
SCIM: fix the member types for /Roles #2051

Merged
paulfitz merged 1 commit into gristlabs:main from betagouv:fix-scim-get-groups
Jan 21, 2026

@fflorent
Collaborator

Context

Quoting #1989:

When querying the GET /api/scim/v2/Roles endpoint, we see members of the Roles.

When a role is inherited (for example the roles of a doc inside a workspace), we expect the members of the Role of the document to include Roles of the workspace.

But we see Groups. For example:

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:Grist:1.0:Role"
      ],
      "id": "2300",
      "meta": {
        "resourceType": "Role",
        "location": "/api/scim/v2/Roles/2300"
      },
      "displayName": "viewers",
      "members": [
        {
          "value": "336",
          "display": "viewers",
          "$ref": "/api/scim/v2/Groups/336",
          "type": "Group"
        }
      ]
    }

Proposed solution

Also the schema of the Role's "members" attribute had to be updated, as it accepts members that are Users, Groups but also other Roles.

Roles can contain other Roles as members through inheritance, for example when a doc inherits all the roles from its workspace: then the owners Role of the doc contains the "owners" Role of the workspace.

Related issues

Fixes #1989

Has this been tested?

  • 👍 yes, I added tests to the test suite
  • 💭 no, because this PR is a draft and still needs work
  • 🙅 no, because this is not relevant here
  • 🙋 no, because I need help
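
A consumer-side check for the mismatch described above, as an added example that is not part of this PR or of Grist's code: it flags Role members whose `type` disagrees with their `$ref`, or whose id is itself a listed Role. The `/Roles/<id>` reference form for the corrected output and the rule that Role and Group ids do not collide are assumptions.

```typescript
// Added example (not Grist code): audit SCIM Role members for type/$ref mismatches.
interface ScimMember { value: string; display?: string; $ref?: string; type?: string; }
interface ScimRole { id: string; displayName?: string; members?: ScimMember[]; }
interface Finding { roleId: string; memberId: string; problem: string; }

// Assumption: members are served under /api/scim/v2/<Users|Groups|Roles>/<id>,
// as the "location" and "$ref" values in the PR description suggest.
const REF_RE = /\/api\/scim\/v2\/(Users|Groups|Roles)\/([^\/?#]+)$/;
const SEGMENT = new Map<string, string>([["User", "Users"], ["Group", "Groups"], ["Role", "Roles"]]);

function auditRoleMembers(roles: ScimRole[]): Finding[] {
  // Assumption: Role and Group ids do not collide, so a "Group" member whose
  // id appears in the /Roles listing is really a mislabelled Role.
  const roleIds = new Set(roles.map((r) => r.id));
  const findings: Finding[] = [];
  for (const role of roles) {
    for (const m of role.members ?? []) {
      const add = (problem: string) =>
        findings.push({ roleId: role.id, memberId: m.value, problem });
      const segment = SEGMENT.get(m.type ?? "");
      if (!segment) { add(`unknown member type ${JSON.stringify(m.type)}`); continue; }
      const match = REF_RE.exec(m.$ref ?? "");
      if (!match) { add("missing or unparseable $ref"); continue; }
      if (match[1] !== segment) { add(`type ${m.type} but $ref points at ${match[1]}`); }
      if (match[2] !== m.value) { add(`value ${m.value} but $ref id is ${match[2]}`); }
      if (m.type === "Group" && roleIds.has(m.value)) {
        add("labelled Group but id is a listed Role");
      }
    }
  }
  return findings;
}

// Constructed sample: role 2300 and its member come from the PR description;
// role 336 and user 12 are made up for the example.
const wsViewers: ScimRole = { id: "336", displayName: "viewers", members: [
  { value: "12", display: "Ada", $ref: "/api/scim/v2/Users/12", type: "User" }] };
const buggyListing: ScimRole[] = [wsViewers, { id: "2300", displayName: "viewers", members: [
  { value: "336", display: "viewers", $ref: "/api/scim/v2/Groups/336", type: "Group" }] }];
// Assumed corrected form: the inherited member is typed Role and referenced under /Roles.
const fixedListing: ScimRole[] = [wsViewers, { id: "2300", displayName: "viewers", members: [
  { value: "336", display: "viewers", $ref: "/api/scim/v2/Roles/336", type: "Role" }] }];

console.log(auditRoleMembers(buggyListing));
console.log(auditRoleMembers(fixedListing));
```

Run against a full `GET /api/scim/v2/Roles` listing, an empty result means every member's declared type, reference path and id agree.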

Contributor

Copilot AI left a comment

Pull request overview

This pull request fixes an issue where Role members in the SCIM API were being reported with incorrect types. When querying /api/scim/v2/Roles, Role members that were other Roles were being reported as type "Group" instead of type "Role".

Changes:

  • Updated the Role schema to accept "Role" as a valid member reference type and canonical value
  • Modified the member serialization logic to correctly distinguish between Group-type and Role-type members
  • Added comprehensive tests to verify Roles can contain User, Group, and Role members with correct types

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| app/server/lib/scim/v2/ScimUtils.ts | Added SCIMMY_ROLE_TYPE constant and updated toSCIMMYMembers to filter and serialize Role-type members with correct type and reference paths |
| app/server/lib/scim/v2/roles/SCIMMYRoleSchema.ts | Updated Role schema definition to support Role members, with "Role" added to referenceTypes and canonicalValues, and improved description |
| test/server/lib/Scim.ts | Added test verifying that Roles can contain Group and Role members, with correct type identification and reference URIs in API responses |


Collaborator

@hexaltation hexaltation left a comment

LGTM

@fflorent fflorent moved this from Needs Internal Feedback to Needs feedback in French administration Board Jan 14, 2026
@fflorent fflorent force-pushed the fix-scim-get-groups branch from 24eda39 to 8e39f82 Compare January 14, 2026 09:59
@fflorent fflorent force-pushed the fix-scim-get-groups branch from 8e39f82 to 91e97c2 Compare January 15, 2026 19:28
@fflorent fflorent requested a review from paulfitz January 15, 2026 19:28
Also the schema of the Role's "members" attribute had to be
updated, as it accepts members that are Users, Groups but also
other Roles.

Roles can contain other Roles as members through inheritance, for example
when a doc inherits all the roles from its workspace: then the owners
Role of the doc contains the "owners" Role of the workspace.
@fflorent fflorent force-pushed the fix-scim-get-groups branch from 91e97c2 to 8e70514 Compare January 21, 2026 16:11
@fflorent
Collaborator Author

The error looks related to this fix:
https://github.com/gristlabs/grist-help/pull/593/files

Member

@paulfitz paulfitz left a comment

Thanks @fflorent

@paulfitz paulfitz merged commit f16dc31 into gristlabs:main Jan 21, 2026
14 of 15 checks passed
@github-project-automation github-project-automation bot moved this from Needs feedback to Done in French administration Board Jan 21, 2026

Development

Successfully merging this pull request may close these issues.

SCIM: Confusion of member types in GET /Roles endpoints
