
The groups of SSO are global on LAIN

Open wchaoyi opened this issue 9 years ago • 0 comments

For now, the authorization of LAIN's apps (e.g. console) is based on the groups of SSO, i.e. a user in a group has a competence which can be understood as a different permission for all clients using this group, and this hardly has the user's consent. The authorization depends on who the user is, not what the user authorizes.

So, the SSO's admin should be careful about the clients of SSO, since some evil client will use the user's potential authority, such as undeploying an app and getting the secret files of an app.

wchaoyi, May 19 '16 02:05
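The two authorization models contrasted in the issue, as an added example that is not part of the original post and is not LAIN's or its SSO's code. The group, client and permission names are hypothetical and all data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical names, not LAIN's real groups or clients).
GROUP_MEMBERS = {"console-maintainers": {"alice"}}  # membership is global in the SSO
GROUP_PERMISSIONS = {
    "console-maintainers": {"app:deploy", "app:undeploy", "app:read-secrets"},
}
# What each user explicitly granted to each client (assumed consent store).
USER_CONSENT = {
    ("alice", "console"): {"app:deploy", "app:undeploy", "app:read-secrets"},
    ("alice", "third-party-dashboard"): {"app:deploy"},
}

@dataclass(frozen=True)
class Token:
    user: str
    client_id: str  # the SSO client the token was issued to

def group_permissions(user):
    """Union of permissions from every group the user belongs to."""
    perms = set()
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

def authorize_by_group(token, action):
    """Model of the behaviour the issue describes: only who the user is matters."""
    return action in group_permissions(token.user)

def authorize_with_consent(token, action):
    """Group permission AND the user's grant to this specific client, default deny."""
    granted = USER_CONSENT.get((token.user, token.client_id), set())
    return action in (group_permissions(token.user) & granted)

def unconsented_authority(user, client_id):
    """Audit helper: actions a client can perform under the group-only model
    that the user never granted to it."""
    granted = USER_CONSENT.get((user, client_id), set())
    return sorted(group_permissions(user) - granted)

if __name__ == "__main__":
    t = Token("alice", "third-party-dashboard")
    print("group-only undeploy:", authorize_by_group(t, "app:undeploy"))
    print("with consent undeploy:", authorize_with_consent(t, "app:undeploy"))
    print("unconsented:", unconsented_authority(t.user, t.client_id))
```

Running `unconsented_authority` over every registered client gives an SSO admin a list of the authority each client holds only because of global group membership.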