working on some code

backend/internal/common/database/migrations/008_add_user_groups.sql

@@ -0,0 +1,45 @@
+-- Add user groups feature
+-- Groups table
+CREATE TABLE IF NOT EXISTS groups (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    name VARCHAR(255) NOT NULL UNIQUE,
+    description TEXT,
+    is_system BOOLEAN NOT NULL DEFAULT false,
+    created_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMP NOT NULL DEFAULT NOW()
+);
+
+-- User groups junction table
+CREATE TABLE IF NOT EXISTS user_groups (
+    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    group_id UUID NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    assigned_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    assigned_by UUID REFERENCES users(id),
+    PRIMARY KEY (user_id, group_id)
+);
+
+-- Group roles junction table (groups can have roles)
+CREATE TABLE IF NOT EXISTS group_roles (
+    group_id UUID NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    role_id UUID NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+    granted_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (group_id, role_id)
+);
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_groups_name ON groups(name);
+CREATE INDEX IF NOT EXISTS idx_user_groups_user_id ON user_groups(user_id);
+CREATE INDEX IF NOT EXISTS idx_user_groups_group_id ON user_groups(group_id);
+CREATE INDEX IF NOT EXISTS idx_group_roles_group_id ON group_roles(group_id);
+CREATE INDEX IF NOT EXISTS idx_group_roles_role_id ON group_roles(role_id);
+
+-- Insert default system groups
+INSERT INTO groups (name, description, is_system) VALUES
+    ('wheel', 'System administrators group', true),
+    ('operators', 'System operators group', true),
+    ('backup', 'Backup operators group', true),
+    ('auditors', 'Auditors group', true),
+    ('storage_admins', 'Storage administrators group', true),
+    ('services', 'Service accounts group', true)
+ON CONFLICT (name) DO NOTHING;
+

backend/internal/common/router/router.go

@@ -258,16 +258,32 @@ func NewRouter(cfg *config.Config, db *database.DB, log *logger.Logger) *gin.Eng
 				systemGroup.GET("/interfaces", systemHandler.ListNetworkInterfaces)
 			}
 
-			// IAM (admin only)
+			// IAM routes - GetUser can be accessed by user viewing own profile or admin
 			iamHandler := iam.NewHandler(db, cfg, log)
+			protected.GET("/iam/users/:id", iamHandler.GetUser)
+
+			// IAM admin routes
 			iamGroup := protected.Group("/iam")
 			iamGroup.Use(requireRole("admin"))
 			{
 				iamGroup.GET("/users", iamHandler.ListUsers)
-				iamGroup.GET("/users/:id", iamHandler.GetUser)
 				iamGroup.POST("/users", iamHandler.CreateUser)
 				iamGroup.PUT("/users/:id", iamHandler.UpdateUser)
 				iamGroup.DELETE("/users/:id", iamHandler.DeleteUser)
+				iamGroup.GET("/roles", iamHandler.ListRoles)
+				iamGroup.POST("/users/:id/roles", iamHandler.AssignRoleToUser)
+				iamGroup.DELETE("/users/:id/roles", iamHandler.RemoveRoleFromUser)
+				iamGroup.POST("/users/:id/groups", iamHandler.AssignGroupToUser)
+				iamGroup.DELETE("/users/:id/groups", iamHandler.RemoveGroupFromUser)
+
+				// Groups routes
+				iamGroup.GET("/groups", iamHandler.ListGroups)
+				iamGroup.GET("/groups/:id", iamHandler.GetGroup)
+				iamGroup.POST("/groups", iamHandler.CreateGroup)
+				iamGroup.PUT("/groups/:id", iamHandler.UpdateGroup)
+				iamGroup.DELETE("/groups/:id", iamHandler.DeleteGroup)
+				iamGroup.POST("/groups/:id/users", iamHandler.AddUserToGroup)
+				iamGroup.DELETE("/groups/:id/users/:user_id", iamHandler.RemoveUserFromGroup)
 			}
 
 			// Monitoring