From ab9cbfc8971a33a5ffcb450e9d22eeb320aaa6cf Mon Sep 17 00:00:00 2001
From: chan
Date: Wed, 25 Mar 2026 17:01:55 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20=EA=B6=8C=ED=95=9C=EC=9D=B4=EB=82=98=20?= =?UTF-8?q?=EC=86=8C=EC=86=8D=EC=9D=B4=20=EB=B3=80=EA=B2=BD=EB=90=98?= =?UTF-8?q?=EC=A7=80=20=EC=95=8A=EC=95=98=EC=9D=84=20=EB=95=8C=20Keto=20?= =?UTF-8?q?=EA=B6=8C=ED=95=9C=20=EB=A6=B4=EB=A0=88=EC=9D=B4=EC=85=98?= =?UTF-8?q?=EC=9D=B4=20=EB=B6=88=ED=95=84=EC=9A=94=ED=95=98=EA=B2=8C=20?= =?UTF-8?q?=EC=82=AD=EC=A0=9C=20=ED=9B=84=20=EC=9E=AC=EC=83=9D=EC=84=B1?= =?UTF-8?q?=EB=90=98=EB=8A=94=20=EB=B2=84=EA=B7=B8=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/internal/handler/user_handler.go | 52 ++++++++++++++----------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 89d68177..40d101f1 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -1404,20 +1404,31 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
 newRole = domain.NormalizeRole(newRole)
 oldRole = domain.NormalizeRole(oldRole)

+ newTID := ""
+ if newTenantID != nil {
+ newTID = *newTenantID
+ }
+
 if h.KetoOutboxRepo == nil {
 return
 }

+ if oldRole == newRole && oldTenantID == newTID {
+ return // Nothing changed
+ }
+
 // 1. Handle Role Changes
- // Remove old roles
 if oldRole == domain.RoleSuperAdmin {
- _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
- Namespace: "System",
- Object: "global",
- Relation: "super_admins",
- Subject: "User:" + userID,
- Action: domain.KetoOutboxActionDelete,
- })
+ // Only remove super_admin if the role actually changed (tenant change doesn't matter for global roles)
+ if oldRole != newRole {
+ _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
+ Namespace: "System",
+ Object: "global",
+ Relation: "super_admins",
+ Subject: "User:" + userID,
+ Action: domain.KetoOutboxActionDelete,
+ })
+ }
 } else if oldRole == domain.RoleTenantAdmin && oldTenantID != "" {
 _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
 Namespace: "Tenant",
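Review bot: The `super_admins` delete that this hunk re-adds under `if oldRole != newRole` still discards the result of `h.KetoOutboxRepo.Create` with `_ =`, so a failed outbox write during a demotion presumably leaves the global super-admin relation in place with no signal to anyone. Because this is the revocation path, that failure is fail-open; bind the error instead, e.g. `if err := h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{…}); err != nil {`, and record it with the user ID and relation through the handler's existing logging, or surface it to the caller if the signature can change. The same `_ =` pattern is on the tenant `admins` delete at the end of this hunk and on both creates in the next hunk. syncKetoRole starts and ends outside the hunk, so whether it can return an error is not visible here.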
@@ -1430,17 +1441,19 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole

 // Add new roles
 if newRole == domain.RoleSuperAdmin {
- _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
- Namespace: "System",
- Object: "global",
- Relation: "super_admins",
- Subject: "User:" + userID,
- Action: domain.KetoOutboxActionCreate,
- })
- } else if newRole == domain.RoleTenantAdmin && newTenantID != nil {
+ if oldRole != newRole {
+ _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
+ Namespace: "System",
+ Object: "global",
+ Relation: "super_admins",
+ Subject: "User:" + userID,
+ Action: domain.KetoOutboxActionCreate,
+ })
+ }
+ } else if newRole == domain.RoleTenantAdmin && newTID != "" {
 _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
 Namespace: "Tenant",
- Object: *newTenantID,
+ Object: newTID,
 Relation: "admins",
 Subject: "User:" + userID,
 Action: domain.KetoOutboxActionCreate,
@@ -1448,11 +1461,6 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
 }

 // 2. Handle Tenant Membership (for count)
- newTID := ""
- if newTenantID != nil {
- newTID = *newTenantID
- }
-
 if oldTenantID != newTID {
 // Remove from old tenant
 if oldTenantID != "" {
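Review bot: In the `// Add new roles` block the grant-side guard `if oldRole != newRole` is nested and uncommented, while the matching revoke-side guard explains why a tenant change must not touch the global role. It can be folded into the outer test as `if newRole == domain.RoleSuperAdmin && oldRole != newRole {`; the following `else if newRole == domain.RoleTenantAdmin …` branch is unaffected because that condition cannot hold when newRole is the super-admin role. A one-line comment such as `// Grant super_admin only on an actual role change; a tenant move alone must not re-emit the global relation.` would keep the two sides symmetrical for the next reader of this authorization path. The enclosing function continues outside the hunk.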