doc: Add warning about service user scopes

README.md

@@ -9,6 +9,12 @@ Currently supported sources:
 
 ## Configuration
 
+> [!WARNING]
+>
+> When creating a service user, limit them to the specific project and
+> organization scope that they are intended to sync. `famedly-sync`
+> currently does not separately limit the scope of the sync, see #103.
+
 The tool expects a configuration file located at `./config.yaml`. See example configuration at [config.sample.yaml](./config.sample.yaml).
 
 The default path can be changed by setting the new path to the environment variable `FAMEDLY_SYNC_CONFIG`.

sample-configs/csv-config.sample.yaml

@@ -9,6 +9,10 @@ zitadel:
   # The project to grant users access to.
   project_id: 278274945274880004
   # The identity provider ID to enable SSO login for
+  #
+  # WARNING: This user *must* be scoped to the specific org/project,
+  # as famedly-sync does not limit syncs to the configured org/project
+  # by itself.
   idp_id: 281430143275106308
 
 feature_flags:

sample-configs/ldap-config.sample.yaml

@@ -9,6 +9,10 @@ zitadel:
   # The project to grant users access to.
   project_id: 278274945274880004
   # The identity provider ID to enable SSO login for
+  #
+  # WARNING: This user *must* be scoped to the specific org/project,
+  # as famedly-sync does not limit syncs to the configured org/project
+  # by itself.
   idp_id: 281430143275106308
 
 feature_flags:

sample-configs/ukt-config.sample.yaml

@@ -9,6 +9,10 @@ zitadel:
   # The project to grant users access to.
   project_id: 278274945274880004
   # The identity provider ID to enable SSO login for
+  #
+  # WARNING: This user *must* be scoped to the specific org/project,
+  # as famedly-sync does not limit syncs to the configured org/project
+  # by itself.
   idp_id: 281430143275106308
 
 feature_flags: