website/docs: Add note about single group per role

[pklaschka]

Details

This change adds an admonition to document the fact that every role can only ever be assigned to a single group at the same time. Since this is surprising based on a traditional understanding of role-based models, I've decided to make this a :::warning.

I'm undecided on the best place for this information, but for now, decided on putting it into the context of the action that can fail: assigning a role to a group.

While this does not close the issue, it documents this behavior to at least address the "needs documentation" aspect of #10983 .

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	9791492
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/67433779f3578f0008f0f7af
😎 Deploy Preview	https://deploy-preview-12169--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	9791492
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/6743377997f17b000814d858
😎 Deploy Preview	https://deploy-preview-12169--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[tanberry]

Hi @pklaschka thanks so much for this PR. It also helped me catch the fact that I need to update the docs to use the new "dual-select" UI component that is now in the UI for selecting roles. I think we introduced it in version 2024.8, but I failed to update the docs about assigning roles to a group. Which version are you running?

On your point, though, about not being able to assign a single role (say Role X) to multiple groups... I don't think that is correct. I was able to assign a role called Multiple Group Role to two different Groups.

Maybe you mean "at the same time" as in during same action? That is true; one has to go to each Group separately, and assign the role.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.43%. Comparing base (3d5a189) to head (9791492).
Report is 18 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12169      +/-   ##
==========================================
- Coverage   92.67%   92.43%   -0.24%     
==========================================
  Files         761      761              
  Lines       38025    38025              
==========================================
- Hits        35239    35149      -90     
- Misses       2786     2876      +90     

Flag	Coverage Δ
e2e	48.55% <ø> (-0.62%)	⬇️
integration	24.83% <ø> (ø)
unit	90.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pklaschka]

Hi @tanberry , thanks for your quick response!

On your point, though, about not being able to assign a single role (say Role X) to multiple groups... I don't think that is correct. I was able to assign a role called Multiple Group Role to two different Groups.

If I assign a role (Role X) to a group (Group 1) while it is already assigned to a different group (Group 2), I get a 400 Bad Request with the message

["Roles can only be used with a single group."]

in the underlying call to PATCH /api/v3/core/groups/[group-id]/. In the UI, it shows a non-descriptive error message (which this documentation is, at best, a band-aid for, but better than nothing):

When I unassign the role from its current group assignment (Group 2) and try the same thing again (assigning Role X to Group 1), it works.

This is the case in 2024.10.4, at least… So on my end, the behavior matches the behavior in #10983 (where @BeryJu confirmed that limitation).

[pklaschka]

My best guess would be that this limitation stems from this OneToOneField:

authentik/authentik/rbac/models.py

Lines 38 to 47 in 5e72ec9

	# Due to the way django and django-guardian work, this is somewhat of a hack.
	# Django and django-guardian allow for setting permissions on users and groups, but they
	# only allow for a custom user object, not a custom group object, which is why
	# we have both authentik and django groups. With this model, we use the inbuilt group system
	# for RBAC. This means that every Role needs a single django group that its assigned to
	# which will hold all of the actual permissions
	# The main advantage of that is that all the permission checking just works out of the box,
	# as these permissions are checked by default by django and most other libraries that build
	# on top of django
	group = models.OneToOneField("auth.Group", on_delete=models.CASCADE)

But I have no experience with Django, so this is nothing more than an educated guess by a non-Django dev (and also makes limited sense as it's technically a 1:n instead of a 1:1 relationship – whereas the expectation would be N:M) 😉 .

[tanberry]

Aha, I learned a ton here, including the fact that I need to do a search on the docs_needed label! :-)

I want to do a bit more research about exactly which version this changed in (I suspect it is above in your notes but I need more coffee), and see if Notes are needed about that.

But in meantime, let's merge your PR, and then I will open one to update the steps to use the dual-select component.

[tanberry]

Thanks again, you are welcome to comb over the docs and help us as much as you want! :-)