Allow LDAP role override for inherited members
In #299179 (closed) we fixed the UI because it was not possible to set a role override for an LDAP member that was inherited. This is because no member record exists in the group where the override was intended to be set; the record only exists in the ancestor group the membership is inherited from.
Some customers would still like the ability to set role overrides for inherited LDAP members.
Possible solution
Copy the member record from the ancestor to the group where the override is being set. Then the override can be properly attributed to the member for that group.
We will need to see if this is possible with database constraints (I think it is), and LDAP Group Sync will also need to be updated to handle the case. There are two considerations:
- Sync should not remove the overridden member since they won't match any Group Links at the lower level. As long as they are valid in the ancestor group, it's OK to leave them.
- When the Sync indicates the user should be removed from the ancestor we will have to re-check the lower level member to see if they should also be removed. They will no longer be 'protected' by the ancestor.
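The following is an added illustration of the proposed solution and the two sync considerations above. It is not GitLab's code or schema: the `Group`/`Member` structures, the `group_links` shape (`{ cn:, access_level: }`), the `ldap_groups` hash standing in for the directory, and the function names are all assumptions made for this example. The only thing taken from GitLab is the numeric access levels (Developer 30, Maintainer 40, Owner 50).

```ruby
# Hypothetical in-memory model (not GitLab code) of LDAP group sync with
# support for a role override on a member inherited from an ancestor group.

DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

Member = Struct.new(:user, :access_level, :ldap, :override, keyword_init: true)

class Group
  attr_reader :name, :parent, :children, :group_links, :members

  # group_links: [{ cn: "ldap-cn", access_level: N }]  (assumed shape)
  def initialize(name, parent: nil, group_links: [])
    @name = name
    @parent = parent
    @children = []
    @group_links = group_links
    @members = []
    parent.children << self if parent
  end

  def ancestors
    parent ? [parent, *parent.ancestors] : []
  end

  def member_for(user)
    members.find { |m| m.user == user }
  end

  # Direct record, or the nearest ancestor's record (inherited membership).
  def effective_member(user)
    ancestors.each { |g| (m = g.member_for(user)) && (return m) } if member_for(user).nil?
    member_for(user)
  end
end

# Proposed solution: copy the ancestor's record into this group, then override it.
def set_role_override(group, user, access_level)
  member = group.member_for(user)
  if member.nil?
    source = group.effective_member(user)
    raise ArgumentError, "#{user} is not a member of #{group.name}" unless source
    member = Member.new(user: user, access_level: source.access_level,
                        ldap: source.ldap, override: false)
    group.members << member
  end
  member.access_level = access_level
  member.override = true
  member
end

# Highest access level each user should hold from this group's own LDAP links.
def ldap_expected(group, ldap_groups)
  group.group_links.each_with_object({}) do |link, acc|
    (ldap_groups[link[:cn]] || []).each do |user|
      acc[user] = [acc[user] || 0, link[:access_level]].max
    end
  end
end

# Still "protected" if an (already synced) ancestor holds an LDAP record for the user.
def protected_by_ancestor?(group, user)
  group.ancestors.any? { |g| (m = g.member_for(user)) && m.ldap }
end

def sync_group(group, ldap_groups)
  expected = ldap_expected(group, ldap_groups)
  removed = []

  group.members.dup.each do |m|
    next unless m.ldap
    if expected.key?(m.user)
      m.access_level = expected[m.user] unless m.override
    elsif m.override && protected_by_ancestor?(group, m.user)
      # Consideration 1: no Group Link matches here, but the ancestor vouches for them.
    else
      group.members.delete(m)
      removed << m.user
    end
  end

  expected.each do |user, level|
    next if group.member_for(user)
    group.members << Member.new(user: user, access_level: level, ldap: true, override: false)
  end
  removed
end

# Consideration 2: sync ancestors before descendants, so a user dropped from the
# ancestor is re-checked (and dropped) at the lower level in the same pass.
def sync_tree(root, ldap_groups)
  removed = { root.name => sync_group(root, ldap_groups) }
  root.children.each { |child| removed.merge!(sync_tree(child, ldap_groups)) }
  removed
end

# Constructed scenario: alice is inherited into acme/api from acme, gets an
# override there, survives a no-change sync, then leaves LDAP and is removed twice.
def demo
  ldap = { "devs" => %w[alice bob], "admins" => %w[carol] }
  acme = Group.new("acme", group_links: [{ cn: "devs", access_level: DEVELOPER }])
  api  = Group.new("acme/api", parent: acme, group_links: [{ cn: "admins", access_level: OWNER }])

  sync_tree(acme, ldap)
  before = api.member_for("alice")               # nil: membership is only inherited
  set_role_override(api, "alice", MAINTAINER)
  sync_tree(acme, ldap)                           # override must survive an unchanged sync
  kept = api.member_for("alice")&.access_level
  ldap["devs"].delete("alice")                    # alice leaves the LDAP group
  removed = sync_tree(acme, ldap)
  { before: before, kept: kept, removed: removed, gone: api.member_for("alice") }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Ordering is the important design choice: because `protected_by_ancestor?` looks at the ancestor's current member record rather than re-querying LDAP, the descendant's re-check only gives the right answer if the ancestor was synced first, which is what `sync_tree` guarantees.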