fix: align UserGroup ReBAC syncing with Tenant namespace design

2026-03-04 15:01:53 +09:00
parent 6506bd192d
commit e97c5418b9
2 changed files with 9 additions and 9 deletions
--- a/backend/internal/service/org_chart_service.go
+++ b/backend/internal/service/org_chart_service.go
@@ -130,9 +130,9 @@ func (s *orgChartService) ImportCSV(ctx context.Context, tenantID string, r io.R

 		// 3. Sync Membership to Keto via Outbox
 		if s.ketoOutboxRepo != nil {
-			// Add as member of UserGroup
+			// Add as member of UserGroup (which is a Tenant namespace object)
 			_ = s.ketoOutboxRepo.Create(ctx, &domain.KetoOutbox{
-				Namespace: "UserGroup",
+				Namespace: "Tenant",
 				Object:    leafID,
 				Relation:  "members",
 				Subject:   "User:" + kratosID,
@@ -142,7 +142,7 @@ func (s *orgChartService) ImportCSV(ctx context.Context, tenantID string, r io.R
 			// Add as owner if applicable
 			if isOwner {
 				_ = s.ketoOutboxRepo.Create(ctx, &domain.KetoOutbox{
-					Namespace: "UserGroup",
+					Namespace: "Tenant",
 					Object:    leafID,
 					Relation:  "owners",
 					Subject:   "User:" + kratosID,
--- a/backend/internal/service/tenant_service.go
+++ b/backend/internal/service/tenant_service.go
@@ -133,9 +133,9 @@ func (s *tenantService) RegisterTenant(ctx context.Context, name, slug, tenantTy
 				// Sync group to Keto via Outbox
 				if s.outboxRepo != nil {
 					_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
-						Namespace: "UserGroup",
+						Namespace: "Tenant",
 						Object:    newGroup.ID,
-						Relation:  "tenants",
+						Relation:  "parents",
 						Subject:   "Tenant:" + tenant.ID,
 						Action:    domain.KetoOutboxActionCreate,
 					})
@@ -143,9 +143,9 @@ func (s *tenantService) RegisterTenant(ctx context.Context, name, slug, tenantTy
 					// If this is the 'admins' group and we have a creatorID, add creator to this group
 					if g.Slug == "admins" && creatorID != "" {
 						_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
-							Namespace: "UserGroup",
+							Namespace: "Tenant",
 							Object:    newGroup.ID,
-							Relation:  "members",
+							Relation:  "owners",
 							Subject:   "User:" + creatorID,
 							Action:    domain.KetoOutboxActionCreate,
 						})
@@ -276,9 +276,9 @@ func (s *tenantService) ApproveTenant(ctx context.Context, id string) error {
 			if err := s.userGroupRepo.Create(ctx, newGroup); err == nil {
 				if s.outboxRepo != nil {
 					_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
-						Namespace: "UserGroup",
+						Namespace: "Tenant",
 						Object:    newGroup.ID,
-						Relation:  "tenants",
+						Relation:  "parents",
 						Subject:   "Tenant:" + tenant.ID,
 						Action:    domain.KetoOutboxActionCreate,
 					})