Error when removing user's SCIM ID via API
Summary
Group owner gets an error mentioning they aren't part of the group when trying to delete SCIM ID via SCIM API.
Steps to reproduce
Example Project
What is the current bug behavior?
User was deployed via SCIM but with the wrong email address (Azure related). Owner wants to redeploy the user with the correct email address but they're unable to do so because they cannot delete the SCIM ID via SCIM API. SCIM ID seems to be already deleted on their end because no identities are shown for the user via Admin.
They get the error:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Could not remove [user] from [group]. User is not a group member.","status":412}
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com, GitLab Enterprise Edition 15.3.0-pre 0d272cb0
Possible fixes
Allow SCIM token tied to group that provisioned the SCIM identity to delete it even if user is no longer a member of the group.
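A simplified model of the reported behaviour next to the proposed one, added here as an illustration and not taken from GitLab's code base. All class, method and sample names are hypothetical, and the 404 for an unknown identity is an assumption of the model.

```ruby
# Simplified model of the behaviour in this report. Not GitLab's code:
# every class, method and sample value here is hypothetical/constructed.
ScimIdentity = Struct.new(:extern_uid, :group_id, :user_id)
Group = Struct.new(:id, :member_ids, :scim_identities)

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

def scim_error(status, detail)
  { "schemas" => [ERROR_SCHEMA], "detail" => detail, "status" => status }
end

def find_identity(group, extern_uid)
  # Scope the lookup to the group the SCIM token belongs to, so a token
  # for one group can never touch an identity provisioned by another.
  group.scim_identities.find { |i| i.extern_uid == extern_uid && i.group_id == group.id }
end

# Reported behaviour: deletion depends on the membership removal succeeding.
def deprovision_current(group, extern_uid)
  identity = find_identity(group, extern_uid)
  return scim_error(404, "Resource #{extern_uid} not found") unless identity
  unless group.member_ids.include?(identity.user_id)
    return scim_error(412, "Could not remove [user] from [group]. User is not a group member.")
  end
  group.member_ids.delete(identity.user_id)
  group.scim_identities.delete(identity)
  { "status" => 204 }
end

# Proposed behaviour: owning the identity is enough; membership removal is
# idempotent, so an already-removed member no longer blocks the delete.
def deprovision_proposed(group, extern_uid)
  identity = find_identity(group, extern_uid)
  return scim_error(404, "Resource #{extern_uid} not found") unless identity
  group.member_ids.delete(identity.user_id) # no-op when already removed
  group.scim_identities.delete(identity)
  { "status" => 204 }
end

# Constructed state: identity still exists, but the user has left the group.
def sample_group
  Group.new(1, [], [ScimIdentity.new("constructed-extern-uid", 1, 42)])
end
```

The group-scoped lookup is what keeps the relaxed check safe: a token for a different group still gets a not-found response for this identity.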
Possible workaround
Use rails console to find the SCIM identity, then destroy it using .destroy!.
Note: This will not change anything about the state of the user account, such as memberships, so this acts differently than deprovisioning.