  1. Hybrid Cloud Console
  2. RHCLOUD-30299

RBAC: Add API to return if service accounts are in group

    • Access & Management Sprint 80, Access & Management Sprint 81, Access & Management Sprint 82, Access & Management Sprint 83

      Problem: The UI needs a way to disable service accounts that are already assigned to a specific RBAC group when adding service accounts to the group. Currently, when a new SA needs to be added to a group, the IT service accounts API is used to fetch all existing service accounts for the modal. What we need from the RBAC API is a way of flagging data coming from that endpoint as already assigned to a given group or not assigned yet.

      Note: We want to avoid using RBAC as a proxy to pull all SAs, so that we don’t break REST principles.

      • We currently have the API
        /groups/{uuid}/principals/?type=service-account

         which allows us to return all service accounts that belong to the specific group. However, what we need is a way to return all service accounts that DO NOT belong to the group.

      • We should implement a new query parameter that takes one or more service account client IDs
        /groups/{uuid}/principals/?service_account_client_id=ID&service_account_client_id=ID

         and returns a response that makes it clear whether each service account's client ID is in that specific group or not.

        • We already have the principal_username query parameter.
        • The frontend uses a similar API for inventory systems
          /api/inventory/v1/hosts/a6da46d0-92b9-4307-99dc-7ae8583a183c,8e9899a2-c8d0-4712-99d3-11704303384b,bf7cfbbd-9cdd-4f9b-919b-84970ec05275?per_page=50&page=1

          so let's consider separating the IDs by commas ^

      Acceptance criteria

      The way to test this would be:

      1. Create three service accounts.
      2. Add two of them to an RBAC group.
      3. Send a "GET /groups/{uuid}/principals/?service_account_client_ids=<cid_A>,<cid_B>" request.
      4. Assert that two of the service accounts are flagged as present in the returned payload.
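
A sketch of the membership check and acceptance test described above, as an added example that is not the RBAC project's own code: it parses the comma-separated `service_account_client_ids` parameter, rejects malformed input, and flags each requested client ID as in the group or not. The UUID format for client IDs, the cap of 50 IDs, the response shape (client ID mapped to a boolean) and all sample IDs are assumptions constructed for illustration.

```python
import uuid
from urllib.parse import parse_qs, urlsplit

PARAM = "service_account_client_ids"
MAX_CLIENT_IDS = 50  # assumed cap so one request cannot probe unbounded IDs

# Constructed sample data: three service accounts, two of them in the group.
GROUP_UUID = "00000000-0000-4000-8000-000000000001"
CID_A = "11111111-1111-4111-8111-111111111111"
CID_B = "22222222-2222-4222-8222-222222222222"
CID_C = "33333333-3333-4333-8333-333333333333"
GROUP_MEMBERS = {CID_A, CID_B}


class InvalidClientIds(ValueError):
    """The query parameter is missing, repeated, or malformed."""


def parse_client_ids(url):
    """Return the validated, de-duplicated client IDs from a request URL."""
    values = parse_qs(urlsplit(url).query).get(PARAM, [])
    if len(values) != 1:
        raise InvalidClientIds(f"{PARAM} must be given exactly once")
    ids = []
    for raw in values[0].split(","):
        try:
            # Assumption: client IDs are UUIDs; normalise to canonical form.
            cid = str(uuid.UUID(raw.strip()))
        except ValueError:
            raise InvalidClientIds(f"not a valid client ID: {raw!r}") from None
        if cid not in ids:
            ids.append(cid)
    if len(ids) > MAX_CLIENT_IDS:
        raise InvalidClientIds(f"at most {MAX_CLIENT_IDS} client IDs allowed")
    return ids


def membership_flags(group_member_ids, requested_ids):
    """Map each requested client ID to True if it is in the group."""
    members = {str(uuid.UUID(m)) for m in group_member_ids}
    # Only the IDs the caller supplied are answered; nothing else is listed,
    # so RBAC does not become a proxy for pulling all service accounts.
    return {cid: cid in members for cid in requested_ids}


if __name__ == "__main__":
    url = f"/groups/{GROUP_UUID}/principals/?{PARAM}={CID_A},{CID_B},{CID_C}"
    print(membership_flags(GROUP_MEMBERS, parse_client_ids(url)))
```
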

              mbarcina@redhat.com Mikel Alejo Barcina Ribera
              abaiken Ashley Morgan