In order to perform migration[1] for groups from inventory service(HBI) to workspace to RBAC service, inventory service needs service to service authentication to run this migration in jobs.

Migration includes workspace creation in RBAC service for each inventory group. This will be done by calling RBAC v2 workspace endpoint with service to service authentication which includes org id.

Posible solutions:

1. PSK [seems like this is the best option based on risk/changes to support spoofed identity, given that we already support this. it should just require a new PSK/client for HBI and confirming workspace API support]

RBAC currently support service to service authentication with PSK, with possibility to pass  
org id with by RH_RBAC_ORG_ID.
This would need to share PSK with inventory service.
 
2. Spoofing identity header

This option requires to build identity header[2] by inventory service at its minimal form.

This ticket needs decision which option will be used,  testing selected option in local and ephemeral environment for workspace creation and provide particular documentation or example of usage to HBI team.

Also there is possibility that some changes will be required in RBAC service to allow use any of option.

Question: 

Type of workspace which are being to created in migration is standard type ? [yes, standard] How inventory service will populate parent of this workspace ? [these should always be tied to the default since no hierarchy exists today, and HBI can call the workspace endpoint to get the default, per org, and supply that in the POST request (nothing needed from RBAC)] Possible solution is to add way how to automatically determine parent (default) workspace from org_id. [should be able to get this already, by org]

[1] https://docs.google.com/document/d/1hbQ3N0JN_rC2zXJJx5QJOod9q1M52FRnVED9uoN-g8Q/edit?tab=t.0#bookmark=id.s6gsfybbt6au

[2] https://github.com/RedHatInsights/identity-schemas