Revise automated dormant member features to deactivate enterprise users instead of removing them

Background

grouputilization recently introduced automated dormant member removal on GitLab.com (in beta as of 17.9).

With this feature, dormant users are removed from the top-level group - this is different from SM where dormant users move to a user state of deactivated. The reason for this difference is on .com a user could be part of other subscriptions too (since we have subscription on groups, or could be contributing to other free groups outside of subscription). Deactivation of a user could impact other subscriptions. Removing them from the group would just reduce their billable footprint from that specific group.

The problem with removing the user instead of de-activating them is that project, group, and history are lost when this feature is enabled and a dormant user logs back in they log back in. One Enterprise customer specifically found this feature unusable as a result.

Proposal

In order to be able to preserve project & group history for Enterprise users, we should update the current GitLab.com behavior to deactivate the user if their only login is via SAML or similar (assuming they just belong to one organization due to their login type).

Proposal details

Modify the feature to check if the user.user_details.enterprise_group_id is present, and deactivate the user instead of removing their memberships.

That would mean:

• Enterprise user/customers: their users get deactivated entirely rather than having memberships removed, which should be fine because enterprise users are technically "owned" by the organisation
  • We'd need to tweak the daily dormant check so we're not re-processing the same users every day
  • What if the enterprise user had created their own group and bought a subscription and continues to use that?
• Non-enterprise users/customers: the feature would remain as it currently is (user is removed from the group)

Additional work

• Update docs https://docs.gitlab.com/user/group/moderate_users/#automatically-remove-dormant-members to reflect this change

Result

Users that are part of an organization are able to retain project, group, and history when they log back in after being deactivated.