Access Requests search returns resources not associated with search_as_roles #46114

Open

Description

Expected behavior:

The access request resources search would not return resources that do not match search_as_roles for a user's roles.

Current behavior:

Users see all resources they have access to in the Access Request resource view, not just searchable ones. This makes it difficult to search for the request-specific items since all resources are showing.

For example, a user has two roles: one with access to just a set of resources with env: dev, and another role with search_as_roles that match env: prod. Both env: dev and env: prod nodes will show in a new resources request search. If the user attempts to submit an access request, they will get an error like the one below since it's invalid.

image

Bug details:

  • Teleport version: 16.2.0
  • Recreation steps
  1. Add two resources such as SSH nodes, with one labeled env: dev and another env: prod
  2. Define a role dev-access that has just ssh access to env: dev nodes
  3. Define a role prod-access that has just ssh access to env: prod nodes
  4. Define a role requester-access that allows requesting the prod role
     ```yaml
     spec:
       allow:
         request:
           roles:
           - prod-access
           search_as_roles:
           - prod-access
     ```
  5. Assign a user to dev-access and requester-access
  6. Attempt to create a new request. Both dev and prod nodes will show. Add the dev node and attempt to submit.
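
The filtering the issue expects, set against the behaviour it reports, as an added example (not part of the issue and not Teleport's code). It assumes a simplified exact-match label model; the `node_labels` values for `dev-access` and `prod-access` and the node names `dev-node` and `prod-node` are constructed from the recreation steps.

```go
package main

import "fmt"

// Role is a simplified model (assumption): exact label match, no wildcards or deny rules.
type Role struct {
	NodeLabels    map[string]string // spec.allow.node_labels
	SearchAsRoles []string          // spec.allow.request.search_as_roles
}

// Constructed data following the recreation steps in the issue.
var roles = map[string]Role{
	"dev-access":       {NodeLabels: map[string]string{"env": "dev"}},
	"prod-access":      {NodeLabels: map[string]string{"env": "prod"}},
	"requester-access": {SearchAsRoles: []string{"prod-access"}},
}
var userRoles = []string{"dev-access", "requester-access"}
var nodeNames = []string{"dev-node", "prod-node"}
var nodes = map[string]map[string]string{"dev-node": {"env": "dev"}, "prod-node": {"env": "prod"}}

// visible lists the nodes for which some named role matches all of its node_labels.
func visible(names []string) (out []string) {
	for _, node := range nodeNames {
		for _, name := range names {
			ok := len(roles[name].NodeLabels) > 0 // no node_labels: no node access
			for k, v := range roles[name].NodeLabels {
				ok = ok && nodes[node][k] == v
			}
			if ok {
				out = append(out, node)
				break
			}
		}
	}
	return
}

// RequestSearch returns the expected list (search_as_roles only) and the reported one (own roles too).
func RequestSearch() (expected, reported []string) {
	var searchAs []string
	for _, name := range userRoles {
		searchAs = append(searchAs, roles[name].SearchAsRoles...)
	}
	return visible(searchAs), visible(append(searchAs, userRoles...))
}

func main() {
	fmt.Println(RequestSearch()) // expected list first, then the reported list
}
```

Any node in the reported list but not in the expected list, here `dev-node`, is one the user can add to a request that is then rejected on submit.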