Skip to content

Newly created users should become Enterprise Users right away if they meet the condition

As per #388415 (closed) when group owners verify a domain, GitLab system will schedule a background job for that domain. That job will initiate the Enterprise Users Automatic Claim Process for users whose email domain matches the domain. Those users who meet the Enterprise User definition based on that domain would be associated with the related enterprise group.

Some users could start meeting the definition based on that domain after that automatic claim process is complete. For instance

  • user that was created before 2021-02-01
    • was added to group members or
    • has got SAML or SCIM identity tied to the group
  • user email changed from personal email to the email that belongs to the group
  • newly created user
  • etc ...

We have a universal solution to address all these edge cases. As per #388415 (closed), domain re-verification will also schedule the background job to initiate the Enterprise Users Automatic Claim Process for users who meet the definition based on the domain.

Domain re-verification happens every 7 days for each domain. That means that in some cases for users that started to meet the enterprise user definition for some group, it could take up to 7 days for the GitLab system to initiate the Enterprise Users Automatic Claim Process for that user. For rare cases, it is not a big concern. Creating new user accounts is not a rare case for some organizations. Group owners will definitely want newly created users who meet the definition to be associated with their enterprise group as soon as possible instead of waiting up to 7 days.

We can initiate the Enterprise Users Automatic Claim Process for newly created users.

Implementation details

Implement Groups::EnterpriseUsers::AssociateWorker that receives user_id. In that background job identify whether any group verified user's email domain. If there is a group that verified the domain, execute Groups::EnterpriseUsers::AssociateService.new(group: group, user: user).execute service class. That will associate the user with the enterprise group as per the Enterprise User definition.

Hooking into Users::CreateService to schedule Groups::EnterpriseUsers::AssociateWorker background job has been considered. However, that service class is not used for all sign-up flows the GitLab supports, and we use devise gem. To make sure this background job is scheduled for every newly created user, we should hook into User model directly via after_create callback. Since in that callback will only schedule a background job, it shouldn't cause any issues since it is not a heavy operation. Related to !125836 (comment 1466821934)

This change should be under enterprise_users_automatic_claim FF.

Additionally, enabling enterprise_users_automatic_claim FF should disable sending provisioned_member_access_granted_email since when a user is claimed as an enterprise user, they will receive new user_associated_with_enterprise_group_email. Also, enterprise_users_automatic_claim should enable sending member_access_granted_email to users, regardless they are provisioned or not, to inform them that they have been added or re-added to a group as a member the same way it is being sent to regular users. See !130735 (comment 1545308267)

Edited by Bogdan Denkovych