new features

backend/src/services/permission.service.ts

@@ -390,6 +390,31 @@ class PermissionService {
     ]);
     return { groupHierarchy, permissionDeps };
   }
+
+  /**
+   * Returns users whose Authentik groups grant a specific permission,
+   * or who are dashboard_admin (always have all permissions).
+   */
+  async getUsersWithPermission(permissionId: string): Promise<Array<{ id: string; name: string }>> {
+    // Find all groups that have this permission
+    const groupsWithPerm: string[] = [];
+    for (const [group, perms] of this.groupPermissions.entries()) {
+      if (perms.has(permissionId)) {
+        groupsWithPerm.push(group);
+      }
+    }
+    // Always include dashboard_admin
+    groupsWithPerm.push('dashboard_admin');
+
+    const result = await pool.query(
+      `SELECT DISTINCT u.id, COALESCE(u.name, u.email) AS name
+       FROM users u
+       WHERE u.authentik_groups && $1::text[]
+       ORDER BY name ASC`,
+      [groupsWithPerm]
+    );
+    return result.rows;
+  }
 }
 
 export const permissionService = new PermissionService();