- Story
- Resolution: Unresolved
- Normal
- Quality / Stability / Reliability
Access for new users in an existing org relies on UMB only, because their Tenant already exists. We may want to check that if the user does not have a user_id, we update the user using the bootstrap service.
Scenario:
Given a new organization that has already been bootstrapped (because the original admin user already visited console, or because their UMB message has already been processed)
And a second user joins the same organization (through administrative action or through auto-user registration)
When they go to use a service protected by Kessel
Then they should have default access.
Currently they may not, if the UMB message has not yet been processed, and in some cases (if the user is not "full") they may never get it.
Note: We can't necessarily guarantee that there'll be some interaction with the RBAC control plane before a user uses some other service. So the proposed "fix" above is not a guarantee unless all services protected by Kessel share a common API gateway, which may not be the case.
Note: This is another, potentially related scenario, which may warrant a separate issue. If the org type is not yet known, no UMB events are sent out, so the user in RBAC will be out of sync with IT; see [discussion|slack]. This is maybe more relevant to the lazy-initialization architecture in general, since if any user in the org visits console, their org type will be upgraded as part of the login process. The original scenario above is for users who do have an org type.
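The scenario and the first note can be made concrete with a small model, added here as an illustration and not taken from the RBAC, Kessel or UMB code. The `BootstrapService`, `process_umb_message` and `has_default_access` functions, the `full` flag and the constructed `uid-*` identifiers are all assumptions of the model: it shows a second user without a `user_id` having no default access until the UMB message lands, the proposed on-access bootstrap closing that gap for requests that pass through the RBAC control plane, and the caveat that a request reaching a Kessel-protected service by another path never triggers the fix.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Tenant:
    org_id: str
    bootstrapped: bool = False
    default_members: Set[str] = field(default_factory=set)  # user_ids in the default group


@dataclass
class User:
    username: str
    org_id: str
    user_id: Optional[str] = None  # None until a UMB message or the bootstrap service sets it
    full: bool = True              # assumption: only "full" users ever get a UMB message


class BootstrapService:
    """Hypothetical stand-in for the RBAC bootstrap service (not the real one)."""

    def __init__(self) -> None:
        self.tenants: Dict[str, Tenant] = {}
        self._next_id = 1

    def bootstrap_tenant(self, org_id: str) -> Tenant:
        tenant = self.tenants.setdefault(org_id, Tenant(org_id))
        tenant.bootstrapped = True
        return tenant

    def bootstrap_user(self, user: User) -> None:
        # Idempotent: make sure the tenant exists, give the user an id, add it to the default group.
        tenant = self.bootstrap_tenant(user.org_id)
        if user.user_id is None:
            user.user_id = f"uid-{self._next_id}"  # constructed id; the real one would come from IT
            self._next_id += 1
        tenant.default_members.add(user.user_id)


def process_umb_message(svc: BootstrapService, user: User, user_id: str) -> bool:
    """Models the asynchronous UMB path. Non-full users produce no message, so nothing happens."""
    if not user.full:
        return False
    if user.user_id is None:
        user.user_id = user_id
    svc.bootstrap_user(user)
    return True


def has_default_access(svc: BootstrapService, user: User, via_control_plane: bool) -> bool:
    """Kessel-style default-access check.

    via_control_plane=True models a request that passes the RBAC control plane, where the
    proposed fix (bootstrap any user that still lacks a user_id) can run before the check.
    via_control_plane=False models a service reached by some other path: no fix runs.
    """
    if via_control_plane and user.user_id is None:
        svc.bootstrap_user(user)
    tenant = svc.tenants.get(user.org_id)
    return (tenant is not None and tenant.bootstrapped
            and user.user_id is not None and user.user_id in tenant.default_members)


def run_scenario() -> Dict[str, bool]:
    """Walks the issue's scenario and returns the access outcome of each step."""
    svc = BootstrapService()
    admin = User("admin", "org-1")
    process_umb_message(svc, admin, "uid-admin")  # org bootstrapped via the admin's UMB message

    second = User("second", "org-1")              # joins later; UMB message not processed yet
    results = {"admin": has_default_access(svc, admin, via_control_plane=False)}
    results["second_before_umb"] = has_default_access(svc, second, via_control_plane=False)
    results["second_via_control_plane"] = has_default_access(svc, second, via_control_plane=True)

    third = User("third", "org-1", full=False)    # not "full": the UMB message never comes
    process_umb_message(svc, third, "uid-third")
    results["non_full_bypassing_rbac"] = has_default_access(svc, third, via_control_plane=False)
    results["non_full_via_control_plane"] = has_default_access(svc, third, via_control_plane=True)
    return results


if __name__ == "__main__":
    for step, granted in run_scenario().items():
        print(f"{step}: {'access' if granted else 'NO access'}")
```

The `second_before_umb` and `non_full_bypassing_rbac` outcomes are the two failure modes the issue describes; the `via_control_plane` outcomes are what the proposed check buys, and only on paths that actually traverse RBAC.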