Project Grant Deactivation Access Restriction

Hello, I'm looking to confirm if the following behavior is expected: Deactivating a project grant for an organization does NOT remove access to that project for all users in the organization.
- If the above statement is true, is there another way to holistically remove access to a project for all users of an organization without having to deactivate every user's grant?
- Is the intended way to do this by removing the project grant altogether?
7 Replies
Rajat, 3d ago
hey @vf-tyler, to holistically remove access to a project for all users in a granted organization, the intended method is to remove the project grant entirely. It will delete the project grant and automatically remove all associated user grants.
Rajat, 3d ago
ZITADEL Docs
Delete a project grant. All user grants for this project grant will also be removed.
vf-tyler (OP), 3d ago
hi @Rajat thanks for the quick reply. i was hoping there would be a more efficient way to do this without removing all of the user grants. i have a use case where an organization could have thousands of user grants to remove. this also means that restoring access means re-adding thousands of user grants back to ZITADEL. just checking that you don't know of a more efficient solution for the above use case?
Rajat, 3d ago
hey @vf-tyler allow me some time, I will get back to you.

hey @vf-tyler for now, you can do the following for the bulk delete:
1. Retrieve all user grants associated with the project grant.
2. Iteratively deactivate each user grant using the API calls.
Rajat, 3d ago
so basically search the user grant https://zitadel.com/docs/apis/resources/mgmt/management-service-list-user-grants and then deactivate them (you can run a loop here for bulk deactivation) https://zitadel.com/docs/apis/resources/mgmt/management-service-deactivate-user-grant and then reactivate them when needed? (same for loop for bulk reactivation) https://zitadel.com/docs/apis/resources/mgmt/management-service-reactivate-user-grant
ZITADEL Docs
Returns a list of user grants that match the search queries. User grants are the roles users have for a specific project and organization.
ZITADEL Docs
Deactivate the user grant. The user will not be able to use the granted project anymore. Also, the roles will not be included in the tokens when requested. An error will be returned if the user grant is already deactivated.
ZITADEL Docs
Reactivate a deactivated user grant. The user will be able to use the granted project again. An error will be returned if the user grant is not deactivated.
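The list, deactivate and reactivate loop suggested above, as an added example that is not part of the original thread or ZITADEL's own code. It records which grants were active before the change, so a later restore does not re-enable grants that had been deactivated individually. The endpoint paths, the `projectGrantIdQuery`, `userId` and `state` field names and the `x-zitadel-orgid` header are assumptions to check against the linked Management API pages; the function names are hypothetical.

```python
import json
import urllib.request

# Paths and field names are assumptions based on the Management API v1 pages
# linked in the thread; verify them against your ZITADEL version.
SEARCH = "/management/v1/users/grants/_search"
ACTION = "/management/v1/users/{user_id}/grants/{grant_id}/_{verb}"
ACTIVE = "USER_GRANT_STATE_ACTIVE"


def http_post(base_url, token, org_id):
    """Build a post(path, body) callable for a real instance."""
    def post(path, body):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": "Bearer " + token, "x-zitadel-orgid": org_id,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def list_grants(post, project_grant_id, page_size=100):
    """Page through every user grant attached to one project grant."""
    body = {"query": {"offset": 0, "limit": page_size},
            "queries": [{"projectGrantIdQuery": {"projectGrantId": project_grant_id}}]}
    while True:
        page = post(SEARCH, body).get("result", [])
        yield from page
        if len(page) < page_size:
            return
        body["query"]["offset"] += len(page)


def suspend(post, project_grant_id):
    """Deactivate only grants that are active; return them for a later restore."""
    changed = []
    for g in list(list_grants(post, project_grant_id)):
        if g.get("state") != ACTIVE:
            continue  # already inactive: deactivating again returns an error
        post(ACTION.format(user_id=g["userId"], grant_id=g["id"], verb="deactivate"), {})
        changed.append({"userId": g["userId"], "id": g["id"]})
    return changed


def restore(post, changed):
    """Reactivate exactly the grants that suspend() switched off."""
    for g in changed:
        post(ACTION.format(user_id=g["userId"], grant_id=g["id"], verb="reactivate"), {})
    return len(changed)
```

Persist the list returned by `suspend()` (for example as JSON) and pass it back to `restore()` when access should return.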
vf-tyler (OP), 2d ago
Thanks for looking into this @Rajat