +2232,8 @@
     "TOAST": {
       "UPDATED": "Autorização atualizada.",
       "REMOVED": "Autorização removida",
-      "BULKREMOVED": "Autorizações removidas."
+      "BULKREMOVED": "Autorizações removidas.",
+      "CANTSHOWINFO": "Você não pode visitar o perfil deste usuário porque não é membro da organização à qual esse usuário pertence"
     },
     "DIALOG": {
       "DELETE_TITLE": "Excluir autorização",
diff --git a/console/src/assets/i18n/ru.json b/console/src/assets/i18n/ru.json
index ad8ecb96dc..7f503e1acf 100644
--- a/console/src/assets/i18n/ru.json
+++ b/console/src/assets/i18n/ru.json
@@ -2226,7 +2226,8 @@
     "TOAST": {
       "UPDATED": "Авторизация обновлена.",
       "REMOVED": "Авторизация удалена",
-      "BULKREMOVED": "Авторизации удалены."
+      "BULKREMOVED": "Авторизации удалены.",
+      "CANTSHOWINFO": "Вы не можете посетить профиль этого пользователя, поскольку вы не являетесь членом организации, к которой принадлежит этот пользователь."
     },
     "DIALOG": {
       "DELETE_TITLE": "Удалить авторизацию",
diff --git a/console/src/assets/i18n/zh.json b/console/src/assets/i18n/zh.json
index bc9d35b1a7..5dc705bb59 100644
--- a/console/src/assets/i18n/zh.json
+++ b/console/src/assets/i18n/zh.json
@@ -2236,7 +2236,8 @@
     "TOAST": {
       "UPDATED": "授权已更新。",
       "REMOVED": "已移除授权。",
-      "BULKREMOVED": "已移除授权。"
+      "BULKREMOVED": "已移除授权。",
+      "CANTSHOWINFO": "您无法访问该用户的个人资料，因为您不是该用户所属组织的成员"
     },
     "DIALOG": {
       "DELETE_TITLE": "删除授权",
diff --git a/internal/api/grpc/user/user_grant.go b/internal/api/grpc/user/user_grant.go
index 52d75326ea..f4dd099409 100644
--- a/internal/api/grpc/user/user_grant.go
+++ b/internal/api/grpc/user/user_grant.go
@@ -39,6 +39,9 @@ func UserGrantToPb(assetPrefix string, grant *query.UserGrant) *user_pb.UserGran
 		AvatarUrl:          domain.AvatarURL(assetPrefix, grant.UserResourceOwner, grant.AvatarURL),
 		PreferredLoginName: grant.PreferredLoginName,
 		UserType:           TypeToPb(grant.UserType),
+		GrantedOrgId:       grant.GrantedOrgID,
+		GrantedOrgName:     grant.GrantedOrgName,
+		GrantedOrgDomain:   grant.GrantedOrgDomain,
 		Details: object.ToViewDetailsPb(
 			grant.Sequence,
 			grant.CreationDate,
diff --git a/internal/query/user_grant.go b/internal/query/user_grant.go
index d33fb6ba46..a6d92c3eaf 100644
--- a/internal/query/user_grant.go
+++ b/internal/query/user_grant.go
@@ -48,6 +48,10 @@ type UserGrant struct {
 
 	ProjectID   string `json:"project_id,omitempty"`
 	ProjectName string `json:"project_name,omitempty"`
+
+	GrantedOrgID     string `json:"granted_org_id,omitempty"`
+	GrantedOrgName   string `json:"granted_org_name,omitempty"`
+	GrantedOrgDomain string `json:"granted_org_domain,omitempty"`
 }
 
 type UserGrants struct {
@@ -209,6 +213,23 @@ var (
 		name:  projection.UserGrantState,
 		table: userGrantTable,
 	}
+	GrantedOrgsTable = table{
+		name:          projection.OrgProjectionTable,
+		alias:         "granted_orgs",
+		instanceIDCol: projection.OrgColumnInstanceID,
+	}
+	GrantedOrgColumnId = Column{
+		name:  projection.OrgColumnID,
+		table: GrantedOrgsTable,
+	}
+	GrantedOrgColumnName = Column{
+		name:  projection.OrgColumnName,
+		table: GrantedOrgsTable,
+	}
+	GrantedOrgColumnDomain = Column{
+		name:  projection.OrgColumnDomain,
+		table: GrantedOrgsTable,
+	}
 )
 
 func (q *Queries) UserGrant(ctx context.Context, shouldTriggerBulk bool, queries ...SearchQuery) (grant *UserGrant, err error) {
@@ -301,12 +322,17 @@ func prepareUserGrantQuery(ctx context.Context, db prepareDatabase) (sq.SelectBu
 
 			UserGrantProjectID.identifier(),
 			ProjectColumnName.identifier(),
+
+			GrantedOrgColumnId.identifier(),
+			GrantedOrgColumnName.identifier(),
+			GrantedOrgColumnDomain.identifier(),
 		).
 			From(userGrantTable.identifier()).
 			LeftJoin(join(UserIDCol, UserGrantUserID)).
 			LeftJoin(join(HumanUserIDCol, UserGrantUserID)).
 			LeftJoin(join(OrgColumnID, UserGrantResourceOwner)).
 			LeftJoin(join(ProjectColumnID, UserGrantProjectID)).
+			LeftJoin(join(GrantedOrgColumnId, UserResourceOwnerCol)).
 			LeftJoin(join(LoginNameUserIDCol, UserGrantUserID) + db.Timetravel(call.Took(ctx))).
 			Where(
 				sq.Eq{LoginNameIsPrimaryCol.identifier(): true},
@@ -329,6 +355,10 @@ func prepareUserGrantQuery(ctx context.Context, db prepareDatabase) (sq.SelectBu
 				orgDomain sql.NullString
 
 				projectName sql.NullString
+
+				grantedOrgID     sql.NullString
+				grantedOrgName   sql.NullString
+				grantedOrgDomain sql.NullString
 			)
 
 			err := row.Scan(
@@ -357,6 +387,10 @@ func prepareUserGrantQuery(ctx context.Context, db prepareDatabase) (sq.SelectBu
 
 				&g.ProjectID,
 				&projectName,
+
+				&grantedOrgID,
+				&grantedOrgName,
+				&grantedOrgDomain,
 			)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
@@ -377,7 +411,9 @@ func prepareUserGrantQuery(ctx context.Context, db prepareDatabase) (sq.SelectBu
 			g.OrgName = orgName.String
 			g.OrgPrimaryDomain = orgDomain.String
 			g.ProjectName = projectName.String
-
+			g.GrantedOrgID = grantedOrgID.String
+			g.GrantedOrgName = grantedOrgName.String
+			g.GrantedOrgDomain = grantedOrgDomain.String
 			return g, nil
 		}
 }
@@ -410,6 +446,10 @@ func prepareUserGrantsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 			UserGrantProjectID.identifier(),
 			ProjectColumnName.identifier(),
 
+			GrantedOrgColumnId.identifier(),
+			GrantedOrgColumnName.identifier(),
+			GrantedOrgColumnDomain.identifier(),
+
 			countColumn.identifier(),
 		).
 			From(userGrantTable.identifier()).
@@ -417,6 +457,7 @@ func prepareUserGrantsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 			LeftJoin(join(HumanUserIDCol, UserGrantUserID)).
 			LeftJoin(join(OrgColumnID, UserGrantResourceOwner)).
 			LeftJoin(join(ProjectColumnID, UserGrantProjectID)).
+			LeftJoin(join(GrantedOrgColumnId, UserResourceOwnerCol)).
 			LeftJoin(join(LoginNameUserIDCol, UserGrantUserID) + db.Timetravel(call.Took(ctx))).
 			Where(
 				sq.Eq{LoginNameIsPrimaryCol.identifier(): true},
@@ -441,6 +482,10 @@ func prepareUserGrantsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 					orgName   sql.NullString
 					orgDomain sql.NullString
 
+					grantedOrgID     sql.NullString
+					grantedOrgName   sql.NullString
+					grantedOrgDomain sql.NullString
+
 					projectName sql.NullString
 				)
 
@@ -471,6 +516,10 @@ func prepareUserGrantsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 					&g.ProjectID,
 					&projectName,
 
+					&grantedOrgID,
+					&grantedOrgName,
+					&grantedOrgDomain,
+
 					&count,
 				)
 				if err != nil {
@@ -489,6 +538,9 @@ func prepareUserGrantsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 				g.OrgName = orgName.String
 				g.OrgPrimaryDomain = orgDomain.String
 				g.ProjectName = projectName.String
+				g.GrantedOrgID = grantedOrgID.String
+				g.GrantedOrgName = grantedOrgName.String
+				g.GrantedOrgDomain = grantedOrgDomain.String
 
 				userGrants = append(userGrants, g)
 			}
diff --git a/internal/query/user_grant_test.go b/internal/query/user_grant_test.go
index fc09ca3196..5e6ac79875 100644
--- a/internal/query/user_grant_test.go
+++ b/internal/query/user_grant_test.go
@@ -37,11 +37,15 @@ var (
 			", projections.orgs1.primary_domain" +
 			", projections.user_grants4.project_id" +
 			", projections.projects4.name" +
+			", granted_orgs.id" +
+			", granted_orgs.name" +
+			", granted_orgs.primary_domain" +
 			" FROM projections.user_grants4" +
 			" LEFT JOIN projections.users10 ON projections.user_grants4.user_id = projections.users10.id AND projections.user_grants4.instance_id = projections.users10.instance_id" +
 			" LEFT JOIN projections.users10_humans ON projections.user_grants4.user_id = projections.users10_humans.user_id AND projections.user_grants4.instance_id = projections.users10_humans.instance_id" +
 			" LEFT JOIN projections.orgs1 ON projections.user_grants4.resource_owner = projections.orgs1.id AND projections.user_grants4.instance_id = projections.orgs1.instance_id" +
 			" LEFT JOIN projections.projects4 ON projections.user_grants4.project_id = projections.projects4.id AND projections.user_grants4.instance_id = projections.projects4.instance_id" +
+			" LEFT JOIN projections.orgs1 AS granted_orgs ON projections.users10.resource_owner = granted_orgs.id AND projections.users10.instance_id = granted_orgs.instance_id" +
 			" LEFT JOIN projections.login_names3 ON projections.user_grants4.user_id = projections.login_names3.user_id AND projections.user_grants4.instance_id = projections.login_names3.instance_id" +
 			` AS OF SYSTEM TIME '-1 ms' ` +
 			" WHERE projections.login_names3.is_primary = $1")
@@ -67,7 +71,10 @@ var (
 		"name",           //org name
 		"primary_domain",
 		"project_id",
-		"name", //project name
+		"name",           // project name
+		"id",             // granted org id
+		"name",           // granted org name
+		"primary_domain", // granted org domain
 	}
 	userGrantsStmt = regexp.QuoteMeta(
 		"SELECT projections.user_grants4.id" +
@@ -92,12 +99,16 @@ var (
 			", projections.orgs1.primary_domain" +
 			", projections.user_grants4.project_id" +
 			", projections.projects4.name" +
+			", granted_orgs.id" +
+			", granted_orgs.name" +
+			", granted_orgs.primary_domain" +
 			", COUNT(*) OVER ()" +
 			" FROM projections.user_grants4" +
 			" LEFT JOIN projections.users10 ON projections.user_grants4.user_id = projections.users10.id AND projections.user_grants4.instance_id = projections.users10.instance_id" +
 			" LEFT JOIN projections.users10_humans ON projections.user_grants4.user_id = projections.users10_humans.user_id AND projections.user_grants4.instance_id = projections.users10_humans.instance_id" +
 			" LEFT JOIN projections.orgs1 ON projections.user_grants4.resource_owner = projections.orgs1.id AND projections.user_grants4.instance_id = projections.orgs1.instance_id" +
 			" LEFT JOIN projections.projects4 ON projections.user_grants4.project_id = projections.projects4.id AND projections.user_grants4.instance_id = projections.projects4.instance_id" +
+			" LEFT JOIN projections.orgs1 AS granted_orgs ON projections.users10.resource_owner = granted_orgs.id AND projections.users10.instance_id = granted_orgs.instance_id" +
 			" LEFT JOIN projections.login_names3 ON projections.user_grants4.user_id = projections.login_names3.user_id AND projections.user_grants4.instance_id = projections.login_names3.instance_id" +
 			` AS OF SYSTEM TIME '-1 ms' ` +
 			" WHERE projections.login_names3.is_primary = $1")
@@ -166,6 +177,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						"primary-domain",
 						"project-id",
 						"project-name",
+						"granted-org-id",
+						"granted-org-name",
+						"granted-org-domain",
 					},
 				),
 			},
@@ -192,6 +206,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 				OrgPrimaryDomain:   "primary-domain",
 				ProjectID:          "project-id",
 				ProjectName:        "project-name",
+				GrantedOrgID:       "granted-org-id",
+				GrantedOrgName:     "granted-org-name",
+				GrantedOrgDomain:   "granted-org-domain",
 			},
 		},
 		{
@@ -224,6 +241,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						"primary-domain",
 						"project-id",
 						"project-name",
+						"granted-org-id",
+						"granted-org-name",
+						"granted-org-domain",
 					},
 				),
 			},
@@ -250,6 +270,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 				OrgPrimaryDomain:   "primary-domain",
 				ProjectID:          "project-id",
 				ProjectName:        "project-name",
+				GrantedOrgID:       "granted-org-id",
+				GrantedOrgName:     "granted-org-name",
+				GrantedOrgDomain:   "granted-org-domain",
 			},
 		},
 		{
@@ -282,6 +305,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						nil,
 						"project-id",
 						"project-name",
+						"granted-org-id",
+						"granted-org-name",
+						"granted-org-domain",
 					},
 				),
 			},
@@ -308,6 +334,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 				OrgPrimaryDomain:   "",
 				ProjectID:          "project-id",
 				ProjectName:        "project-name",
+				GrantedOrgID:       "granted-org-id",
+				GrantedOrgName:     "granted-org-name",
+				GrantedOrgDomain:   "granted-org-domain",
 			},
 		},
 		{
@@ -340,6 +369,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						"primary-domain",
 						"project-id",
 						nil,
+						"granted-org-id",
+						"granted-org-name",
+						"granted-org-domain",
 					},
 				),
 			},
@@ -366,6 +398,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 				OrgPrimaryDomain:   "primary-domain",
 				ProjectID:          "project-id",
 				ProjectName:        "",
+				GrantedOrgID:       "granted-org-id",
+				GrantedOrgName:     "granted-org-name",
+				GrantedOrgDomain:   "granted-org-domain",
 			},
 		},
 		{
@@ -398,6 +433,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						"primary-domain",
 						"project-id",
 						"project-name",
+						"granted-org-id",
+						"granted-org-name",
+						"granted-org-domain",
 					},
 				),
 			},
@@ -424,6 +462,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 				OrgPrimaryDomain:   "primary-domain",
 				ProjectID:          "project-id",
 				ProjectName:        "project-name",
+				GrantedOrgID:       "granted-org-id",
+				GrantedOrgName:     "granted-org-name",
+				GrantedOrgDomain:   "granted-org-domain",
 			},
 		},
 		{
@@ -486,6 +527,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 							"primary-domain",
 							"project-id",
 							"project-name",
+							"granted-org-id",
+							"granted-org-name",
+							"granted-org-domain",
 						},
 					},
 				),
@@ -518,6 +562,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						OrgPrimaryDomain:   "primary-domain",
 						ProjectID:          "project-id",
 						ProjectName:        "project-name",
+						GrantedOrgID:       "granted-org-id",
+						GrantedOrgName:     "granted-org-name",
+						GrantedOrgDomain:   "granted-org-domain",
 					},
 				},
 			},
@@ -553,6 +600,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 							"primary-domain",
 							"project-id",
 							"project-name",
+							"granted-org-id",
+							"granted-org-name",
+							"granted-org-domain",
 						},
 					},
 				),
@@ -585,6 +635,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						OrgPrimaryDomain:   "primary-domain",
 						ProjectID:          "project-id",
 						ProjectName:        "project-name",
+						GrantedOrgID:       "granted-org-id",
+						GrantedOrgName:     "granted-org-name",
+						GrantedOrgDomain:   "granted-org-domain",
 					},
 				},
 			},
@@ -620,6 +673,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 							nil,
 							"project-id",
 							"project-name",
+							"granted-org-id",
+							"granted-org-name",
+							"granted-org-domain",
 						},
 					},
 				),
@@ -652,6 +708,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						OrgPrimaryDomain:   "",
 						ProjectID:          "project-id",
 						ProjectName:        "project-name",
+						GrantedOrgID:       "granted-org-id",
+						GrantedOrgName:     "granted-org-name",
+						GrantedOrgDomain:   "granted-org-domain",
 					},
 				},
 			},
@@ -687,6 +746,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 							"primary-domain",
 							"project-id",
 							nil,
+							"granted-org-id",
+							"granted-org-name",
+							"granted-org-domain",
 						},
 					},
 				),
@@ -719,6 +781,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						OrgPrimaryDomain:   "primary-domain",
 						ProjectID:          "project-id",
 						ProjectName:        "",
+						GrantedOrgID:       "granted-org-id",
+						GrantedOrgName:     "granted-org-name",
+						GrantedOrgDomain:   "granted-org-domain",
 					},
 				},
 			},
@@ -754,6 +819,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 							"primary-domain",
 							"project-id",
 							"project-name",
+							"granted-org-id",
+							"granted-org-name",
+							"granted-org-domain",
 						},
 					},
 				),
@@ -786,6 +854,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						OrgPrimaryDomain:   "primary-domain",
 						ProjectID:          "project-id",
 						ProjectName:        "project-name",
+						GrantedOrgID:       "granted-org-id",
+						GrantedOrgName:     "granted-org-name",
+						GrantedOrgDomain:   "granted-org-domain",
 					},
 				},
 			},
@@ -821,6 +892,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 							"primary-domain",
 							"project-id",
 							"project-name",
+							"granted-org-id",
+							"granted-org-name",
+							"granted-org-domain",
 						},
 						{
 							"id",
@@ -845,6 +919,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 							"primary-domain",
 							"project-id",
 							"project-name",
+							"granted-org-id",
+							"granted-org-name",
+							"granted-org-domain",
 						},
 					},
 				),
@@ -877,6 +954,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						OrgPrimaryDomain:   "primary-domain",
 						ProjectID:          "project-id",
 						ProjectName:        "project-name",
+						GrantedOrgID:       "granted-org-id",
+						GrantedOrgName:     "granted-org-name",
+						GrantedOrgDomain:   "granted-org-domain",
 					},
 					{
 						ID:                 "id",
@@ -901,6 +981,9 @@ func Test_UserGrantPrepares(t *testing.T) {
 						OrgPrimaryDomain:   "primary-domain",
 						ProjectID:          "project-id",
 						ProjectName:        "project-name",
+						GrantedOrgID:       "granted-org-id",
+						GrantedOrgName:     "granted-org-name",
+						GrantedOrgDomain:   "granted-org-domain",
 					},
 				},
 			},
diff --git a/proto/zitadel/user.proto b/proto/zitadel/user.proto
index 40d89cb2f0..09dc74ab5f 100644
--- a/proto/zitadel/user.proto
+++ b/proto/zitadel/user.proto
@@ -786,6 +786,21 @@ message UserGrant {
             description: "type of the user (human / machine)"
         }
     ];
+    string granted_org_id = 20 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"69629023906488334\""
+        }
+    ];
+    string granted_org_name = 21 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"ZITADEL\"";
+        }
+    ];
+    string granted_org_domain = 22 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"zitadel.cloud\"";
+        }
+    ];
 }
 
 enum UserGrantState {