Project Grants (Manager) - Bug or Intended?
I'm currently using ZITADEL from scratch to set up an IAM / IDP for us.
I built the construct with projects and different organisations and ran into an unexpected (for me at least) behaviour.
Use-case: ZITADEL as IAM/IDP Service
Environment: Self hosted
Version: 2.70.0 (and downgraded to 2.68.3 to verify)
Stack: Doesn't matter, it all happens in the Console UI
What are you trying to do:
1. Create Org "Org A"
2. Create User "Admin A"
3. Create Project "Project A" with some roles
4. Create Org "Org B"
5. Create User "Manager B" in "Org B"
7. Create User "User B" in "Org B"
8. Grant the Project to "Org B" with the roles and define "Manager B" as "Manager"
9. Login as "Manager B"
10. Add Authorizations to "User B" in "Project A" within "Org B" as "Manager B"
What you expected to happen:
The "Manager B" can add "User B" and assign roles. See all assigned Roles from the granted one.
What went wrong:
The "Manager B" can add the "User B", BUT there are no visible Roles to select and the "User B" can be added without roles.
Screenshots:
- All listed grants to another Organization
- Listed manager for the Project grant organization
- Visible roles (or empty as you use) for the granted project
Thank you for your time and awesome product.



6 Replies
Mhh, also is it intended? But what if I only want Manager B to have permission to the single project and not all projects?
I think it doesn't make sense to set a manager for project grants: he then has access to everything but doesn't see any roles?
Some thoughts about that issue?
Anything new about my question :)?
hi @ICSharp apologies for the delay, I am looking into it
hi @HESS-BEA I think manager b is not able to see the roles because of the way it has been designed, but this is based on my understanding, I will check with my team to confirm it. Meanwhile you can read about how our [roles](https://zitadel.com/docs/guides/manage/console/roles) work (if it helps you somehow), and I will get back to you.
Hi @HESS-BEA from my understanding, what you are trying to achieve might not be possible with the available grants that we have (the closest one would be Org Project Permission Editor, like flo mentioned), but as a workaround you can try something like this:
Create a separate organization (e.g., Org C) that only contains Project A and grant it to Org B. This way, Manager B's permissions in Org B would implicitly align with the narrower scope of Org C's projects. This is a workaround to simulate project-specific access for your case.
But to be honest, this seems completely wrong to me... Where is the benefit of giving a user the manager role for the project in the organisation?