Error when removing user's SCIM ID via API

Summary

Group owner gets an error mentioning they aren't part of the group when trying to delete SCIM ID via SCIM API.

Steps to reproduce

Example Project

What is the current bug behavior?

User was deployed via SCIM but with the wrong email address (Azure related). Owner wants to redeploy the user with the correct email address but they're unable to do so because they cannot delete the SCIM ID via SCIM API. SCIM ID seems to be already deleted on their end because no identities are shown for the user via Admin.

They get the error:

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Could not remove [user] from [group]. User is not a group member.","status":412}

What is the expected correct behavior?

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com, GitLab Enterprise Edition 15.3.0-pre 0d272cb0

Possible fixes

Allow SCIM token tied to group that provisioned the SCIM identity to delete it even if user is no longer a member of the group.

Possible workaround

Use rails console to find the SCIM identity, then destroy it using .destroy!.

Note: This will not change anything about the state of the user account, such as memberships, so this acts differently than deprovisioning.

Edited by Cynthia "Arty" Ng
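
The failure mode and the proposed fix from this issue, as an added Ruby sketch that is not GitLab's code. The class, method names, the 404 branch and the sample identifiers are hypothetical; the model assumes each group holds only the SCIM identities it provisioned, so a delete made with that group's token can never reach another group's identities.

```ruby
# Simplified in-memory model (assumption, not GitLab's implementation): a group
# keeps SCIM identities keyed by extern_uid and a separate set of member ids.
require 'set'

ScimResult = Struct.new(:status, :detail)

class GroupScimModel
  attr_reader :identities, :members

  def initialize
    @identities = {}    # extern_uid => user_id, only identities this group provisioned
    @members = Set.new  # user ids that currently belong to the group
  end

  def provision(extern_uid, user_id)
    @identities[extern_uid] = user_id
    @members << user_id
  end

  # Behaviour reported in the issue: the membership check fails first, so the
  # identity is never destroyed and the request ends with 412.
  def delete_strict(extern_uid)
    user_id = @identities[extern_uid]
    return ScimResult.new(404, 'not found') unless user_id
    return ScimResult.new(412, 'User is not a group member.') unless @members.include?(user_id)
    @members.delete(user_id)
    @identities.delete(extern_uid)
    ScimResult.new(204, nil)
  end

  # Proposed behaviour: destroy the group's own identity regardless of
  # membership; removing the membership becomes a no-op when it is already gone.
  def delete_tolerant(extern_uid)
    user_id = @identities.delete(extern_uid)
    return ScimResult.new(404, 'not found') unless user_id
    @members.delete(user_id)
    ScimResult.new(204, nil)
  end
end

# Reproduces the orphaned state: identity present, membership already removed.
def orphaned_identity_demo
  group = GroupScimModel.new
  group.provision('azure-oid-constructed', 42)  # constructed sample values
  group.members.delete(42)                      # user left; identity remains
  strict = group.delete_strict('azure-oid-constructed')
  still_there = group.identities.key?('azure-oid-constructed')
  tolerant = group.delete_tolerant('azure-oid-constructed')
  [strict.status, still_there, tolerant.status, group.identities.empty?]
end
```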