2023-10-19 Support Readiness - Enterprise User criteria change and email lock
What is happening
The product criteria of Enterprise User will change in https://gitlab.com/gitlab-org/gitlab/-/issues/396384 to match the definition we have in the support workflows.
An email is being sent to group owners (up to 5 per group) to notify them that they need to add a verified domain for Enterprise User features to continue working. Individual users were also notified that if their group has a verified domain, their account may be considered an Enterprise User and the primary email will not be changeable to a non-verified domain.
Status / What actions have been taken so far
- Email send for owners to set up verified domain
- Dev work in progress
Timeline / Important Dates
- 2023-05-18: sendout for owners to verify domain
- 2023-06-21: reminder email sent
- 2023-07-05/11: primary email lock sendout
- Targeted outreach to CSMs via #4699 (closed)
- 2023-10-19: anticipated change date
- 2023-10-31: Release post entry merged
- 2023-11-03: members badging updated / 2FA updated
Related Issues/MRs/Epics
Criteria change and domain verification
- Email send: https://gitlab.com/gitlab-com/marketing/marketing-operations/-/issues/7935
- Auto-claim Epic: gitlab-org&9675
- Group domain verification epic: gitlab-org&5299
- Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/396384 | turned epic: https://gitlab.com/groups/gitlab-org/-/epics/11886
- Docs: https://docs.gitlab.com/ee/user/enterprise_user/#set-up-a-verified-domain
primary email lock for enterprise users
- Email send: https://gitlab.com/gitlab-com/marketing/marketing-operations/-/issues/8342
- Issue: gitlab-org/gitlab#412968 (closed)
- Docs: https://docs.gitlab.com/ee/user/enterprise_user/#automatic-claims-of-enterprise-users
What impact will this have on users?
The email send is a notification. Sometime after the change date, customers may notice users who were previously marked as an Enterprise user are no longer marked as such if they did not add the relevant verified domain.
Enterprise Users will also no longer be able to change their primary email to an email that isn't a group verified domain.
What this may look like for Support
Anticipated Support Impact: Low
What workarounds/solutions are available?: Customers should add one or more verified domain for users with matching primary email address to be considered an Enterprise user.
Enterprise users can still change their primary email if it matches a group's verified domain. Other emails at this time can still be added as secondary emails, but we do have plans to lock those down too.
DRIs/Contacts for questions and approvals for communications/action items
-
Slack Channel:
#g_manage_auth
-
Product or Development DRI: @hsutor
-
Engineering Manager: @adil.farrukh
-
Support DRI: @cynthia
Support Resources
Release post: Until 16.6 release post is made, the related release post entry is available in https://about.gitlab.com/releases/gitlab-com/
Changes:
- Merged: UI text MR to add that domain verification must be completed within 7 days: gitlab-org/gitlab!124393 (merged)
- Merged: Docs MR to add further clarification on why a project is necessary: gitlab-org/gitlab!121176 (merged)
- Fix merged: 500 error when trying to "Edit" verified domain bug issue: gitlab-org/gitlab#412233 (closed) (if verified, should not need to edit though)
- Fix merged: 500 error when adding new domain if SSO session expired: gitlab-org/gitlab#412343 (closed)
- Merged: Docs MR to add note that cert errors are okay to ignore: gitlab-org/gitlab!121584 (merged)
FAQ
See also the ZD wording in the next section.
- When and what is happening?
-
We do not have a specific date at the moment.Rolled out 2023-10-20It will happen no earlier than 2023-08-01.Update: Due to various delays, the change is now no earlier than 2023-10-15. - For list of changes, see gitlab-org/gitlab#421407 (closed)
- On 2022-11-03, gitlab-org/gitlab!135335 (merged) was merged which updated Enterprise badging on the top-level group's Members page, and enabled 2FA.
-
- Exactly what will the customer lose if they don't verify the domain?
- Once gitlab-org/gitlab!135335 (merged) is merged:
- Enterprise badge next to members' names will "disappear".
- They will not be able to disable 2FA for members (though they can still write into support for manual intervention if necessary).
- Other Enterprise User features will be tied to verified domain as well, but no date on change. Being tracked in relevant issues, such as gitlab-org/gitlab#412898 (closed) and gitlab-org/gitlab#391453 (closed)
- Will it change anything else about SSO/SAML? What about how users access projects?
- No effect.
- Can the customer have a mix of users with/without matching domain? What happens to users without matching domain?
- Yes. Users who do not have a primary email with a matching verified domain will not be considered Enterprise Users. See question 2 for more details.
- If the user is an Enterprise user, they can change their primary email but it must be one with a verified domain. The user can add and change secondary emails without this restriction at this time.
- Users who are not members are getting welcome emails. Does this increase seat count? Can they be managed?
- There are no changes to how seat count is calculated.
- Managing non-member Enterprise Users is being planned. Please see gitlab-org/gitlab#375991 (comment 1346637781)
- Does that mean group owners will now be able to pull the list of emails for users?
- That is a related but different, new feature. It is being prioritized. gitlab-org/gitlab#391453 (closed)
Zendesk Macros
Add Zendesk tag: com_gitlab_396384
Possible macro wording
Hi,
Thanks for contacting GitLab Support.
As mentioned in the email, [Enterprise Users](https://docs.gitlab.com/ee/user/enterprise_user/) are now identified by their _primary_ email address matching a group's verified domain.
If you haven't yet, you should [follow our documentation on setting up a verified domain](https://docs.gitlab.com/ee/user/enterprise_user/#set-up-a-verified-domain). Please note that the domain must match exactly, so if you have a subdomain, such as `subdomain.company.org`, for some emails, the subdomain needs to be verified as well.
If you choose not to verify your domain, you will begin losing [user management features](https://docs.gitlab.com/ee/user/enterprise_user/#manage-enterprise-users-in-a-namespace).
You can also provide feedback in the [relevant feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/416117).
If you have any issues, please let us know.
Primary email
Hi,
Thanks for contacting GitLab Support.
With the recent changes, [Enterprise Users](https://docs.gitlab.com/ee/user/enterprise_user/) are identified by their _primary_ email address matching a group's verified domain. If you are identified as an Enterprise User, you should receive a welcome email and can only change your _primary_ email to another that matches your group's verified domain(s).
You can still add other emails as secondary emails on the account. However, please note that these are planned to be put under the same restrictions in the future.
If you have any issues, please let us know.
To find new tickets that may not be tagged, use: domain form:saas order_by:created_at sort:desc -status:closed -tags:com_gitlab_396384 -tags:lost_email_access_free_user
or enterprise form:saas -status:closed -tags:com_gitlab_396384 -tags:lost_email_access_free_user order_by:created_at sort:desc
ZenDesk & Support-focused GitLab changes
-
Expose new Enterprise user attributes via API: gitlab-org/gitlab#416657 (closed) -
Expose new Enterprise user attributes in admin user details page: gitlab-org/gitlab!132938 (merged) -
MR to update User lookup in ZD app: https://gitlab.com/gitlab-com/support/support-ops/zendesk-global/zendesk-apps/gitlab-super-app/-/merge_requests/13
Communication to Support team
- Announced to team in
-
#support_gitlab-com
or#support_self-managed
or#support_team-chat
-
SWIR
-
Rollout action items
Auto claim rollout
- Comms (see below for wording)
-
#support_gitlab-com
-
Cross-post to #spt_pod_auth
-
SWIR
-
- Update macros: see #4699 (closed)
-
Update handbook to include Enterprise user attribute references (instead of just provisioned by) | see gitlab-com/content-sites/handbook!733 (merged)
Auto claim comms
:one: :gitlab: :cloud: :roll-out: [Enterprise Users rollout] The first iteration is here!
*Summary*: With the feature flag on, Enterprise Users are identified and auto-claimed based on verified domain. Users once "claimed" will receive a welcome email, and their primary email will be "locked" to verified domain(s). See https://gitlab.com/gitlab-org/gitlab/-/issues/421407#what-are-we-expecting-to-happen for details. Changes to user management features, namely 2FA disabling, and things like badging are coming soon. Meaning, there's no substantial changes for group owners at this time. [Documentation has been updated](https://docs.gitlab.com/ee/user/enterprise_user/#automatic-claims-of-enterprise-users)
Support can see the new Enterprise Users' attributes (`enterprise_group_id` and ` enterprise_group_associated_at`) in admin UI and via the API. This includes the ZenDesk User Lookup app. Handbook has been updated to [mention new enterprise user attributes](https://gitlab.com/gitlab-com/content-sites/handbook/-/merge_requests/733).
The meta issue should cover everything you need to know, especially the [FAQ](https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/5114#faq), which has template wording. Please continue to add the Zendesk tag `com_gitlab_396384` for related tickets.
Authn group will post about the [feature flag](https://gitlab.com/gitlab-org/gitlab/-/issues/421407) rollout in the issue and in Slack. Any questions, please let me or the #g_govern_auth team know.
2023-11-02: Badging and 2FA rollout
- Comms (see below for wording)
-
#support_gitlab-com
-
Cross-post to #customer-success
,#spt_pod_auth
,#g_govern_auth
-
SWIR
-
Further comms
:name_badge: :gitlab: :cloud: :roll-out: [Enterprise Users rollout] Badging and 2FA are updated!
*Summary*: The `Enterprise` badging in the Members list, and 2FA functionality, has been updated to the new definition. With that, our rollout is complete! :tada:
Note: [Documentation](https://docs.gitlab.com/ee/user/enterprise_user/) was not updated as we're making it true again :sweat_smile:
The meta issue should cover everything you need to know, especially the [FAQ](https://gitlab.com/gitlab-com/support/support-team-meta/-/issues/5114#faq), which has template wording. Please continue to add the Zendesk tag `com_gitlab_396384` for related tickets.
Any questions, please let me or the #g_govern_authentication team know.