Zitadel roles on groups

Unique FinanceGPT offers the ability to define Zitadel roles at group level. Every user assigned to such a group (including its sub groups) automatically gains the Zitadel roles defined on that group.

The reverse also applies: if a user is removed from a group that has a Zitadel role assigned, and the user is not a member of any other group carrying that role, the role is revoked from the user.

Scenario

  • Group Chat has role chat.chat.basic as Zitadel role assigned.

  • Group Admin has role chat.admin.all as Zitadel role assigned and is a sub group of Group Chat.

  • Group Knowledge has role chat.knowledge.read as Zitadel role assigned and is a sub group of Group Chat.

  • Group Feedback has role chat.feedback.read as Zitadel role assigned.

  • User Reto is assigned to Group Chat. This automatically grants him the role chat.chat.basic.

  • User Peter is assigned to Group Admin. Because Admin is a sub group of Chat, this automatically grants him the roles chat.chat.basic and chat.admin.all.

  • Peter is then removed from Group Admin and added to Group Feedback. The roles chat.chat.basic and chat.admin.all are revoked from Peter, and the role chat.feedback.read is granted.


Note: User authorisations (roles) can still be added or removed manually, directly in Zitadel. This can cause data inconsistency and will not be detected by Unique FinanceGPT.

Unique does not take such manual role assignments in Zitadel into account. This matters mainly when a user loses access to a role in Unique FinanceGPT because the user was removed from a group: the role is then revoked in Zitadel regardless of how it was granted there.

Example: User Harry has been granted the role chat.feedback.read manually in Zitadel. Harry is then removed from a group which has chat.feedback.read assigned and therefore no longer has access to this role in Unique. As a result, chat.feedback.read is revoked from Harry in Zitadel, including the manual grant.
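The inheritance and revocation rules above (the scenario and the note on manual Zitadel grants), as an added Python model. This is not Unique's own code: the group names, roles and hierarchy are constructed from the scenario on this page, and the Zitadel side is reduced to a plain set of role names standing in for the user's authorizations.

```python
"""Effective-role resolution for group-scoped Zitadel roles.

Added example, not Unique's implementation. It models the behaviour the page
describes: roles inherit down the group tree, a user's roles are the union over
all groups they belong to, and a role is revoked only when no remaining group
still grants it. Manual grants made in Zitadel are invisible to this logic.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class Group:
    name: str
    roles: FrozenSet[str] = frozenset()   # roles configured on the group itself
    parent: Optional[str] = None          # parent group name, None for a top-level group


# Constructed from the page's scenario; not data from a real tenant.
GROUPS: Dict[str, Group] = {
    "Chat": Group("Chat", frozenset({"chat.chat.basic"})),
    "Admin": Group("Admin", frozenset({"chat.admin.all"}), parent="Chat"),
    "Knowledge": Group("Knowledge", frozenset({"chat.knowledge.read"}), parent="Chat"),
    "Feedback": Group("Feedback", frozenset({"chat.feedback.read"})),
}


def group_roles(groups: Dict[str, Group], name: str) -> FrozenSet[str]:
    """Roles of `name` plus those inherited from every ancestor group.

    Walks the parent chain upwards; a cycle in the hierarchy raises instead of
    looping forever, and an unknown group name raises KeyError.
    """
    roles: Set[str] = set()
    seen: Set[str] = set()
    cur: Optional[str] = name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"group hierarchy cycle at {cur!r}")
        seen.add(cur)
        group = groups[cur]
        roles |= group.roles
        cur = group.parent
    return frozenset(roles)


def user_roles(groups: Dict[str, Group], memberships: Iterable[str]) -> FrozenSet[str]:
    """Union of the effective roles of every group the user is a member of."""
    roles: Set[str] = set()
    for g in memberships:
        roles |= group_roles(groups, g)
    return frozenset(roles)


def sync_plan(groups: Dict[str, Group], before: Iterable[str],
              after: Iterable[str]) -> Dict[str, FrozenSet[str]]:
    """Grants and revokes to push to Zitadel when memberships change.

    A role survives a group removal only if another remaining group still
    grants it (directly or through inheritance).
    """
    old = user_roles(groups, before)
    new = user_roles(groups, after)
    return {"grant": new - old, "revoke": old - new}


def apply_plan(zitadel_roles: Iterable[str], plan: Dict[str, FrozenSet[str]]) -> Set[str]:
    """Apply a plan to the roles Zitadel currently holds for the user.

    The plan is derived from group membership alone, so a role that was added
    by hand in Zitadel is revoked exactly like a group-derived one (the Harry case).
    """
    return (set(zitadel_roles) - plan["revoke"]) | plan["grant"]


if __name__ == "__main__":
    print("Reto  :", sorted(user_roles(GROUPS, {"Chat"})))
    print("Peter :", sorted(user_roles(GROUPS, {"Admin"})))
    print("Peter Admin -> Feedback:", sync_plan(GROUPS, {"Admin"}, {"Feedback"}))
    # Harry: chat.feedback.read was added manually in Zitadel, then he leaves Feedback.
    harry_plan = sync_plan(GROUPS, {"Feedback"}, set())
    print("Harry after sync:", apply_plan({"chat.feedback.read"}, harry_plan))
```

The interesting case is a user in two groups that share an inherited role: removing them from Admin while they remain in Knowledge revokes only chat.admin.all, because chat.chat.basic is still granted through Knowledge's parent. The last lines reproduce the Harry case, where the manual grant disappears with the group membership.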

Configuration

These role assignments can currently only be configured via API. Use the following curl template to change the roles attribute of a group. Adjust the URL, token, groupId and roles before sending; the roles array lists the Zitadel roles to set on the group. The user the token belongs to needs to have the chat.admin.all role, so treat that token as a privileged credential. The selection set between the braces of updateGroup in the template is empty; GraphQL requires at least one field there, so add the fields of the updated group you want returned before sending the request.

curl --location 'https://gateway.<baseUrl>/scope-management/graphql' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <yourToken>' \
  --data '{"query":"mutation UpdateGroup($updateGroupId: String!, $input: GroupUpdateInput!) {\n updateGroup(id: $updateGroupId, input: $input) {\n \n }\n}","variables":{"updateGroupId":"<groupId>","input":{"roles":["chat.chat.basic","chat.feedback.read"]}}}'


Author

@Adrian Gugger


© 2024 Unique AG. All rights reserved.