Problem Statement
Users have no visual way to browse organizational teams, understand who holds which permissions, and see what K8s RBAC is actually deployed for their team. Greenhouse Teams with SCIM integration already know their members (via the Team status), and Greenhouse deploys K8s permissions via TeamRoles and TeamRoleBindings — but there is no UI to explore this information.
Related Epics
This Epic is part of a cross-repo initiative to visualize permissions end-to-end:
Context
Greenhouse manages two categories of Teams:
- Organizational Teams — represent real HR/organizational units (teams, departments, support groups). These are the teams users identify with and want to browse.
- Technical Teams — created by automation for internal wiring (e.g., per-AccessLevel teams for TeamRoleBindings). These are not relevant for most users by default.
The UI uses well-known labels to identify organizational teams:
| Label |
Meaning |
greenhouse.sap/org-team |
Organizational team (HR team, department) |
greenhouse.sap/support-group |
Support group (always an organizational profile) |
By default, the view is prefiltered to show only Teams with these labels. Technical teams (without these labels) are hidden by default but can be revealed via a filter toggle (exact UX needs refinement).
Additionally, Greenhouse provides a native way to deploy K8s permissions via TeamRoles and TeamRoleBindings. These resources define what K8s RBAC is deployed to which clusters for which teams. The UI should visualize this deployed state alongside team membership.
There is also a relationship between Permission Manager Profiles and Greenhouse Teams. By linking a Profile to a Team, we can answer "Who holds these permissions?" — since the Team's SCIM integration populates .status.members with the actual team members.
Solution Approach
Extend the Greenhouse organizational UI to:
- List Greenhouse Teams, prefiltered by
greenhouse.sap/org-team and greenhouse.sap/support-group labels by default
- Allow users to remove the filter to see all teams (including technical)
- Show team members from the Team's status (populated via SCIM)
- Show TeamRoles and TeamRoleBindings associated with a team — the actual K8s RBAC deployed
- Link to associated Permission Manager Profiles to show what permissions team members hold
User Stories
US1: Browse Organizational Teams
As a user or manager,
I want to browse organizational teams and support groups in the organizational UI,
So that I can understand the organizational structure and find my team.
Acceptance Criteria (preliminary):
US2: View Team Members
As a user or manager,
I want to see who is a member of a given team,
So that I know who belongs to which organizational unit.
Acceptance Criteria (preliminary):
US3: View Deployed K8s Permissions
As a team member or platform engineer,
I want to see which TeamRoles and TeamRoleBindings are associated with my team,
So that I understand what K8s RBAC is deployed to which clusters for my team.
Acceptance Criteria (preliminary):
US4: View Team Permissions via Permission Manager ("Who holds these permissions?")
As a manager or auditor,
I want to see which Permission Manager Profiles are associated with a Team,
So that I understand what permissions team members hold beyond K8s RBAC.
Acceptance Criteria (preliminary):
Dependencies
- Permission Manager CRDs published in the open source (for the Profile ↔ Team relationship in US4)
Problem Statement
Users have no visual way to browse organizational teams, understand who holds which permissions, and see what K8s RBAC is actually deployed for their team. Greenhouse Teams with SCIM integration already know their members (via the Team status), and Greenhouse deploys K8s permissions via TeamRoles and TeamRoleBindings — but there is no UI to explore this information.
Related Epics
This Epic is part of a cross-repo initiative to visualize permissions end-to-end:
Context
Greenhouse manages two categories of Teams:
The UI uses well-known labels to identify organizational teams:
greenhouse.sap/org-teamgreenhouse.sap/support-groupBy default, the view is prefiltered to show only Teams with these labels. Technical teams (without these labels) are hidden by default but can be revealed via a filter toggle (exact UX needs refinement).
Additionally, Greenhouse provides a native way to deploy K8s permissions via TeamRoles and TeamRoleBindings. These resources define what K8s RBAC is deployed to which clusters for which teams. The UI should visualize this deployed state alongside team membership.
There is also a relationship between Permission Manager Profiles and Greenhouse Teams. By linking a Profile to a Team, we can answer "Who holds these permissions?" — since the Team's SCIM integration populates
.status.memberswith the actual team members.Solution Approach
Extend the Greenhouse organizational UI to:
greenhouse.sap/org-teamandgreenhouse.sap/support-grouplabels by defaultUser Stories
US1: Browse Organizational Teams
As a user or manager,
I want to browse organizational teams and support groups in the organizational UI,
So that I can understand the organizational structure and find my team.
Acceptance Criteria (preliminary):
greenhouse.sap/org-teamorgreenhouse.sap/support-groupUS2: View Team Members
As a user or manager,
I want to see who is a member of a given team,
So that I know who belongs to which organizational unit.
Acceptance Criteria (preliminary):
.status.members(SCIM-populated)US3: View Deployed K8s Permissions
As a team member or platform engineer,
I want to see which TeamRoles and TeamRoleBindings are associated with my team,
So that I understand what K8s RBAC is deployed to which clusters for my team.
Acceptance Criteria (preliminary):
US4: View Team Permissions via Permission Manager ("Who holds these permissions?")
As a manager or auditor,
I want to see which Permission Manager Profiles are associated with a Team,
So that I understand what permissions team members hold beyond K8s RBAC.
Acceptance Criteria (preliminary):
Dependencies