returnapierrors.NewUnauthorized(fmt.Sprintf("attempt to grant extra privileges: %v user=%v ownerrules=%v ruleResolutionErrors=%v",missingRights,user,ownerRules,ruleResolutionErrors))
msg:=fmt.Sprintf("user %q (groups=%q) is attempting to grant RBAC permissions not currently held:\n%s",user.GetName(),user.GetGroups(),strings.Join(missingDescriptions.List(),"\n"))