feat: expose apis for org management

[loadez]

📝 Description

✅ Checklist

• I have tested this change
• This change requires documentation update

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4207363bfa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate project role changes with project permission

Project-scoped role assignment is currently guarded by authorize_manage_people (organization.people.manage), but the RBAC gRPC server authorizes project role changes with project.access.manage when project_id is present (checked ee/rbac/lib/rbac/grpc_servers/rbac_server.ex, @manage_project_roles). This means users who are allowed to manage project access but not org people will be incorrectly blocked at the HTTP layer, while users with org-people manage but no project-access manage will hit backend denial and get a generic failure path.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Align groups-manage check with backend authorization

The API layer requires organization.groups.manage, but the groups gRPC server authorizes mutating calls with organization.people.manage (checked ee/rbac/lib/rbac/grpc_servers/groups_server.ex, @manage_groups_permission). That mismatch creates inconsistent behavior: a caller with only groups-manage can pass this plug and then fail downstream, while a caller with only people-manage is blocked here even though backend would permit the operation.

Useful? React with 👍 / 👎.