Proto changes to add support for cross-org group delegation.

[mayank-singla001]

For #17

[acevedohulk]

Any updates or comments from the other Vendors?

@haussli , is this the model that we all will be implementing?

[haussli]

Any updates or comments from the other Vendors?

@haussli , is this the model that we all will be implementing?

Yes, I expect those supporting 3rd party delegation to support this for us to use their products in the scenarios that 3rd party delegation is intended to address.

Others should respond, but afaik you are the only vendor opposed at this point. The concerns of others have been addressed, either on github or privately.

This PR needs to be resolved asap, preferably by EoD. While no one wishes to force it upon you, there is consensus among the other 4.

I believe the arguments opposing your Upsert method to be valid and I do not perceive advantages to it. Perhaps you have accepted this?

AFAICT, that leaves the handling of automatic deletions is your other concern; avoiding accidental deletions. These occur either when an org is 1) removed from a group's delegation list or 2) a user is removed from an org (or changes orgs).

While my preference is not to protect people from themselves, I am ok with the approach suggested for the 1, where all members of a group belonging to an org must be removed from the group before the org can be removed.

I do not think there is another reasonable way to address 2. If a user of an org, to which a group has been delegated, is deleted from that org (ie: leaves the organization or changes organizations), the ovgs MUST automatically remove that user from all those groups. Otherwise, there is potential for unintended latent permissions (for that user in the new org or a new user in the old with the same username). It is not clear to me if you also oppose this.

Are there other concerns?

[haussli]

I think that we are done here. I will ask for a review.