Technical Advisory 10007
Date and Version​
Version: Upcoming
Date: Upcoming
Affected Users​
This advisory applies to self-hosted ZITADEL installations with custom roles to permissions mappings in the InternalAuthZ.RolePermissionMappings configuration section.
Description​
In upcoming ZITADEL versions, RBAC also applies to system users defined in the ZITADEL runtime configuration. This enables fine grained access control to the system API as well as other APIs for system users. ZITADEL defines the new default roles SYSTEM_OWNER and SYSTEM_OWNER_VIEWER. System users without any memberships defined in the configuration will be assigned the SYSTEM_OWNER role. Self-hosting users who define their own custom mapping at the InternalAuthZ.RolePermissionMappings configuration section, have to define the SYSTEM_OWNER role in their configuration too to be able to access the system API with the default system user membership.
Statement​
This change is tracked in the following PR: feat: add SYSTEM_OWNER role. As soon as the release version is published, we will include the version here.
Mitigation​
If you have a custom role mapping configured, make sure you configure the new role SYSTEM_OWNER before migrating to upcoming ZITADEL versions. As a reference, these are the default mappings:
InternalAuthZ:
RolePermissionMappings:
- Role: "SYSTEM_OWNER"
Permissions:
- "system.instance.read"
- "system.instance.write"
- "system.instance.delete"
- "system.domain.read"
- "system.domain.write"
- "system.domain.delete"
- "system.debug.read"
- "system.debug.write"
- "system.debug.delete"
- "system.feature.write"
- "system.limits.write"
- "system.limits.delete"
- "system.quota.write"
- "system.quota.delete"
- "system.iam.member.read"
- Role: "SYSTEM_OWNER_VIEWER"
Permissions:
- "system.instance.read"
- "system.domain.read"
- "system.debug.read"
...
Impact​
If the system users don't have the correct memberships and roles which resolve to permissions, the system users lose access to the system API.