RHIDP-5975 document the includeTransitiveGroupOwnership option (redhat-developer#989)

* RHIDP-5975 document the `includeTransitiveGroupOwnership` option

---------

Signed-off-by: Fabrice Flore-Thébault <[email protected]>
Co-authored-by: Jessica He <[email protected]>

Author: themr0c

assemblies/assembly-configuring-authorization-in-rhdh.adoc

@@ -49,6 +49,7 @@ include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
 
 include::modules/authorization/con-rbac-conditional-policies-rhdh.adoc[leveloffset=+1]
 
+include::modules/authorization/proc_enabling_transitive_parent_groups.adoc[leveloffset=+2]
 
 include::modules/authorization/ref-rbac-conditional-policy-definition.adoc[leveloffset=+2]
 

modules/authentication/proc-enabling-authentication-with-rhbk.adoc

@@ -152,6 +152,7 @@ After successful authentication, the user signing in must be resolved to an exis
 The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
 +
 WARNING: In production mode, only configure one resolver to ensure users are securely matched.
+
 `resolver`::::
 Enter the sign-in resolver name.
 Available values:

modules/authorization/proc_enabling_transitive_parent_groups.adoc

@@ -0,0 +1,22 @@
+= Enabling transitive parent groups
+
+By default, {product} does not resolve indirect parent groups during authentication.
+In this case, with the following group hierarchy, the `user_alice` user is only a member of the `group_developers` group:
+
+----
+group_admin
+  └── group_developers
+    └── user_alice
+----
+
+To support multi-level group hierarchies when using the $ownerRefs alias, you can configure {product-short} to include indirect parent groups in the user’s ownership entities.
+In that case the `user_alice` user is a member of both `group_developers` and `group_admin` groups.
+
+.Procedure
+
+* Enable the `includeTransitiveGroupOwnership` option in your `{my-app-config-file}` file.
++
+[source,yaml]
+----
+includeTransitiveGroupOwnership: true
+----