Synapse admin flag and policies

[matrixbot]

This issue was originally created by @hughns at https://github.com/matrix-org/matrix-authentication-service/issues/1582.

Currently a user can only allowed to be issued a urn:synapse:admin scope token from MAS by a setting in the YAML config.

It should be possible to be able to read and change this at runtime using the GraphQL API.

A simple flag stored against the user is sufficient rather than some group capability.

[matrixbot]

This comment was originally posted by @daniellekirkwood at https://github.com/matrix-org/matrix-authentication-service/issues/1582#issuecomment-1702413109.

A customer today was asking how one would make a user a Synapse Admin from within the Synapse Admin console -- this is possible when not using OIDC or when users are created not using OIDC. I think it's an extremely important feature (being able to toggle and control Synapse admin users from inside the synapse admin console).

Let me know how I can help here or what your expectations are of how we might handle this in the future (I'm not tied to a specific UI, just think it should be doable and today it isn't)

Thank you!

[matrixbot]

This comment was originally posted by @sandhose at https://github.com/matrix-org/matrix-authentication-service/issues/1582#issuecomment-1757589989.

Fixed by #1920