Add nested Access List steps to test plans

.github/ISSUE_TEMPLATE/testplan.md

@@ -1563,13 +1563,21 @@ Docs: [IP Pinning](https://goteleport.com/docs/access-controls/guides/ip-pinning
   - [ ] Verify that users can run custom audit queries.
   - [ ] Verify that the Privileged Access Report is generated and periodically refreshed.
 
-- [ ] Access List
+- [ ] Access Lists
   - [ ] Verify Access List membership/ownership/expiration date.
-    - [ ] Verify permissions granted by Access List membership.
-    - [ ] Verify permissions granted by Access List ownership.
-    - [ ] Verify Access List Review.
-    - [ ] verify Access LIst Promotion.
-    - [ ] Verify that owners can only add/remove members and not change other properties.
+  - [ ] Verify permissions granted by Access List membership.
+  - [ ] Verify permissions granted by Access List ownership.
+  - [ ] Verify Access List Review.
+  - [ ] verify Access LIst Promotion.
+  - [ ] Verify that owners can only add/remove members and not change other properties.
+  - [ ] Nested Access Lists
+    - [ ] Verify that Access Lists can be added as members or owners of other Access Lists.
+    - [ ] Verify that member grants from ancestor lists are inherited by members of nested Access Lists added as members.
+    - [ ] Verify that owner grants from ancestor lists are inherited by members of nested Access Lists added as owners.
+    - [ ] Verify that Access List Review and Promotion work with nested Access Lists.
+    - [ ] Verify that manually deleting a nested Access List used as a member or owner does not break UserLoginState generation or listing Access Lists.
+    - [ ] Verify that an Access List can be added as a member or owner of another Access List using `tctl`.
+    - [ ] Verify that Access Lists added as members or owners of other Access Lists using `tctl` are validated (no circular references, no nesting > 10 levels).
 
 - [ ] Verify Okta Sync Service
   - [ ] Verify Okta Plugin configuration.
@@ -1579,6 +1587,7 @@ Docs: [IP Pinning](https://goteleport.com/docs/access-controls/guides/ip-pinning
     - [ ] Verify that users/apps/groups are synced from Okta to Teleport.
     - [ ] Verify the custom `okta_import_rule` rule configuration.
     - [ ] Verify that users/apps/groups are displayed in the Teleport Web UI.
+    - [ ] Verify that users/groups are flattened on import, and are not duplicated on sync when their membership is inherited via nested Access Lists.
   - [ ] Verify that a user is locked/removed from Teleport when the user is Suspended/Deactivated in Okta.
   - [ ] Verify access to Okta apps granted by access_list/access_request.
 

.github/ISSUE_TEMPLATE/webtestplan.md

@@ -478,6 +478,45 @@ With the previous role you created from `Strategy Reason`, change `request_acces
 
 - [ ] Verify after login, dashboard is rendered as normal
 
+## Access Lists
+
+Not available for OSS
+
+- Creating new Access List:
+  - [ ] Verify that traits/roles are not be required in order to create
+  - [ ] Verify that one can be created with members and owners
+  - [ ] Verify the web cache is updated (new list should appear under "Access Lists" page without reloading)
+- Deleting existing Access List:
+  - [ ] Verify the web cache is updated (deleted list should disappear from "Access Lists" page without reloading)
+  - [ ] Verify that an Access List used as a member or owner in other lists cannot be deleted (should show a warning)
+- Reviewing Access List:
+  - [ ] Verify that after reviewing, the web cache is updated (list cards should show any member/role changes)
+- Updating (renaming, removing members, adding members):
+  - [ ] Verify the web cache is updated (changes to name/members appear under "Access Lists" page without reloading)
+- [ ] Verify Access List search is preserved between sub-route navigation (clicking into specific List and navigating back)
+- Can manage members/owners for an existing Access List:
+  - [ ] Verify that existing Users:
+    - [ ] Can be enrolled as members and owners
+    - [ ] Enrolled as members or owners can be removed
+  - [ ] Verify that existing Access Lists:
+    - [ ] Can be enrolled as members and owners
+    - [ ] Enrolled as members or owners can be removed
+  - [ ] Verify that an Access List cannot be added as a member or owner:
+    - [ ] If it is already a member or owner
+    - [ ] If it would result in a circular reference (ACL A -> ACL B -> ACL A)
+    - [ ] If the depth of the inheritance would exceed 10 levels
+    - [ ] If it includes yourself (and you lack RBAC)
+  - [ ] Verify that non-existing Members and Owners can be enrolled in an existing List (e.g., SSO users)
+- Inherited grants are properly calculated and displayed:
+  - [ ] Verify that members of a nested Access List:
+    - [ ] Added as a member to another Access List inherit its Member grants
+    - [ ] Added as an owner to another Access List inherit its Owner grants
+    - [ ] That do not meet Membership Requirements in a Nested List do not inherit any Grants from Parent Lists
+    - [ ] That do not meet the Parent List's Membership/Ownership Requirements do not inherit its Member/Owner Grants
+  - [ ] Verify that owners of Access Lists added as Members/Owners to other Access Lists do *not* inherit any Grants
+  - [ ] Verify that inherited grants are updated on reload or navigating away from / back to Access List View/Edit route
+  - [ ] Verify that 'View More' exists and can be clicked under the 'Inherited Member Grants' section if inherited grants overflows the container
+
 ## Web Terminal (aka console)
 
 - [ ] Verify that top nav has a user menu (Main and Logout)