[PM-19022] Separate Manage Account Recovery and Manage Users custom role (#14629)

* Add SeparateCustomRolePermissions feature flag

* Allow 'Manage Account Recovery' to be configured separately from 'Manage Users'

apps/web/src/app/admin-console/organizations/members/components/member-dialog/member-dialog.component.ts

@@ -456,7 +456,13 @@ export class MemberDialogComponent implements OnDestroy {
     return Object.assign(p, partialPermissions);
   }
 
-  handleDependentPermissions() {
+  async handleDependentPermissions() {
+    const separateCustomRolePermissions = await this.configService.getFeatureFlag(
+      FeatureFlag.SeparateCustomRolePermissions,
+    );
+    if (separateCustomRolePermissions) {
+      return;
+    }
     // Manage Password Reset (Account Recovery) must have Manage Users enabled
     if (
       this.permissionsGroup.value.manageResetPassword &&

libs/common/src/enums/feature-flag.enum.ts

@@ -13,6 +13,7 @@ export enum FeatureFlag {
   LimitItemDeletion = "pm-15493-restrict-item-deletion-to-can-manage-permission",
   SsoExternalIdVisibility = "pm-18630-sso-external-id-visibility",
   AccountDeprovisioningBanner = "pm-17120-account-deprovisioning-admin-console-banner",
+  SeparateCustomRolePermissions = "pm-19917-separate-custom-role-permissions",
 
   /* Auth */
   PM9112_DeviceApprovalPersistence = "pm-9112-device-approval-persistence",
@@ -83,6 +84,7 @@ export const DefaultFeatureFlagValue = {
   [FeatureFlag.LimitItemDeletion]: FALSE,
   [FeatureFlag.SsoExternalIdVisibility]: FALSE,
   [FeatureFlag.AccountDeprovisioningBanner]: FALSE,
+  [FeatureFlag.SeparateCustomRolePermissions]: FALSE,
 
   /* Autofill */
   [FeatureFlag.BlockBrowserInjectionsByDomain]: FALSE,