Merge branch 'main' into docs-oidc-playground-rel

cmd/setup/setup.go

@@ -180,33 +180,6 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
 
-	repeatableSteps := []migration.RepeatableMigration{
-		&externalConfigChange{
-			es:             eventstoreClient,
-			ExternalDomain: config.ExternalDomain,
-			ExternalPort:   config.ExternalPort,
-			ExternalSecure: config.ExternalSecure,
-			defaults:       config.SystemDefaults,
-		},
-		&projectionTables{
-			es:      eventstoreClient,
-			Version: build.Version(),
-		},
-		&DeleteStaleOrgFields{
-			eventstore: eventstoreClient,
-		},
-		&FillFieldsForInstanceDomains{
-			eventstore: eventstoreClient,
-		},
-		&SyncRolePermissions{
-			eventstore:             eventstoreClient,
-			rolePermissionMappings: config.InternalAuthZ.RolePermissionMappings,
-		},
-		&RiverMigrateRepeatable{
-			client: dbClient,
-		},
-	}
-
 	for _, step := range []migration.Migration{
 		steps.s14NewEventsTable,
 		steps.s40InitPushFunc,
@@ -214,6 +187,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s2AssetsTable,
 		steps.s28AddFieldTable,
 		steps.s31AddAggregateIndexToFields,
+		steps.s46InitPermissionFunctions,
 		steps.FirstInstance,
 		steps.s5LastFailed,
 		steps.s6OwnerRemoveColumns,
@@ -238,7 +212,6 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s38BackChannelLogoutNotificationStart,
 		steps.s44ReplaceCurrentSequencesIndex,
 		steps.s45CorrectProjectOwners,
-		steps.s46InitPermissionFunctions,
 		steps.s47FillMembershipFields,
 		steps.s49InitPermittedOrgsFunction,
 		steps.s50IDPTemplate6UsePKCE,
@@ -246,6 +219,36 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		mustExecuteMigration(ctx, eventstoreClient, step, "migration failed")
 	}
 
+	commands, _, _, _ := startCommandsQueries(ctx, eventstoreClient, eventstoreV4, dbClient, masterKey, config)
+
+	repeatableSteps := []migration.RepeatableMigration{
+		&externalConfigChange{
+			es:             eventstoreClient,
+			ExternalDomain: config.ExternalDomain,
+			ExternalPort:   config.ExternalPort,
+			ExternalSecure: config.ExternalSecure,
+			defaults:       config.SystemDefaults,
+		},
+		&projectionTables{
+			es:      eventstoreClient,
+			Version: build.Version(),
+		},
+		&DeleteStaleOrgFields{
+			eventstore: eventstoreClient,
+		},
+		&FillFieldsForInstanceDomains{
+			eventstore: eventstoreClient,
+		},
+		&SyncRolePermissions{
+			commands:               commands,
+			eventstore:             eventstoreClient,
+			rolePermissionMappings: config.InternalAuthZ.RolePermissionMappings,
+		},
+		&RiverMigrateRepeatable{
+			client: dbClient,
+		},
+	}
+
 	for _, repeatableStep := range repeatableSteps {
 		mustExecuteMigration(ctx, eventstoreClient, repeatableStep, "unable to migrate repeatable step")
 	}
@@ -271,11 +274,6 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		initProjections(
 			ctx,
 			eventstoreClient,
-			eventstoreV4,
-			dbClient,
-			dbClient,
-			masterKey,
-			config,
 		)
 	}
 }
@@ -336,18 +334,20 @@ func readStatements(fs embed.FS, folder, typ string) ([]statement, error) {
 	return statements, nil
 }
 
-func initProjections(
+func startCommandsQueries(
 	ctx context.Context,
 	eventstoreClient *eventstore.Eventstore,
 	eventstoreV4 *es_v4.EventStore,
-	queryDBClient,
-	projectionDBClient *database.DB,
+	dbClient *database.DB,
 	masterKey string,
 	config *Config,
+) (
+	*command.Commands,
+	*query.Queries,
+	*admin_view.View,
+	*auth_view.View,
 ) {
-	logging.Info("init-projections is currently in beta")
-
-	keyStorage, err := cryptoDB.NewKeyStorage(queryDBClient, masterKey)
+	keyStorage, err := cryptoDB.NewKeyStorage(dbClient, masterKey)
 	logging.OnError(err).Fatal("unable to start key storage")
 
 	keys, err := encryption.EnsureEncryptionKeys(ctx, config.EncryptionKeys, keyStorage)
@@ -355,7 +355,7 @@ func initProjections(
 
 	err = projection.Create(
 		ctx,
-		queryDBClient,
+		dbClient,
 		eventstoreClient,
 		projection.Config{
 			RetryFailedAfter: config.InitProjections.RetryFailedAfter,
@@ -367,19 +367,15 @@ func initProjections(
 		config.SystemAPIUsers,
 	)
 	logging.OnError(err).Fatal("unable to start projections")
-	for _, p := range projection.Projections() {
-		err := migration.Migrate(ctx, eventstoreClient, p)
-		logging.WithFields("name", p.String()).OnError(err).Fatal("migration failed")
-	}
 
-	staticStorage, err := config.AssetStorage.NewStorage(queryDBClient.DB)
+	staticStorage, err := config.AssetStorage.NewStorage(dbClient.DB)
 	logging.OnError(err).Fatal("unable to start asset storage")
 
-	adminView, err := admin_view.StartView(queryDBClient)
+	adminView, err := admin_view.StartView(dbClient)
 	logging.OnError(err).Fatal("unable to start admin view")
 	admin_handler.Register(ctx,
 		admin_handler.Config{
-			Client:                queryDBClient,
+			Client:                dbClient,
 			Eventstore:            eventstoreClient,
 			BulkLimit:             config.InitProjections.BulkLimit,
 			FailureCountUntilSkip: uint64(config.InitProjections.MaxFailureCount),
@@ -387,22 +383,18 @@ func initProjections(
 		adminView,
 		staticStorage,
 	)
-	for _, p := range admin_handler.Projections() {
-		err := migration.Migrate(ctx, eventstoreClient, p)
-		logging.WithFields("name", p.String()).OnError(err).Fatal("migration failed")
-	}
 
 	sessionTokenVerifier := internal_authz.SessionTokenVerifier(keys.OIDC)
 
-	cacheConnectors, err := connector.StartConnectors(config.Caches, queryDBClient)
+	cacheConnectors, err := connector.StartConnectors(config.Caches, dbClient)
 	logging.OnError(err).Fatal("unable to start caches")
 
 	queries, err := query.StartQueries(
 		ctx,
 		eventstoreClient,
 		eventstoreV4.Querier,
-		queryDBClient,
-		projectionDBClient,
+		dbClient,
+		dbClient,
 		cacheConnectors,
 		config.Projections,
 		config.SystemDefaults,
@@ -424,11 +416,11 @@ func initProjections(
 	)
 	logging.OnError(err).Fatal("unable to start queries")
 
-	authView, err := auth_view.StartView(queryDBClient, keys.OIDC, queries, eventstoreClient)
+	authView, err := auth_view.StartView(dbClient, keys.OIDC, queries, eventstoreClient)
 	logging.OnError(err).Fatal("unable to start admin view")
 	auth_handler.Register(ctx,
 		auth_handler.Config{
-			Client:                queryDBClient,
+			Client:                dbClient,
 			Eventstore:            eventstoreClient,
 			BulkLimit:             config.InitProjections.BulkLimit,
 			FailureCountUntilSkip: uint64(config.InitProjections.MaxFailureCount),
@@ -436,16 +428,13 @@ func initProjections(
 		authView,
 		queries,
 	)
-	for _, p := range auth_handler.Projections() {
-		err := migration.Migrate(ctx, eventstoreClient, p)
-		logging.WithFields("name", p.String()).OnError(err).Fatal("migration failed")
-	}
 
-	authZRepo, err := authz.Start(queries, eventstoreClient, queryDBClient, keys.OIDC, config.ExternalSecure)
+	authZRepo, err := authz.Start(queries, eventstoreClient, dbClient, keys.OIDC, config.ExternalSecure)
 	logging.OnError(err).Fatal("unable to start authz repo")
 	permissionCheck := func(ctx context.Context, permission, orgID, resourceID string) (err error) {
 		return internal_authz.CheckPermission(ctx, authZRepo, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
 	}
+
 	commands, err := command.StartCommands(ctx,
 		eventstoreClient,
 		cacheConnectors,
@@ -477,6 +466,7 @@ func initProjections(
 		config.DefaultInstance.SecretGenerators,
 	)
 	logging.OnError(err).Fatal("unable to start commands")
+
 	notify_handler.Register(
 		ctx,
 		config.Projections.Customizations["notifications"],
@@ -498,8 +488,33 @@ func initProjections(
 		keys.SMS,
 		keys.OIDC,
 		config.OIDC.DefaultBackChannelLogoutLifetime,
-		queryDBClient,
+		dbClient,
 	)
+
+	return commands, queries, adminView, authView
+}
+
+func initProjections(
+	ctx context.Context,
+	eventstoreClient *eventstore.Eventstore,
+) {
+	logging.Info("init-projections is currently in beta")
+
+	for _, p := range projection.Projections() {
+		err := migration.Migrate(ctx, eventstoreClient, p)
+		logging.WithFields("name", p.String()).OnError(err).Fatal("migration failed")
+	}
+
+	for _, p := range admin_handler.Projections() {
+		err := migration.Migrate(ctx, eventstoreClient, p)
+		logging.WithFields("name", p.String()).OnError(err).Fatal("migration failed")
+	}
+
+	for _, p := range auth_handler.Projections() {
+		err := migration.Migrate(ctx, eventstoreClient, p)
+		logging.WithFields("name", p.String()).OnError(err).Fatal("migration failed")
+	}
+
 	for _, p := range notify_handler.Projections() {
 		err := migration.Migrate(ctx, eventstoreClient, p)
 		logging.WithFields("name", p.String()).OnError(err).Fatal("migration failed")

cmd/setup/sync_role_permissions.go

@@ -2,29 +2,22 @@ package setup
 
 import (
 	"context"
-	"database/sql"
 	_ "embed"
 	"fmt"
-	"strings"
 
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/instance"
-	"github.com/zitadel/zitadel/internal/repository/permission"
-)
-
-var (
-	//go:embed sync_role_permissions.sql
-	getRolePermissionOperationsQuery string
 )
 
 // SyncRolePermissions is a repeatable step which synchronizes the InternalAuthZ
 // RolePermissionMappings from the configuration to the database.
 // This is needed until role permissions are manageable over the API.
 type SyncRolePermissions struct {
+	commands               *command.Commands
 	eventstore             *eventstore.Eventstore
 	rolePermissionMappings []authz.RoleMapping
 }
@@ -38,18 +31,11 @@ func (mig *SyncRolePermissions) Execute(ctx context.Context, _ eventstore.Event)
 
 func (mig *SyncRolePermissions) executeSystem(ctx context.Context) error {
 	logging.WithFields("migration", mig.String()).Info("prepare system role permission sync events")
-
-	target := rolePermissionMappingsToDatabaseMap(mig.rolePermissionMappings, true)
-	cmds, err := mig.synchronizeCommands(ctx, "SYSTEM", target)
+	details, err := mig.commands.SynchronizeRolePermission(ctx, "SYSTEM", mig.rolePermissionMappings)
 	if err != nil {
 		return err
 	}
-	events, err := mig.eventstore.Push(ctx, cmds...)
-	if err != nil {
-		return err
-	}
-
-	logging.WithFields("migration", mig.String(), "pushed_events", len(events)).Info("pushed system role permission sync events")
+	logging.WithFields("migration", mig.String(), "sequence", details.Sequence).Info("pushed system role permission sync events")
 	return nil
 }
 
@@ -70,51 +56,17 @@ func (mig *SyncRolePermissions) executeInstances(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	target := rolePermissionMappingsToDatabaseMap(mig.rolePermissionMappings, false)
 	for i, instanceID := range instances {
 		logging.WithFields("instance_id", instanceID, "migration", mig.String(), "progress", fmt.Sprintf("%d/%d", i+1, len(instances))).Info("prepare instance role permission sync events")
-		cmds, err := mig.synchronizeCommands(ctx, instanceID, target)
+		details, err := mig.commands.SynchronizeRolePermission(ctx, instanceID, mig.rolePermissionMappings)
 		if err != nil {
 			return err
 		}
-		events, err := mig.eventstore.Push(ctx, cmds...)
-		if err != nil {
-			return err
-		}
-		logging.WithFields("instance_id", instanceID, "migration", mig.String(), "pushed_events", len(events)).Info("pushed instance role permission sync events")
+		logging.WithFields("instance_id", instanceID, "migration", mig.String(), "sequence", details.Sequence).Info("pushed instance role permission sync events")
 	}
 	return nil
 }
 
-// synchronizeCommands checks the current state of role permissions in the eventstore for the aggregate.
-// It returns the commands required to reach the desired state passed in target.
-// For system level permissions aggregateID must be set to `SYSTEM`,
-// else it is the instance ID.
-func (mig *SyncRolePermissions) synchronizeCommands(ctx context.Context, aggregateID string, target database.Map[[]string]) (cmds []eventstore.Command, err error) {
-	aggregate := permission.NewAggregate(aggregateID)
-	err = mig.eventstore.Client().QueryContext(ctx, func(rows *sql.Rows) error {
-		for rows.Next() {
-			var operation, role, perm string
-			if err := rows.Scan(&operation, &role, &perm); err != nil {
-				return err
-			}
-			logging.WithFields("aggregate_id", aggregateID, "migration", mig.String(), "operation", operation, "role", role, "permission", perm).Debug("sync role permission")
-			switch operation {
-			case "add":
-				cmds = append(cmds, permission.NewAddedEvent(ctx, aggregate, role, perm))
-			case "remove":
-				cmds = append(cmds, permission.NewRemovedEvent(ctx, aggregate, role, perm))
-			}
-		}
-		return rows.Close()
-
-	}, getRolePermissionOperationsQuery, aggregateID, target)
-	if err != nil {
-		return nil, err
-	}
-	return cmds, err
-}
-
 func (*SyncRolePermissions) String() string {
 	return "repeatable_sync_role_permissions"
 }
@@ -122,13 +74,3 @@ func (*SyncRolePermissions) String() string {
 func (*SyncRolePermissions) Check(lastRun map[string]interface{}) bool {
 	return true
 }
-
-func rolePermissionMappingsToDatabaseMap(mappings []authz.RoleMapping, system bool) database.Map[[]string] {
-	out := make(database.Map[[]string], len(mappings))
-	for _, m := range mappings {
-		if system == strings.HasPrefix(m.Role, "SYSTEM") {
-			out[m.Role] = m.Permissions
-		}
-	}
-	return out
-}

console/src/assets/i18n/bg.json

@@ -511,11 +511,13 @@
     "ORG_OWNER": "Има разрешение за цялата организация",
     "ORG_USER_MANAGER": "Има разрешение да създава и управлява потребители на организацията",
     "ORG_OWNER_VIEWER": "Има разрешение за преглед на цялата организация",
+    "ORG_SETTINGS_MANAGER": "Има разрешение за управление на настройките на организацията",
     "ORG_USER_PERMISSION_EDITOR": "Има разрешение за управление на потребителски безвъзмездни средства",
     "ORG_PROJECT_PERMISSION_EDITOR": "Има разрешение за управление на грантове по проекти",
     "ORG_PROJECT_CREATOR": "Има разрешение да създава свои собствени проекти и основни настройки",
     "ORG_ADMIN_IMPERSONATOR": "Има разрешение да се представя за администратор и крайни потребители от организацията",
     "ORG_END_USER_IMPERSONATOR": "Има разрешение да се представя за крайни потребители от организацията",
+    "ORG_USER_SELF_MANAGER": "Има разрешение да управлява собствените си потребители",
     "PROJECT_OWNER": "Има разрешение върху целия проект",
     "PROJECT_OWNER_VIEWER": "Има разрешение за преглед на целия проект",
     "PROJECT_OWNER_GLOBAL": "Има разрешение върху целия проект",

console/src/assets/i18n/cs.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Má oprávnění nad celou organizací",
     "ORG_USER_MANAGER": "Má oprávnění vytvářet a spravovat uživatele organizace",
     "ORG_OWNER_VIEWER": "Má oprávnění prohlížet celou organizaci",
+    "ORG_SETTINGS_MANAGER": "Má oprávnění spravovat nastavení organizace",
     "ORG_USER_PERMISSION_EDITOR": "Má oprávnění spravovat uživatelská pověření",
     "ORG_PROJECT_PERMISSION_EDITOR": "Má oprávnění spravovat pověření projektu",
     "ORG_PROJECT_CREATOR": "Má oprávnění vytvářet své vlastní projekty a podřízená nastavení",
     "ORG_ADMIN_IMPERSONATOR": "Má oprávnění vydávat se za správce a koncové uživatele z organizace",
     "ORG_END_USER_IMPERSONATOR": "Má oprávnění vydávat se za koncové uživatele z organizace",
+    "ORG_USER_SELF_MANAGER": "Má oprávnění spravovat svůj vlastní uživatelský účet",
     "PROJECT_OWNER": "Má oprávnění nad celým projektem",
     "PROJECT_OWNER_VIEWER": "Má oprávnění prohlížet celý projekt",
     "PROJECT_OWNER_GLOBAL": "Má oprávnění nad celým projektem",

console/src/assets/i18n/de.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Hat die Berechtigung für die gesamte Organisation",
     "ORG_USER_MANAGER": "Hat die Berechtigung, Benutzer der Organisation zu erstellen und zu verwalten",
     "ORG_OWNER_VIEWER": "Hat die Leseberechtigung, die gesamte Organisation zu überprüfen",
+    "ORG_SETTINGS_MANAGER": "Hat die Berechtigung, die Einstellungen der Organisation zu verwalten",
     "ORG_USER_PERMISSION_EDITOR": "Verfügt über die Berechtigung zum Verwalten von User grants",
     "ORG_PROJECT_PERMISSION_EDITOR": "Hat die Berechtigung, Projektberechtigungen für externe Organisationen zu verwalten",
     "ORG_PROJECT_CREATOR": "Hat die Berechtigung, seine eigenen Projekte und dessen Einstellungen zu erstellen",
     "ORG_ADMIN_IMPERSONATOR": "Hat die Berechtigung, sich als Administrator und Endbenutzer der Organisation auszugeben",
     "ORG_END_USER_IMPERSONATOR": "Hat die Berechtigung, sich als Endbenutzer der Organisation auszugeben",
+    "ORG_USER_SELF_MANAGER": "Hat die Berechtigung, seinen eigenen Benutzer zu verwalten",
     "PROJECT_OWNER": "Hat die Berechtigung für das gesamte Projekt",
     "PROJECT_OWNER_VIEWER": "Hat die Leseberechtigung, das gesamte Projekt zu überprüfen",
     "PROJECT_OWNER_GLOBAL": "Hat die Berechtigung für das gesamte Projekt",

console/src/assets/i18n/en.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Has permission over the whole organization",
     "ORG_USER_MANAGER": "Has permission to create and manage users of the organization",
     "ORG_OWNER_VIEWER": "Has permission to review the whole organization",
+    "ORG_SETTINGS_MANAGER": "Has permission to manage organization settings",
     "ORG_USER_PERMISSION_EDITOR": "Has permission to manage user grants",
     "ORG_PROJECT_PERMISSION_EDITOR": "Has permission to manage project grants",
     "ORG_PROJECT_CREATOR": "Has permission to create his own projects and underlying settings",
     "ORG_ADMIN_IMPERSONATOR": "Has permission to impersonate admin and end users from the organization",
     "ORG_END_USER_IMPERSONATOR": "Has permission to impersonate end users from the organization",
+    "ORG_USER_SELF_MANAGER": "Has permission to manage their own user",
     "PROJECT_OWNER": "Has permission over the whole project",
     "PROJECT_OWNER_VIEWER": "Has permission to review the whole project",
     "PROJECT_OWNER_GLOBAL": "Has permission over the whole project",

console/src/assets/i18n/es.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Tiene permisos sobre toda la organización",
     "ORG_USER_MANAGER": "Tiene permiso para crear y gestionar usuarios de la organización",
     "ORG_OWNER_VIEWER": "TIene permiso para revisar toda la organización",
+    "ORG_SETTINGS_MANAGER": "Tiene permiso para gestionar las configuraciones de la organización",
     "ORG_USER_PERMISSION_EDITOR": "Tiene permiso para gestionar concesiones de usuario",
     "ORG_PROJECT_PERMISSION_EDITOR": "Tiene permiso para gestionar concesiones de proyecto",
     "ORG_PROJECT_CREATOR": "Tiene permiso para crear sus propios proyectos y ajustes subyacentes",
     "ORG_ADMIN_IMPERSONATOR": "Tiene permiso para hacerse pasar por administradores y usuarios finales de la organización",
     "ORG_END_USER_IMPERSONATOR": "Tiene permiso para hacerse pasar por usuarios finales de la organización",
+    "ORG_USER_SELF_MANAGER": "Tiene permiso para gestionar su propio usuario",
     "PROJECT_OWNER": "Tiene permiso sobre todo el proyecto",
     "PROJECT_OWNER_VIEWER": "Tiene permiso para revisar todo el proyecto",
     "PROJECT_OWNER_GLOBAL": "Tiene permiso sobre todo el proyecto",

console/src/assets/i18n/fr.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "A le droit de contrôler l'ensemble de l'organisation",
     "ORG_USER_MANAGER": "A le droit de créer et de gérer les utilisateurs de l'organisation",
     "ORG_OWNER_VIEWER": "A le droit de passer en revue l'ensemble de l'organisation",
+    "ORG_SETTINGS_MANAGER": "A le droit de gérer les paramètres de l'organisation",
     "ORG_USER_PERMISSION_EDITOR": "A le droit d'octroyer des droits aux utilisateurs",
     "ORG_PROJECT_PERMISSION_EDITOR": "A le droit d'octroyer des droits aux projets",
     "ORG_PROJECT_CREATOR": "A le droit de créer ses propres projets et leurs paramètres sous-jacents.",
     "ORG_ADMIN_IMPERSONATOR": "A l'autorisation de se faire passer pour l'administrateur et les utilisateurs finaux de l'organisation",
     "ORG_END_USER_IMPERSONATOR": "Est autorisé à usurper l'identité des utilisateurs finaux de l'organisation",
+    "ORG_USER_SELF_MANAGER": "A le droit de gérer ses propres utilisateurs",
     "PROJECT_OWNER": "A le droit de gérer l'ensemble du projet",
     "PROJECT_OWNER_VIEWER": "A le droit de passer en revue l'ensemble du projet",
     "PROJECT_OWNER_GLOBAL": "A le droit d'accéder à l'ensemble du projet",

console/src/assets/i18n/hu.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Engedélye van az egész szervezet fölött",
     "ORG_USER_MANAGER": "Engedélye van a szervezet felhasználóinak létrehozására és kezelésére",
     "ORG_OWNER_VIEWER": "Engedélye van az egész szervezet áttekintésére",
+    "ORG_SETTINGS_MANAGER": "Engedélye van a szervezet beállításainak kezelésére",
     "ORG_USER_PERMISSION_EDITOR": "Engedélye van a felhasználói jogok kezelésére",
     "ORG_PROJECT_PERMISSION_EDITOR": "Engedélye van a projektjogosultságok kezelésére",
     "ORG_PROJECT_CREATOR": "Engedélye van saját projektek és alapbeállítások létrehozására",
     "ORG_ADMIN_IMPERSONATOR": "Engedélye van a szervezet adminisztrátorainak és véghasználóinak megszemélyesítésére",
     "ORG_END_USER_IMPERSONATOR": "Engedélye van a szervezet véghasználóinak megszemélyesítésére",
+    "ORG_USER_SELF_MANAGER": "Engedélye van a saját felhasználói fiókjaidat kezelésére",
     "PROJECT_OWNER": "Engedélye van az egész projekt fölött",
     "PROJECT_OWNER_VIEWER": "Jogosultságod van a teljes projekt átnézésére.",
     "PROJECT_OWNER_GLOBAL": "Jogosultságod van a teljes projektre.",

console/src/assets/i18n/id.json

@@ -479,11 +479,13 @@
     "ORG_OWNER": "Memiliki izin atas seluruh organisasi",
     "ORG_USER_MANAGER": "Memiliki izin untuk membuat dan mengelola pengguna organisasi",
     "ORG_OWNER_VIEWER": "Memiliki izin untuk meninjau seluruh organisasi",
+    "ORG_SETTINGS_MANAGER": "Memiliki izin untuk mengelola pengaturan organisasi",
     "ORG_USER_PERMISSION_EDITOR": "Memiliki izin untuk mengelola izin pengguna",
     "ORG_PROJECT_PERMISSION_EDITOR": "Memiliki izin untuk mengelola hibah proyek",
     "ORG_PROJECT_CREATOR": "Memiliki izin untuk membuat proyeknya sendiri dan pengaturan yang mendasarinya",
     "ORG_ADMIN_IMPERSONATOR": "Memiliki izin untuk menyamar sebagai admin dan pengguna akhir dari organisasi",
     "ORG_END_USER_IMPERSONATOR": "Memiliki izin untuk meniru identitas pengguna akhir dari organisasi",
+    "ORG_USER_SELF_MANAGER": "Memiliki izin untuk mengelola pengguna sendiri",
     "PROJECT_OWNER": "Memiliki izin atas keseluruhan proyek",
     "PROJECT_OWNER_VIEWER": "Memiliki izin untuk meninjau keseluruhan proyek",
     "PROJECT_OWNER_GLOBAL": "Memiliki izin atas keseluruhan proyek",

console/src/assets/i18n/it.json

@@ -511,11 +511,13 @@
     "ORG_OWNER": "Ha il permesso su tutta l'organizzazione",
     "ORG_USER_MANAGER": "Ha l'autorizzazione per creare e gestire gli utenti dell'organizzazione",
     "ORG_OWNER_VIEWER": "Ha il permesso di esaminare l'intera organizzazione",
+    "ORG_SETTINGS_MANAGER": "Ha il permesso di gestire le impostazioni dell'organizzazione",
     "ORG_USER_PERMISSION_EDITOR": "Ha l'autorizzazione per gestire le autorizzazioni degli utenti",
     "ORG_PROJECT_PERMISSION_EDITOR": "Ha il permesso di gestire le sovvenzioni di progetto (Project Grant)",
     "ORG_PROJECT_CREATOR": "Ha il permesso di creare propri progetti e le impostazioni sottostanti",
     "ORG_ADMIN_IMPERSONATOR": "Ha il permesso per rappresentare l'amministratore e gli utenti finali dell'organizzazione",
     "ORG_END_USER_IMPERSONATOR": "Ha il permesso per rappresentare gli utenti finali dell'organizzazione",
+    "ORG_USER_SELF_MANAGER": "Ha il permesso per gestire il proprio account utente",
     "PROJECT_OWNER": "Ha il permesso per l'intero progetto",
     "PROJECT_OWNER_VIEWER": "Ha il permesso di esaminare l'intero progetto",
     "PROJECT_OWNER_GLOBAL": "Ha il permesso per l'intero progetto",

console/src/assets/i18n/ja.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "組織全体に対する権限を持ちます",
     "ORG_USER_MANAGER": "組織のユーザーを作成および管理する権限を持ちます",
     "ORG_OWNER_VIEWER": "組織全体を閲覧する権限を持ちます",
+    "ORG_SETTINGS_MANAGER": "組織の設定を管理する権限を持ちます",
     "ORG_USER_PERMISSION_EDITOR": "ユーザーグラントを管理する権限を持ちます",
     "ORG_PROJECT_PERMISSION_EDITOR": "プロジェクトグラントを管理する権限を持ちます",
     "ORG_PROJECT_CREATOR": "所有するプロジェクトと配下の設定を作成する権限を持ちます",
     "ORG_ADMIN_IMPERSONATOR": "組織の管理者およびエンドユーザーになりすます権限がある",
     "ORG_END_USER_IMPERSONATOR": "組織のエンドユーザーになりすます権限がある",
+    "ORG_USER_SELF_MANAGER": "自身を管理する権限がある",
     "PROJECT_OWNER": "特定のプロジェクト全体を管理する権限を持ちます",
     "PROJECT_OWNER_VIEWER": "特定のプロジェクト全体を閲覧する権限を持ちます",
     "PROJECT_OWNER_GLOBAL": "全てのプロジェクトを管理する権限を持ちます",

console/src/assets/i18n/ko.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "조직에 대한 전체 권한이 있습니다",
     "ORG_USER_MANAGER": "조직의 사용자를 생성하고 관리할 수 있는 권한이 있습니다",
     "ORG_OWNER_VIEWER": "조직 전체를 검토할 수 있는 권한이 있습니다",
+    "ORG_SETTINGS_MANAGER": "조직 설정을 관리할 수 있는 권한이 있습니다",
     "ORG_USER_PERMISSION_EDITOR": "사용자 권한을 관리할 수 있는 권한이 있습니다",
     "ORG_PROJECT_PERMISSION_EDITOR": "프로젝트 권한을 관리할 수 있는 권한이 있습니다",
     "ORG_PROJECT_CREATOR": "자신의 프로젝트와 하위 설정을 생성할 수 있는 권한이 있습니다",
     "ORG_ADMIN_IMPERSONATOR": "조직의 관리자 및 최종 사용자를 대리할 수 있는 권한이 있습니다",
     "ORG_END_USER_IMPERSONATOR": "조직의 최종 사용자를 대리할 수 있는 권한이 있습니다",
+    "ORG_USER_SELF_MANAGER": "자신의 사용자 계정을 관리할 수 있는 권한이 있습니다",
     "PROJECT_OWNER": "프로젝트에 대한 전체 권한이 있습니다",
     "PROJECT_OWNER_VIEWER": "프로젝트 전체를 검토할 수 있는 권한이 있습니다",
     "PROJECT_OWNER_GLOBAL": "프로젝트에 대한 전체 권한이 있습니다",

console/src/assets/i18n/mk.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Има дозвола врз целата организација",
     "ORG_USER_MANAGER": "Има дозвола за креирање и менаџирање на корисници во организацијата",
     "ORG_OWNER_VIEWER": "Има дозвола за преглед на целата организација",
+    "ORG_SETTINGS_MANAGER": "Има дозвола за менаџирање на подесувањата на организацијата",
     "ORG_USER_PERMISSION_EDITOR": "Има дозвола за менаџирање на овластувања на корисници",
     "ORG_PROJECT_PERMISSION_EDITOR": "Има дозвола за менаџирање на овластувања на проекти",
     "ORG_PROJECT_CREATOR": "Има дозвола за креирање на сопствени проекти и нивни подесувања",
     "ORG_ADMIN_IMPERSONATOR": "Има дозвола да имитира администратор и крајни корисници од организацијата",
     "ORG_END_USER_IMPERSONATOR": "Има дозвола да ги имитира крајните корисници од организацијата",
+    "ORG_USER_SELF_MANAGER": "Има дозвола за менаџирање на своите корисници",
     "PROJECT_OWNER": "Има дозвола врз целиот проект",
     "PROJECT_OWNER_VIEWER": "Има дозвола за преглед на целиот проект",
     "PROJECT_OWNER_GLOBAL": "Има дозвола врз целиот проект",

console/src/assets/i18n/nl.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Heeft toestemming over de hele organisatie",
     "ORG_USER_MANAGER": "Heeft toestemming om gebruikers van de organisatie aan te maken en te beheren",
     "ORG_OWNER_VIEWER": "Heeft toestemming om de hele organisatie te bekijken",
+    "ORG_SETTINGS_MANAGER": "Heeft toestemming om de instellingen van de organisatie te beheren",
     "ORG_USER_PERMISSION_EDITOR": "Heeft toestemming om gebruikerstoegang te beheren",
     "ORG_PROJECT_PERMISSION_EDITOR": "Heeft toestemming om projecttoegang te beheren",
     "ORG_PROJECT_CREATOR": "Heeft toestemming om zijn eigen projecten en onderliggende instellingen aan te maken",
     "ORG_ADMIN_IMPERSONATOR": "Heeft toestemming om de beheerder en eindgebruikers van de organisatie na te bootsen",
     "ORG_END_USER_IMPERSONATOR": "Heeft toestemming om eindgebruikers van de organisatie na te bootsen",
+    "ORG_USER_SELF_MANAGER": "Heeft toestemming om zijn eigen gebruiker te beheren",
     "PROJECT_OWNER": "Heeft toestemming over het hele project",
     "PROJECT_OWNER_VIEWER": "Heeft toestemming om het hele project te bekijken",
     "PROJECT_OWNER_GLOBAL": "Heeft toestemming over het hele project",

console/src/assets/i18n/pl.json

@@ -511,11 +511,13 @@
     "ORG_OWNER": "Ma uprawnienie nad całą organizacją",
     "ORG_USER_MANAGER": "Ma uprawnienie do tworzenia i zarządzania użytkownikami organizacji",
     "ORG_OWNER_VIEWER": "Ma uprawnienie do przeglądania całej organizacji",
+    "ORG_SETTINGS_MANAGER": "Ma uprawnienie do zarządzania ustawieniami organizacji",
     "ORG_USER_PERMISSION_EDITOR": "Ma uprawnienie do zarządzania uprawnieniami użytkowników",
     "ORG_PROJECT_PERMISSION_EDITOR": "Ma uprawnienie do zarządzania uprawnieniami projektu",
     "ORG_PROJECT_CREATOR": "Ma uprawnienie do tworzenia własnych projektów i podstawowych ustawień",
     "ORG_ADMIN_IMPERSONATOR": "Ma uprawnienia do podszywania się pod administratora i użytkowników końcowych z organizacji",
     "ORG_END_USER_IMPERSONATOR": "Ma uprawnienia do podszywania się pod użytkowników końcowych z organizacji",
+    "ORG_USER_SELF_MANAGER": "Ma uprawnienie do zarządzania swoim własnym kontem użytkownika",
     "PROJECT_OWNER": "Ma uprawnienie nad całym projektem",
     "PROJECT_OWNER_VIEWER": "Ma uprawnienie do przeglądania całego projektu",
     "PROJECT_OWNER_GLOBAL": "Ma uprawnienia do całego projektu",

console/src/assets/i18n/pt.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Tem permissão sobre toda a organização",
     "ORG_USER_MANAGER": "Tem permissão para criar e gerenciar usuários da organização",
     "ORG_OWNER_VIEWER": "Tem permissão para revisar toda a organização",
+    "ORG_SETTINGS_MANAGER": "Tem permissão para gerenciar as configurações da organização",
     "ORG_USER_PERMISSION_EDITOR": "Tem permissão para gerenciar concessões de usuários",
     "ORG_PROJECT_PERMISSION_EDITOR": "Tem permissão para gerenciar concessões de projetos",
     "ORG_PROJECT_CREATOR": "Tem permissão para criar seus próprios projetos e configurações subjacentes",
     "ORG_ADMIN_IMPERSONATOR": "Tem permissão para se passar por administradores e usuários finais da organização",
     "ORG_END_USER_IMPERSONATOR": "Tem permissão para se passar por usuários finais da organização",
+    "ORG_USER_SELF_MANAGER": "Tem permissão para gerenciar seu próprio usuário",
     "PROJECT_OWNER": "Tem permissão sobre todo o projeto",
     "PROJECT_OWNER_VIEWER": "Tem permissão para revisar todo o projeto",
     "PROJECT_OWNER_GLOBAL": "Tem permissão sobre todo o projeto",

console/src/assets/i18n/ru.json

@@ -511,11 +511,13 @@
     "ORG_OWNER": "Имеет разрешение на всю организацию",
     "ORG_USER_MANAGER": "Имеет разрешение на создание и управление пользователями организации",
     "ORG_OWNER_VIEWER": "Имеет разрешение на просмотр всей организации",
+    "ORG_SETTINGS_MANAGER": "Имеет разрешение на управление настройками организации",
     "ORG_USER_PERMISSION_EDITOR": "Имеет разрешение на управление допусками пользователей",
     "ORG_PROJECT_PERMISSION_EDITOR": "Имеет разрешение на управление допусками проекта",
     "ORG_PROJECT_CREATOR": "Имеет разрешение на создание собственных проектов и базовых настроек",
     "ORG_ADMIN_IMPERSONATOR": "Имеет разрешение выдавать себя за администратора и конечных пользователей организации",
     "ORG_END_USER_IMPERSONATOR": "Имеет разрешение выдавать себя за конечных пользователей организации",
+    "ORG_USER_SELF_MANAGER": "Имеет разрешение на управление своим собственным пользователем",
     "PROJECT_OWNER": "Имеет разрешение на весь проект",
     "PROJECT_OWNER_VIEWER": "Имеет разрешение на просмотр всего проекта",
     "PROJECT_OWNER_GLOBAL": "Имеет разрешение на весь проект",

console/src/assets/i18n/sv.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "Har behörighet över hela organisationen",
     "ORG_USER_MANAGER": "Har behörighet att skapa och hantera användare i organisationen",
     "ORG_OWNER_VIEWER": "Har behörighet att granska hela organisationen",
+    "ORG_SETTINGS_MANAGER": "Har behörighet att hantera organisationens inställningar",
     "ORG_USER_PERMISSION_EDITOR": "Har behörighet att hantera användarbehörigheter",
     "ORG_PROJECT_PERMISSION_EDITOR": "Har behörighet att hantera projektbehörigheter",
     "ORG_PROJECT_CREATOR": "Har behörighet att skapa egna projekt och underliggande inställningar",
     "ORG_ADMIN_IMPERSONATOR": "Har behörighet att imitera administratörer och slutanvändare från organisationen",
     "ORG_END_USER_IMPERSONATOR": "Har behörighet att imitera slutanvändare från organisationen",
+    "ORG_USER_SELF_MANAGER": "Har behörighet att hantera sin egen användare",
     "PROJECT_OWNER": "Har behörighet över hela projektet",
     "PROJECT_OWNER_VIEWER": "Har behörighet att granska hela projektet",
     "PROJECT_OWNER_GLOBAL": "Har behörighet över hela projektet",

console/src/assets/i18n/zh.json

@@ -512,11 +512,13 @@
     "ORG_OWNER": "拥有整个组织的权限",
     "ORG_USER_MANAGER": "有权创建和管理组织的用户",
     "ORG_OWNER_VIEWER": "有权审查整个组织",
+    "ORG_SETTINGS_MANAGER": "有权管理组织的设置",
     "ORG_USER_PERMISSION_EDITOR": "有权管理用户授权",
     "ORG_PROJECT_PERMISSION_EDITOR": "有权管理项目授权",
     "ORG_PROJECT_CREATOR": "有权创建自己的项目和基础设置",
     "ORG_ADMIN_IMPERSONATOR": "有权模拟组织的管理员和最终用户",
     "ORG_END_USER_IMPERSONATOR": "有权模拟组织的最终用户",
+    "ORG_USER_SELF_MANAGER": "有权管理自己的用户",
     "PROJECT_OWNER": "拥有整个项目的权限",
     "PROJECT_OWNER_VIEWER": "有权审查整个项目",
     "PROJECT_OWNER_GLOBAL": "拥有整个项目的权限",

internal/api/grpc/user/v2/integration_test/user_test.go

@@ -10,15 +10,14 @@ import (
 	"testing"
 	"time"
 
-	"github.com/zitadel/logging"
-	"google.golang.org/protobuf/types/known/structpb"
-
 	"github.com/brianvoe/gofakeit/v6"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/logging"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/zitadel/zitadel/internal/api/grpc"

internal/command/command.go

@@ -218,6 +218,33 @@ func (c *Commands) pushAppendAndReduce(ctx context.Context, object AppendReducer
 	return AppendAndReduce(object, events...)
 }
 
+// pushChunked pushes the commands in chunks of size to the eventstore.
+// This can be used to reduce the amount of events in a single transaction.
+// When an error occurs, the events that have been pushed so far will be returned.
+//
+// Warning: chunks are pushed in separate transactions.
+// Successful pushes will not be rolled back if a later chunk fails.
+// Only use this function when the caller is able to handle partial success
+// and is able to consolidate the state on errors.
+func (c *Commands) pushChunked(ctx context.Context, size uint16, cmds ...eventstore.Command) (_ []eventstore.Event, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	events := make([]eventstore.Event, 0, len(cmds))
+	for i := 0; i < len(cmds); i += int(size) {
+		end := i + int(size)
+		if end > len(cmds) {
+			end = len(cmds)
+		}
+		chunk, err := c.eventstore.Push(ctx, cmds[i:end]...)
+		if err != nil {
+			return events, err
+		}
+		events = append(events, chunk...)
+	}
+	return events, nil
+}
+
 type AppendReducerDetails interface {
 	AppendEvents(...eventstore.Event)
 	// TODO: Why is it allowed to return an error here?

internal/command/command_test.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"os"
 	"testing"
@@ -13,6 +14,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/i18n"
+	"github.com/zitadel/zitadel/internal/repository/permission"
 	"github.com/zitadel/zitadel/internal/repository/user"
 )
 
@@ -29,6 +31,93 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
+func TestCommands_pushChunked(t *testing.T) {
+	aggregate := permission.NewAggregate("instanceID")
+	cmds := make([]eventstore.Command, 100)
+	for i := 0; i < 100; i++ {
+		cmds[i] = permission.NewAddedEvent(context.Background(), aggregate, "role", fmt.Sprintf("permission%d", i))
+	}
+	type args struct {
+		size uint16
+	}
+	tests := []struct {
+		name       string
+		args       args
+		eventstore func(*testing.T) *eventstore.Eventstore
+		wantEvents int
+		wantErr    error
+	}{
+		{
+			name: "push error",
+			args: args{
+				size: 100,
+			},
+			eventstore: expectEventstore(
+				expectPushFailed(io.ErrClosedPipe, cmds...),
+			),
+			wantEvents: 0,
+			wantErr:    io.ErrClosedPipe,
+		},
+		{
+			name: "single chunk",
+			args: args{
+				size: 100,
+			},
+			eventstore: expectEventstore(
+				expectPush(cmds...),
+			),
+			wantEvents: len(cmds),
+		},
+		{
+			name: "aligned chunks",
+			args: args{
+				size: 50,
+			},
+			eventstore: expectEventstore(
+				expectPush(cmds[0:50]...),
+				expectPush(cmds[50:100]...),
+			),
+			wantEvents: len(cmds),
+		},
+		{
+			name: "odd chunks",
+			args: args{
+				size: 30,
+			},
+			eventstore: expectEventstore(
+				expectPush(cmds[0:30]...),
+				expectPush(cmds[30:60]...),
+				expectPush(cmds[60:90]...),
+				expectPush(cmds[90:100]...),
+			),
+			wantEvents: len(cmds),
+		},
+		{
+			name: "partial error",
+			args: args{
+				size: 30,
+			},
+			eventstore: expectEventstore(
+				expectPush(cmds[0:30]...),
+				expectPush(cmds[30:60]...),
+				expectPushFailed(io.ErrClosedPipe, cmds[60:90]...),
+			),
+			wantEvents: len(cmds[0:60]),
+			wantErr:    io.ErrClosedPipe,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore: tt.eventstore(t),
+			}
+			gotEvents, err := c.pushChunked(context.Background(), tt.args.size, cmds...)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Len(t, gotEvents, tt.wantEvents)
+		})
+	}
+}
+
 func TestCommands_asyncPush(t *testing.T) {
 	// make sure the test terminates on deadlock
 	background := context.Background()

internal/command/converter.go

@@ -15,6 +15,9 @@ func writeModelToObjectDetails(writeModel *eventstore.WriteModel) *domain.Object
 }
 
 func pushedEventsToObjectDetails(events []eventstore.Event) *domain.ObjectDetails {
+	if len(events) == 0 {
+		return &domain.ObjectDetails{}
+	}
 	return &domain.ObjectDetails{
 		Sequence:      events[len(events)-1].Sequence(),
 		EventDate:     events[len(events)-1].CreatedAt(),

internal/command/instance.go

@@ -233,21 +233,25 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str
 		return "", "", nil, nil, err
 	}
 
-	events, err := c.eventstore.Push(ctx, cmds...)
+	_, err = c.eventstore.Push(ctx, cmds...)
 	if err != nil {
 		return "", "", nil, nil, err
 	}
 
+	// RolePermissions need to be pushed in separate transaction.
+	// https://github.com/zitadel/zitadel/issues/9293
+	details, err := c.SynchronizeRolePermission(ctx, setup.zitadel.instanceID, setup.RolePermissionMappings)
+	if err != nil {
+		return "", "", nil, nil, err
+	}
+	details.ResourceOwner = setup.zitadel.orgID
+
 	var token string
 	if pat != nil {
 		token = pat.Token
 	}
 
-	return setup.zitadel.instanceID, token, machineKey, &domain.ObjectDetails{
-		Sequence:      events[len(events)-1].Sequence(),
-		EventDate:     events[len(events)-1].CreatedAt(),
-		ResourceOwner: setup.zitadel.orgID,
-	}, nil
+	return setup.zitadel.instanceID, token, machineKey, details, nil
 }
 
 func contextWithInstanceSetupInfo(ctx context.Context, instanceID, projectID, consoleAppID, externalDomain string) context.Context {
@@ -380,7 +384,6 @@ func setupInstanceElements(instanceAgg *instance.Aggregate, setup *InstanceSetup
 			setup.LabelPolicy.ThemeMode,
 		),
 		prepareAddDefaultEmailTemplate(instanceAgg, setup.EmailTemplate),
-		prepareAddRolePermissions(instanceAgg, setup.RolePermissionMappings),
 	}
 }
 

internal/command/instance_permissions.go

@@ -1,29 +0,0 @@
-package command
-
-import (
-	"context"
-	"strings"
-
-	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/command/preparation"
-	"github.com/zitadel/zitadel/internal/eventstore"
-	"github.com/zitadel/zitadel/internal/repository/instance"
-	"github.com/zitadel/zitadel/internal/repository/permission"
-)
-
-func prepareAddRolePermissions(a *instance.Aggregate, roles []authz.RoleMapping) preparation.Validation {
-	return func() (preparation.CreateCommands, error) {
-		return func(ctx context.Context, _ preparation.FilterToQueryReducer) (cmds []eventstore.Command, _ error) {
-			aggregate := permission.NewAggregate(a.InstanceID)
-			for _, r := range roles {
-				if strings.HasPrefix(r.Role, "SYSTEM") {
-					continue
-				}
-				for _, p := range r.Permissions {
-					cmds = append(cmds, permission.NewAddedEvent(ctx, aggregate, r.Role, p))
-				}
-			}
-			return cmds, nil
-		}, nil
-	}
-}

internal/command/instance_role_permissions.go

@@ -0,0 +1,101 @@
+package command
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+	"strings"
+
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/permission"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+const (
+	CockroachRollPermissionChunkSize uint16 = 50
+)
+
+// SynchronizeRolePermission checks the current state of role permissions in the eventstore for the aggregate.
+// It pushes the commands required to reach the desired state passed in target.
+// For system level permissions aggregateID must be set to `SYSTEM`, else it is the instance ID.
+//
+// In case cockroachDB is used, the commands are pushed in chunks of CockroachRollPermissionChunkSize.
+func (c *Commands) SynchronizeRolePermission(ctx context.Context, aggregateID string, target []authz.RoleMapping) (_ *domain.ObjectDetails, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	cmds, err := synchronizeRolePermissionCommands(ctx, c.eventstore.Client(), aggregateID,
+		rolePermissionMappingsToDatabaseMap(target, aggregateID == "SYSTEM"),
+	)
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "COMMA-Iej2r", "Errors.Internal")
+	}
+	var events []eventstore.Event
+	if c.eventstore.Client().Database.Type() == "cockroach" {
+		events, err = c.pushChunked(ctx, CockroachRollPermissionChunkSize, cmds...)
+	} else {
+		events, err = c.eventstore.Push(ctx, cmds...)
+	}
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "COMMA-AiV3u", "Errors.Internal")
+	}
+	return pushedEventsToObjectDetails(events), nil
+}
+
+func rolePermissionMappingsToDatabaseMap(mappings []authz.RoleMapping, system bool) database.Map[[]string] {
+	out := make(database.Map[[]string], len(mappings))
+	for _, m := range mappings {
+		if system == strings.HasPrefix(m.Role, "SYSTEM") {
+			out[m.Role] = m.Permissions
+		}
+	}
+	return out
+}
+
+var (
+	//go:embed instance_role_permissions_sync.sql
+	instanceRolePermissionsSyncQuery string
+)
+
+// synchronizeRolePermissionCommands checks the current state of role permissions in the eventstore for the aggregate.
+// It returns the commands required to reach the desired state passed in target.
+// For system level permissions aggregateID must be set to `SYSTEM`, else it is the instance ID.
+func synchronizeRolePermissionCommands(ctx context.Context, db *database.DB, aggregateID string, target database.Map[[]string]) (cmds []eventstore.Command, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	err = db.QueryContext(ctx,
+		rolePermissionScanner(ctx, permission.NewAggregate(aggregateID), &cmds),
+		instanceRolePermissionsSyncQuery,
+		aggregateID, target)
+	if err != nil {
+		return nil, err
+	}
+	return cmds, nil
+}
+
+func rolePermissionScanner(ctx context.Context, aggregate *eventstore.Aggregate, cmds *[]eventstore.Command) func(rows *sql.Rows) error {
+	return func(rows *sql.Rows) error {
+		for rows.Next() {
+			var operation, role, perm string
+			if err := rows.Scan(&operation, &role, &perm); err != nil {
+				return err
+			}
+			logging.WithFields("aggregate_id", aggregate.ID, "operation", operation, "role", role, "permission", perm).Debug("sync role permission")
+			switch operation {
+			case "add":
+				*cmds = append(*cmds, permission.NewAddedEvent(ctx, aggregate, role, perm))
+			case "remove":
+				*cmds = append(*cmds, permission.NewRemovedEvent(ctx, aggregate, role, perm))
+			}
+		}
+		return rows.Close()
+
+	}
+}

internal/command/instance_role_permissions_test.go

@@ -0,0 +1,139 @@
+package command
+
+import (
+	"context"
+	"database/sql"
+	"database/sql/driver"
+	_ "embed"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/database/mock"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/permission"
+)
+
+func Test_rolePermissionMappingsToDatabaseMap(t *testing.T) {
+	type args struct {
+		mappings []authz.RoleMapping
+		system   bool
+	}
+	tests := []struct {
+		name string
+		args args
+		want database.Map[[]string]
+	}{
+		{
+			name: "instance",
+			args: args{
+				mappings: []authz.RoleMapping{
+					{Role: "role1", Permissions: []string{"permission1", "permission2"}},
+					{Role: "role2", Permissions: []string{"permission3", "permission4"}},
+					{Role: "SYSTEM_ROLE", Permissions: []string{"permission5", "permission6"}},
+				},
+				system: false,
+			},
+			want: database.Map[[]string]{
+				"role1": []string{"permission1", "permission2"},
+				"role2": []string{"permission3", "permission4"},
+			},
+		},
+		{
+			name: "system",
+			args: args{
+				mappings: []authz.RoleMapping{
+					{Role: "role1", Permissions: []string{"permission1", "permission2"}},
+					{Role: "role2", Permissions: []string{"permission3", "permission4"}},
+					{Role: "SYSTEM_ROLE", Permissions: []string{"permission5", "permission6"}},
+				},
+				system: true,
+			},
+			want: database.Map[[]string]{
+				"SYSTEM_ROLE": []string{"permission5", "permission6"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := rolePermissionMappingsToDatabaseMap(tt.args.mappings, tt.args.system)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_synchronizeRolePermissionCommands(t *testing.T) {
+	const aggregateID = "aggregateID"
+	aggregate := permission.NewAggregate(aggregateID)
+	target := database.Map[[]string]{
+		"role1": []string{"permission1", "permission2"},
+		"role2": []string{"permission3", "permission4"},
+	}
+	tests := []struct {
+		name     string
+		mock     func(*testing.T) *mock.SQLMock
+		wantCmds []eventstore.Command
+		wantErr  error
+	}{
+		{
+			name: "query error",
+			mock: func(t *testing.T) *mock.SQLMock {
+				return mock.NewSQLMock(t,
+					mock.ExpectQuery(instanceRolePermissionsSyncQuery,
+						mock.WithQueryArgs(aggregateID, target),
+						mock.WithQueryErr(sql.ErrConnDone),
+					),
+				)
+			},
+			wantErr: sql.ErrConnDone,
+		},
+		{
+			name: "no rows",
+			mock: func(t *testing.T) *mock.SQLMock {
+				return mock.NewSQLMock(t,
+					mock.ExpectQuery(instanceRolePermissionsSyncQuery,
+						mock.WithQueryArgs(aggregateID, target),
+						mock.WithQueryResult([]string{"operation", "role", "permission"}, [][]driver.Value{}),
+					),
+				)
+			},
+		},
+		{
+			name: "add and remove operations",
+			mock: func(t *testing.T) *mock.SQLMock {
+				return mock.NewSQLMock(t,
+					mock.ExpectQuery(instanceRolePermissionsSyncQuery,
+						mock.WithQueryArgs(aggregateID, target),
+						mock.WithQueryResult([]string{"operation", "role", "permission"}, [][]driver.Value{
+							{"add", "role1", "permission1"},
+							{"add", "role1", "permission2"},
+							{"remove", "role3", "permission5"},
+							{"remove", "role3", "permission6"},
+						}),
+					),
+				)
+			},
+			wantCmds: []eventstore.Command{
+				permission.NewAddedEvent(context.Background(), aggregate, "role1", "permission1"),
+				permission.NewAddedEvent(context.Background(), aggregate, "role1", "permission2"),
+				permission.NewRemovedEvent(context.Background(), aggregate, "role3", "permission5"),
+				permission.NewRemovedEvent(context.Background(), aggregate, "role3", "permission6"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mock := tt.mock(t)
+			defer mock.Assert(t)
+			db := &database.DB{
+				DB: mock.DB,
+			}
+			gotCmds, err := synchronizeRolePermissionCommands(context.Background(), db, aggregateID, target)
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.wantCmds, gotCmds)
+		})
+	}
+}

internal/eventstore/handler/v2/handler.go

@@ -263,12 +263,16 @@ func (h *Handler) triggerInstances(ctx context.Context, instances []string, trig
 
 		// simple implementation of do while
 		_, err := h.Trigger(instanceCtx, triggerOpts...)
-		h.log().WithField("instance", instance).OnError(err).Debug("trigger failed")
+		// skip retry if everything is fine
+		if err == nil {
+			continue
+		}
+		h.log().WithField("instance", instance).WithError(err).Debug("trigger failed")
 		time.Sleep(h.retryFailedAfter)
 		// retry if trigger failed
 		for ; err != nil; _, err = h.Trigger(instanceCtx, triggerOpts...) {
 			time.Sleep(h.retryFailedAfter)
-			h.log().WithField("instance", instance).OnError(err).Debug("trigger failed")
+			h.log().WithField("instance", instance).WithError(err).Debug("trigger failed")
 		}
 	}
 }

internal/integration/sink/server.go

@@ -15,6 +15,7 @@ import (
 	"sync/atomic"
 	"time"
 
+	crewjam_saml "github.com/crewjam/saml"
 	"github.com/go-chi/chi/v5"
 	"github.com/gorilla/websocket"
 	"github.com/sirupsen/logrus"
@@ -23,8 +24,6 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/text/language"
 
-	crewjam_saml "github.com/crewjam/saml"
-
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/idp/providers/ldap"