ROX-14473: require user org_id to match ACS owner org_id (#751)

Co-authored-by: dhaus67 <[email protected]>

Author: ivan-degtiarenko

fleetshard/pkg/central/reconciler/init_auth.go

@@ -64,6 +64,19 @@ var (
 				RoleName: "Admin",
 			}
 		},
+		func(providerId string, auth private.ManagedCentralAllOfSpecAuth) *storage.Group {
+			return &storage.Group{
+				Props: &storage.GroupProperties{
+					AuthProviderId: providerId,
+					Key:            "rh_is_org_admin",
+					Value:          "true",
+					Traits: &storage.Traits{
+						MutabilityMode: storage.Traits_ALLOW_MUTATE_FORCED,
+					},
+				},
+				RoleName: "Admin",
+			}
+		},
 	}
 )
 
@@ -163,9 +176,17 @@ func createAuthProviderRequest(central private.ManagedCentral) *storage.AuthProv
 		},
 		ClaimMappings: map[string]string{
 			"realm_access.roles": "groups",
+			"org_id":             "rh_org_id",
+			"is_org_admin":       "rh_is_org_admin",
 		},
 		// TODO: for testing purposes only; remove once host is correctly specified in fleet-manager
 		ExtraUiEndpoints: []string{"localhost:8443"},
+		RequiredAttributes: []*storage.AuthProvider_RequiredAttribute{
+			{
+				AttributeKey:   "rh_org_id",
+				AttributeValue: central.Spec.Auth.OwnerOrgId,
+			},
+		},
 		Traits: &storage.Traits{
 			MutabilityMode: storage.Traits_ALLOW_MUTATE_FORCED,
 		},