// and group map and check the appropriate policy maps directly.
func (c *iamCache) policyDBGet(store *IAMStoreSys, name string, isGroup bool) ([]string, time.Time, error) {
	if isGroup {
		if store.getUsersSysType() == MinIOUsersSysType {
			g, ok := c.iamGroupsMap[name]
			if !ok {
				if err := store.loadGroup(context.Background(), name, c.iamGroupsMap); err != nil {
					return nil, time.Time{}, err
				}
				g, ok = c.iamGroupsMap[name]

// active on the server.
type UsersSysType string

// Types of users configured in the server.
const (
	// This mode uses the internal users system in MinIO.
	MinIOUsersSysType UsersSysType = "MinIOUsersSys"

	// This mode uses users and groups from a configured LDAP
	// server.
	LDAPUsersSysType UsersSysType = "LDAPUsersSys"
)

const (
	statusEnabled  = "enabled"

			return fmt.Errorf("unable to load the policy doc `%s`: %w", policyName, err)
		}
	}
	setDefaultCannedPolicies(cache.iamPolicyDocsMap)

	if iamOS.usersSysType == MinIOUsersSysType {
		bootstrapTraceMsg("loading regular IAM users")
		regUsersList := listedConfigItems[usersListKey]
		for _, item := range regUsersList {
			userName := path.Dir(item)

	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	if globalIAMSys.GetUsersSysType() == MinIOUsersSysType && targetUser != cred.AccessKey {
		// For internal IDP, ensure that the targetUser's parent account exists.
		// It could be a regular user account or the root account.