Add policies for handling custom roles
What does this MR do and why?
It adds policies for handling custom roles. Until now we checked permissions for admin_group or admin_group_member, but we didn't specify what we should actually check, and admin_group or admin_group_member also becomes insufficient with the introduction of member roles on the instance level.
We decided (see the related issue) that group owners should be able to read and admin member roles on the group level and instance admins should be able to read & admin roles on the instance level.
This MR adds the respective policy rules & changes the current permission checks.
How to set up and validate locally
This is just a background change, no change in functionality. But you can check everything is working by playing around with member roles of a (root) group (e.g. https://gdk.test:3443/groups/flightjs/-/settings/roles_and_permissions).
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #429455 (closed)
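The scope split described above, as an added Ruby sketch that is not part of this MR or of GitLab's policy code: it contrasts a purely group-scoped check with a scope-aware one for group-level and instance-level member roles. All struct, ability and helper names, and the sample users and roles, are assumptions made for illustration.

```ruby
# Constructed model of the rule in the description; not GitLab's policy code.
# Every name here (structs, abilities, helpers) is an assumption.
User = Struct.new(:name, :instance_admin, keyword_init: true)
Group = Struct.new(:path, :owners, keyword_init: true)
# group == nil marks a member role defined on the instance level.
MemberRole = Struct.new(:name, :group, keyword_init: true)

MEMBER_ROLE_ABILITIES = %i[read_member_role admin_member_role].freeze

# A purely group-scoped check: an instance-level role has no group to ask,
# so the only safe answer is to deny, even for an instance admin.
def group_scoped_allowed?(user, role)
  return false if user.nil? || role.group.nil?

  role.group.owners.include?(user.name)
end

# Scope-aware check: group-level roles -> owners of that group,
# instance-level roles -> instance admins. The description does not say
# whether admins also pass the group-level branch, so the scopes stay separate.
def member_role_allowed?(user, ability, role)
  return false if user.nil? || !MEMBER_ROLE_ABILITIES.include?(ability)

  role.group.nil? ? user.instance_admin : role.group.owners.include?(user.name)
end

# Constructed sample data.
FLIGHTJS = Group.new(path: "flightjs", owners: ["olivia"])
OTHER = Group.new(path: "other", owners: ["peter"])
OLIVIA = User.new(name: "olivia", instance_admin: false)
ROOT = User.new(name: "root", instance_admin: true)
GROUP_ROLE = MemberRole.new(name: "auditor", group: FLIGHTJS)
OTHER_ROLE = MemberRole.new(name: "reviewer", group: OTHER)
INSTANCE_ROLE = MemberRole.new(name: "instance-auditor", group: nil)

# Who may administer which role, keyed by [user name, role name].
def decision_matrix
  [OLIVIA, ROOT].product([GROUP_ROLE, OTHER_ROLE, INSTANCE_ROLE]).map do |user, role|
    [[user.name, role.name], member_role_allowed?(user, :admin_member_role, role)]
  end.to_h
end

puts decision_matrix.map { |k, v| "#{k.join(' -> ')}: #{v}" } if $PROGRAM_NAME == __FILE__
```

The cases worth turning into policy specs are the cross-scope ones: an owner of one group against another group's role, and a group owner against an instance-level role.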