}

func (c *iamCache) policyDBGetGroups(store *IAMStoreSys, userPolicyPresent bool, groups ...string) ([]string, error) {
	var policies []string
	for _, group := range groups {
		if store.getUsersSysType() == MinIOUsersSysType {
			g, ok := c.iamGroupsMap[group]
			if !ok {
				continue
			}

			// Group is disabled, so we return no policy - this
			// ensures the request is denied.
			if g.Status == statusDisabled {

// active on the server.
type UsersSysType string

// Types of users configured in the server.
const (
	// This mode uses the internal users system in MinIO.
	MinIOUsersSysType UsersSysType = "MinIOUsersSys"

	// This mode uses users and groups from a configured LDAP
	// server.
	LDAPUsersSysType UsersSysType = "LDAPUsersSys"
)

const (
	statusEnabled  = "enabled"

	}

	if took := time.Since(policyLoadStartTime); took > maxIAMLoadOpTime {
		logger.Info("Policy docs load took %.2fs (for %d items)", took.Seconds(), len(policiesList))
	}

	if iamOS.usersSysType == MinIOUsersSysType {
		bootstrapTraceMsgFirstTime("loading regular IAM users")
		regUsersLoadStartTime := UTCNow()
		regUsersList := listedConfigItems[usersListKey]

		for {
			if len(regUsersList) < count {

	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	if globalIAMSys.GetUsersSysType() == MinIOUsersSysType && targetUser != cred.AccessKey {
		// For internal IDP, ensure that the targetUser's parent account exists.
		// It could be a regular user account or the root account.