Enterprise Users - MVC: Automatic Claim of existing users that match a verified domain and are in the group
Release notes
Problem to solve
Enterprise customers on GitLab.com want to be able to fully manage the entire lifecycle of users in their groups. This desire is both for efficiency and to protect their intellectual property. Typically, these customers have centralized user management for their enterprise through an IdP like Okta or Azure and use GitLab SSO/SCIM. This issue will implement the ability to "claim" user accounts and deem them "enterprise". It will pave the way for future improvements to Enterprise users.
As part of &4786 we have started tying new users to groups and giving group administration rights over those users. We need a way to provide the same administrative rights over users that were created before we started tying users to groups.
Proposal
We can allow group administrators to claim users that are part of their group and whose email matches a domain they have verified. This is in line with our subscription agreement and with how competitors have tackled this problem.
This issue is for the following work:
Automatic Claim Process
- A user signs in via SAML; we check the group's verified domains and, if the user matches one, we mark them as provisioned by the group (this is already complete)
- If provisioned by is nil, check whether the group has any verified domains; if so, and the domain of the user's email matches one of them, mark the user as provisioned by that group
- Send an e-mail notification to the user (to the notification address if one is set, otherwise to the primary address) letting them know that they have an Enterprise Account.
- If the user matches a verified domain but is not a member of the top level group, do not mark them as an Enterprise User. This scenario will be tackled in future iterations where we provide a UI for the admin to see the unclaimed users.
Frequency/Schedule of Claims
- When this feature is released: for any domain that is already verified, claim the users if they are in the top level group. This is limited to the top level group only for the first iteration.
- When a new domain is verified, claim the users if they are in the top level group
- When a new user is added other than by provisioning, claim the user if they are in the top level group and match a verified domain
- When a user is removed from the top level group, remove their "Enterprise User" status. If they come back in, they would be claimed under one of the methods above
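The claim and un-claim rules from the two lists above, worked through as an added Ruby example (this is not GitLab's own code). The User and Group data shapes, the exact-match domain comparison on the user's email, and the notification payload are assumptions made for the example.

```ruby
# Added example, not GitLab code. Assumed shapes: a User has an email and the id of
# the group that provisioned it (nil if unclaimed); a Group has verified domains
# and the ids of its top-level members.
User  = Struct.new(:id, :email, :provisioned_by_group_id, keyword_init: true)
Group = Struct.new(:id, :verified_domains, :member_ids, keyword_init: true)

# Domain part of an email, lower-cased. Returns nil unless there is exactly one
# "@" with a non-empty domain, so malformed input never matches anything.
def email_domain(email)
  parts = email.to_s.split('@')
  return nil unless parts.length == 2 && !parts[1].empty?
  parts[1].downcase
end

# Rules from the issue: not already provisioned, group has a verified domain,
# email domain equals one of them (exact match only, so "evil-example.com" is
# never treated as "example.com"), and the user is a top-level group member.
def claimable?(user, group)
  return false unless user.provisioned_by_group_id.nil?
  return false if group.verified_domains.empty?
  domain = email_domain(user.email)
  return false if domain.nil?
  return false unless group.verified_domains.map(&:downcase).include?(domain)
  group.member_ids.include?(user.id)
end

# Run on release, on domain verification, or on user add. Marks each eligible
# user as provisioned by the group and returns one notification per new claim.
# Idempotent: users already claimed are skipped on a second run.
def claim_users(group, users)
  eligible = users.select { |u| claimable?(u, group) }
  eligible.map do |u|
    u.provisioned_by_group_id = group.id
    { user_id: u.id, message: "Your account is now an Enterprise Account of group #{group.id}" }
  end
end

# Leaving the top-level group drops Enterprise status; rejoining makes the user
# claimable again through any of the triggers above.
def remove_from_group(group, user)
  group.member_ids.delete(user.id)
  user.provisioned_by_group_id = nil if user.provisioned_by_group_id == group.id
end
```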
Future considerations:
- Admin/group owner ability to see which users are not yet claimed and click a button to claim them (if the automatic claims process is problematic)
- Admin/group owner ability to view which users have been claimed and when (historical view)