[FF] self_managed_scim_group_sync -- SCIM group sync for self-managed instances

Summary

This issue is to roll out SCIM group sync for self-managed instances, which is currently behind the self_managed_scim_group_sync feature flag.

Owners

  • Most appropriate Slack channel to reach out to: #g_seat_management
  • Best individual to reach out to: @paulobarros

Expectations

What are we expecting to happen?

Self-managed customers will be able to use SCIM group sync in their instances. It is to be used together with SAML group links.

What can go wrong and how would we detect it?

Group memberships could mismatch and/or fall out of sync with the identity providers.

Rollout Steps

Release the feature with the feature flag

WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.

If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:

  • Create a merge request with the following changes.
    • If the feature was enabled for various actors, ensure the feature has been enabled globally on production: /chatops run feature get <feature-flag-name>. If the feature has not been globally enabled, then enable it globally using: /chatops run feature set <feature-flag-name> true
    • Set the default_enabled attribute in the feature flag definition to true.
    • Decide which changelog entry is needed.
  • Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check <merge-request-url> <milestone>
  • After the default-enabling MR has been deployed, clean up the feature flag from all environments by running this chatops command in the #production channel: /chatops run feature delete <feature-flag-name> --dev --pre --staging --staging-ref --production
  • Close the feature issue to indicate the feature will be released in the current milestone.
  • Set the next milestone to this rollout issue for scheduling the flag removal.
  • (Optional) You can create a separate issue for scheduling the steps below to Release the feature.
    • Link this rollout issue as a related issue.
    • Close this rollout issue.
Edited by Paulo Barros