Can't remove roles or identities from a group

[huwshimi]

When doing a DELETE to /groups/group1/roles/role1 or /groups/group1/identities/identity1 to remove the role or identity from a group I get a 403 response with this error:

{"data":null,"message":"insufficient permissions to execute operation","status":403,"_meta":null}

I'm on latest main (commit: 0cc2bcece295d2014a269ab5c78154aeac71b383).

I have reset my tuples to those from the seeding doc and appear to have delete permissions (I'm passing the token johndoe as the auth header):

$ fga query check --store-id=$STORE_ID user:johndoe can_delete identity:global --model-id=$MODEL_ID
{
  "allowed":true,
  "resolution":""
}
$ fga query check --store-id=$STORE_ID user:johndoe can_delete role:global --model-id=$MODEL_ID
{
  "allowed":true,
  "resolution":""
}

I can DELETE entitlements from the group (/groups/group1/entitlements/entitlement1).

[syncronize-issues-to-jira[bot]]

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-863.

This message was autogenerated

[huwshimi]

It looks like these were two somewhat related issues, but not bugs:

• In our current testing setup we're not using real identities so we don't have permission to view those non-existent identities when we try and remove them from a group (unlike when adding a user to the group where it doesn't need to exist).
• When removing a role from a group the role has to actually exist otherwise we don't have permission to view it (again, like the user case above, it doesn't need to exist when adding it to the group).