SCIM de-provisioning: remove user from subgroups even if already removed from parent group
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Release notes
When a user is not part of the parent group any more, but part of subgroups, SCIM de-provisioning should remove the user also from the subgroups. For example, if a user gets manually removed from the parent group on the GitLab side without clicking the box to also remove direct memberships within subgroups, it would be good if SCIM de-provisioning the user removed them from the subgroups as well, which is what happens when the user is found in the parent group when the de-provisioning happens.
Example scenario:
- User gets provisioned via SCIM
- An admin adds them manually as a
directmember to a subgroup - An admin manually removes the user from the parent group on the GitLab side without clicking the box to also remove
directmemberships within subgroups - The user now gets removed on the IDP side from the SCIM application
- The provisioning cycle runs
- Result: the user will still be part of the subgroups where they have the
directmembership.
It would be good if SCIM would tidy this up, and remove all the subgroup membership in this scenario as well.
Problem to solve
See above: make sure that SCIM de-provisioning also removes the user from subgroups if they are not part of the parent group any more.
Proposal
When SCIM de-provisioning, also remove the user from the subgroups when the user is not part of the parent group any more.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.