added right-management to the rights of the first user.

src/main/java/de/avatic/lcc/config/LccOidcUser.java

@@ -7,6 +7,7 @@ import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
@@ -26,13 +27,27 @@ public class LccOidcUser extends DefaultOidcUser {
     public static User createDatabaseUser(String email, String firstName, String lastName, String workdayId, boolean isFirstUser) {
         User user = new User();
 
-        Group group = new Group();
+        var groups = new ArrayList<Group>();
-        group.setName(isFirstUser ? "service" : "none");
+
+        if(isFirstUser) {
+            var g = new Group();
+            g.setName("service");
+            groups.add(g);
+
+            g = new Group();
+            g.setName("right-management");
+            groups.add(g);
+        } else {
+            var g = new Group();
+            g.setName("none");
+            groups.add(g);
+        }
+
 
         user.setEmail(email);
         user.setFirstName(firstName == null ? "" : firstName);
         user.setLastName(lastName == null ? "" : lastName);
-        user.setGroups(List.of(group));
+        user.setGroups(groups);
         user.setWorkdayId(workdayId == null ? "" : workdayId);
         user.setActive(false);
 

src/main/java/de/avatic/lcc/config/SecurityConfig.java

@@ -292,21 +292,23 @@ public class SecurityConfig {
             }
 
             if (user != null) {
-                user.getGroups().forEach(g -> log.debug("Local group: {}", g.getName()));
-                user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
                 userId = user.getId();
             } else {
                 if (email != null && firstName != null && lastName != null && (ignoreWorkdayClaim || workdayId != null)) {
                     var isFirstUser = userRepository.count() == 0;
-                    userId = userRepository.update(LccOidcUser.createDatabaseUser(email, firstName, lastName, ignoreWorkdayClaim ? generateRandomWorkdayId() : workdayId, isFirstUser));
+                    user = LccOidcUser.createDatabaseUser(email, firstName, lastName, ignoreWorkdayClaim ? generateRandomWorkdayId() : workdayId, isFirstUser);
-                    mappedAuthorities.add(new SimpleGrantedAuthority(isFirstUser ? "ROLE_SERVICE" : "ROLE_NONE"));
+                    userId = userRepository.update(user);
+
                 } else {
                     log.debug("Unable to create user {} / {}", email, workdayId);
                     mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_NONE"));
                 }
             }
 
-
+            if (user != null) {
+                user.getGroups().forEach(g -> log.debug("Local group: {}", g.getName()));
+                user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
+            }
 
             return new LccOidcUser(
                     mappedAuthorities,