feat: sync Google Group owners as C1 resource owners

[c1-dev-bot]

Summary

• Adds an ownership entitlement (owner) to Google Workspace group resources using the SDK's NewOwnershipEntitlement with PURPOSE_VALUE_OWNERSHIP
• Grants the ownership entitlement to group members whose Google Workspace role is OWNER (user type only, not nested groups)
• Existing member entitlement and grants remain unchanged — all group members still receive the membership grant regardless of role

Details

Google Workspace allows admins to assign an "Owner" role to group members via the Admin Directory API. The member.Role field returns OWNER, MANAGER, or MEMBER. Previously, the connector ignored this field entirely — all members received identical membership grants.

This change introduces a new owner entitlement on group resources so that ConductorOne can:

• Identify who owns each Google Group
• Apply Resource Owner policies based on group ownership
• Display ownership information in the ConductorOne UI

Test plan

• Verify that groups still sync correctly with both member and owner entitlements
• Verify that users with OWNER role in Google Workspace receive both member and owner grants
• Verify that users with MEMBER or MANAGER role receive only the member grant
• Verify that nested groups (type GROUP) with OWNER role do NOT receive an ownership grant (ownership is user-only)
• Verify that existing sync data is not disrupted

Fixes: CXH-1555

---

Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

• Human review of the implementation approach
• Manual testing to verify correctness
• Approval from the appropriate team before merging

[linear-code]

CXH-1555

[github-actions]

🟡 Suggestion: The Grant() and Revoke() methods below don't distinguish between the member and owner entitlements — Grant() always calls InsertMember with a default role and returns a grant tagged groupMemberEntitlement. If ConductorOne routes a provisioning request for the owner entitlement, it would silently add a regular member instead of setting the OWNER role. Consider either handling the owner entitlement slug in Grant()/Revoke() (updating the member's role via the API), or removing WithGrantableTo from the ownership entitlement if it's intended to be sync-only.

[github-actions]

Connector PR Review: feat: sync Google Group owners as C1 resource owners

Blocking Issues: 0 | Suggestions: 1 | Threads Resolved: 0
Review mode: full
View review run

Review Summary

This PR adds a new owner ownership entitlement to group resources and grants it to group members whose Google Workspace role is OWNER (user-type only). The sync-side logic is clean and correct — the role/type check is appropriately case-insensitive, the entitlement uses NewOwnershipEntitlement with PURPOSE_VALUE_OWNERSHIP, and the existing member entitlement/grants are unchanged (safe per B9). One suggestion was raised about provisioning behavior for the new entitlement.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

• pkg/connector/group.go:159-162: Grant/Revoke methods don't handle the owner entitlement — provisioning would silently add a regular member instead of setting the OWNER role.

Prompt for AI agents

Verify each finding against the current code and only fix it if needed.

## Suggestions

In `pkg/connector/group.go`:
- Around lines 159-162: The owner grant is created in Grants() with the `owner` entitlement slug,
  and WithGrantableTo(resourceTypeUser) is set on the ownership entitlement. However, the Grant()
  method (around line 175) always calls InsertMember with a default-role member and hardcodes the
  groupMemberEntitlement slug in the returned grant, regardless of which entitlement is being
  provisioned. Similarly, Revoke() (around line 205) always calls DeleteMember, which would remove
  the user from the group entirely rather than just demoting from OWNER. Either:
  (a) Add entitlement slug checks in Grant/Revoke to call the Google API's member update endpoint
      to set/unset the OWNER role when the owner entitlement is being provisioned, or
  (b) Remove WithGrantableTo from the ownership entitlement if it is intended to be sync/display-only
      and not provisionable.

[github-actions]

No blocking issues found.

[c1-dev-bot]

Checking: connector-test failed but is not a required check. Let me check if this is a pre-existing flake or related to this PR's changes.