initial changes to show elevated roles

Author: ashleysmithTTD

src/api/routers/managementRouter.ts

@@ -1,8 +1,10 @@
 import express, { Response } from 'express';
 import { z } from 'zod';
 
+import { getKcAdminClient } from '../keycloakAdminClient';
 import { isSuperUserCheck } from '../middleware/userRoleMiddleware';
 import { GetUserAuditTrail } from '../services/auditTrailService';
+import { getElevatedRoleByEmail } from '../services/kcUsersService';
 import { getAllUsersList, getUserById, updateUserLock } from '../services/managementService';
 import { getUserParticipants, ParticipantRequest } from '../services/participantsService';
 
@@ -20,7 +22,22 @@ const handleGetUserAuditTrail = async (req: ParticipantRequest, res: Response) =
 const handleGetUserParticipants = async (req: ParticipantRequest, res: Response) => {
   const { userId } = z.object({ userId: z.coerce.number() }).parse(req.params);
   const participants = await getUserParticipants(userId);
-  return res.status(200).json(participants ?? []);
+  const list = participants ?? [];
+
+  let elevatedRole: 'SuperUser' | 'UID2 Support' | null = null;
+  if (list.length === 0) {
+    const user = await getUserById(userId);
+    if (user?.email) {
+      try {
+        const kcAdminClient = await getKcAdminClient();
+        elevatedRole = await getElevatedRoleByEmail(kcAdminClient, user.email);
+      } catch {
+        // Keycloak unavailable or user not found; keep elevatedRole null
+      }
+    }
+  }
+
+  return res.status(200).json({ participants: list, elevatedRole });
 };
 
 const handleChangeUserLock = async (req: ParticipantRequest, res: Response) => {

src/api/services/kcUsersService.ts

@@ -6,6 +6,42 @@ import { SSP_KK_API_CLIENT_ID, SSP_KK_SSL_RESOURCE, SSP_WEB_BASE_URL } from '../
 
 export const API_PARTICIPANT_MEMBER_ROLE_NAME = 'api-participant-member';
 
+// Same group names as userRoleMiddleware (from JWT payload / Keycloak attributes.groups)
+const developerElevatedRole = 'developer-elevated';
+const developerRole = 'developer';
+const uid2SupportRole = 'prod-uid2.0-support';
+
+export type ElevatedRole = 'SuperUser' | 'UID2 Support';
+
+/**
+ * Resolves elevated role from Keycloak user attributes (key "groups"), not realm Groups.
+ * Used when the viewed user has no portal participants but may have SuperUser/UID2 Support in IdP.
+ */
+export const getElevatedRoleByEmail = async (
+  kcAdminClient: KeycloakAdminClient,
+  email: string
+): Promise<ElevatedRole | null> => {
+  const users = await queryKeycloakUsersByEmail(kcAdminClient, email);
+  if (!users.length) return null;
+
+  const attrs = users[0].attributes;
+  const groupsRaw = attrs?.groups;
+  const groups: string[] = Array.isArray(groupsRaw)
+    ? groupsRaw
+    : typeof groupsRaw === 'string'
+      ? [groupsRaw]
+      : [];
+
+  if (groups.includes(developerElevatedRole)) return 'SuperUser';
+  if (
+    groups.includes(developerRole) ||
+    groups.includes(uid2SupportRole)
+  ) {
+    return 'UID2 Support';
+  }
+  return null;
+};
+
 export const queryKeycloakUsersByEmail = async (
   kcAdminClient: KeycloakAdminClient,
   email: string

src/web/components/UserManagement/UserPartcipantsTable.tsx

@@ -1,6 +1,7 @@
 import { ParticipantDTO } from '../../../api/entities/Participant';
 import { UserDTO } from '../../../api/entities/User';
 import { UserRoleId } from '../../../api/entities/UserRole';
+import { ElevatedRole } from '../../services/participant';
 import { SortableProvider } from '../../contexts/SortableTableProvider';
 import { TableNoDataPlaceholder } from '../Core/Tables/TableNoDataPlaceholder';
 
@@ -20,12 +21,27 @@ function UserParticipantRow({ participantName, roleName }: UserParticipantRowPro
   );
 }
 
-type UserParticipantsTableProps = Readonly<{
+export type UserParticipantsTableProps = Readonly<{
   user: UserDTO;
   userParticipants: ParticipantDTO[];
+  elevatedRole?: ElevatedRole | null;
 }>;
 
-function UserParticipantsTableComponent({ user, userParticipants }: UserParticipantsTableProps) {
+function getEmptyParticipantsMessage(elevatedRole: ElevatedRole | null | undefined): string {
+  if (elevatedRole === 'SuperUser') {
+    return 'This user has SuperUser role and has access to all participants.';
+  }
+  if (elevatedRole === 'UID2 Support') {
+    return 'This user has UID2 Support role and has access to all participants.';
+  }
+  return 'This user does not belong to any participant.';
+}
+
+function UserParticipantsTableComponent({
+  user,
+  userParticipants,
+  elevatedRole,
+}: UserParticipantsTableProps) {
   return (
     <div className='users-participants-table-container'>
       <table className='users-participants-table'>
@@ -52,7 +68,7 @@ function UserParticipantsTableComponent({ user, userParticipants }: UserParticip
           icon={<img src='/document.svg' alt='email-icon' />}
           title='No Participants'
         >
-          <span>This user does not belong to any participant.</span>
+          <span>{getEmptyParticipantsMessage(elevatedRole)}</span>
         </TableNoDataPlaceholder>
       )}
     </div>

src/web/components/UserManagement/UserParticipantsDialog.tsx

@@ -2,7 +2,7 @@ import { useEffect, useState } from 'react';
 
 import { ParticipantDTO } from '../../../api/entities/Participant';
 import { UserDTO } from '../../../api/entities/User';
-import { GetUserParticipants } from '../../services/participant';
+import { ElevatedRole, GetUserParticipants } from '../../services/participant';
 import { Dialog } from '../Core/Dialog/Dialog';
 import { Loading } from '../Core/Loading/Loading';
 import UserParticipantsTable from './UserPartcipantsTable';
@@ -14,12 +14,14 @@ type UserParticipantsDialogProps = Readonly<{
 
 function UserParticipantsDialog({ user, onOpenChange }: UserParticipantsDialogProps) {
   const [userParticipants, setUserParticipants] = useState<ParticipantDTO[]>();
+  const [elevatedRole, setElevatedRole] = useState<ElevatedRole | null>(null);
   const [isLoading, setIsLoading] = useState<boolean>(true);
 
   useEffect(() => {
     const getParticipants = async () => {
-      const participants = await GetUserParticipants(user.id);
+      const { participants, elevatedRole: role } = await GetUserParticipants(user.id);
       setUserParticipants(participants);
+      setElevatedRole(role);
       setIsLoading(false);
     };
     getParticipants();
@@ -35,7 +37,11 @@ function UserParticipantsDialog({ user, onOpenChange }: UserParticipantsDialogPr
         <Loading message='Loading participants...' />
       ) : (
         <div>
-          <UserParticipantsTable user={user} userParticipants={userParticipants ?? []} />
+          <UserParticipantsTable
+            user={user}
+            userParticipants={userParticipants ?? []}
+            elevatedRole={elevatedRole}
+          />
         </div>
       )}
     </Dialog>

src/web/services/participant.ts

@@ -44,9 +44,16 @@ export async function GetAllParticipants() {
   }
 }
 
-export async function GetUserParticipants(userId: number) {
+export type ElevatedRole = 'SuperUser' | 'UID2 Support';
+
+export type GetUserParticipantsResponse = {
+  participants: ParticipantDTO[];
+  elevatedRole: ElevatedRole | null;
+};
+
+export async function GetUserParticipants(userId: number): Promise<GetUserParticipantsResponse> {
   try {
-    const result = await axios.get<ParticipantDTO[]>(`/manage/${userId}/participants`, {
+    const result = await axios.get<GetUserParticipantsResponse>(`/manage/${userId}/participants`, {
       validateStatus: (status) => status === 200,
     });
     return result.data;