Restricted admins unable to see Assign Global Roles button in Users & Authentication -> Groups

[gaktive]

Internal reference: SURE-3819

Issue description:

When logged in as a user with restricted administrator role, the "Assign Global Roles" button is missing from the UI. Customer is seeing this when Azure AD is enabled. Can also reproduce on an environment with GitHub authentication enabled. According to docs at [https://rancher.com/docs/rancher/v2.6/en/admin-settings/rbac/global-permissions/#restricted-admin] the restricted admin should have this permission:
Assign Global role to groups with settings Yes/No/Yes/As Allowed by the Webhook

Business impact:

Customers using Hosted Rancher (which use Restricted Administrator users) cannot use the functionality to assign a global role to an auth provider group.

Troubleshooting steps:

On support.rancher.cloud, logged in as a GitHub user with Administrator role) and compare with a GitHub user with Restricted Administator role. The restricted admin user did not have the Assign Global Roles button.

Repro steps:

• Install Rancher with restricted admin helm chart option turned on.
• Enable auth provider such as Azure AD or GitHub
• Navigate to Users & Authentication -> Group

Workaround:
Is workaround available and implemented? no

Actual behavior:
Restricted admin users cannot assign global roles.

Expected behavior:
Restricted admin users can assign global roles (as stated in https://rancher.com/docs/rancher/v2.6/en/admin-settings/rbac/global-permissions/#restricted-admin)

From the Ember UI, as a (restricted admin) if they navigate to /g/security/accounts/groups they can see the button and create a group assignment. So appears to be a "new UI" issue.

[ronhorton]

Thus far, I've tested this with a restricted admin local user and verified I see the assignment button. I don't, however, have a restricted admin I can use with Azure AD. checking with @richard-cox regarding further testing - need a restricted admin azure ad user or an alternative.

[dnoland1]

FYI - I'm able to reproduce using GItHub auth, so you might give that a try since it might be easier to configure than Azure AD.

[richard-cox]

@ronhorton I think you've identified a separate issue. The feature is only applicable when a non-local auth provider is configured (the local auth provider i don't think will ever return groups to assign to). I'll create something in GH to track this. In terms of testing, as per David's suggestion, using the Github Auth provider would work. That should ensure no groups are returned in the request to /v3/principals and the new way of showing the button works correctly.

Update - The other issue is tracked in #4897

[ronhorton]

PASS Verified in 2.6-head Commit ID cd3c9d7

1. added AzureAD as auth provider
2. added a second user from AzureAD
3. edited the config on that user to 'restricted admin'
4. Navigated to Users & Authentication > Groups
5. Confirmed Assign Global Rules button present