
User cannot be added as member when SCIM identity inactive

Jessie Young requested to merge jy-issue-413079 into master

What does this MR do and why?

  • With the feature flag skip_saml_identity_destroy_during_scim_deprovision disabled, a user's SCIM identity is deleted when they are SCIM deprovisioned.
  • As a result, the GroupSaml::Membership enforcer works as expected and does not let a user be added to a subgroup or project after they have been SCIM deprovisioned.
  • When the feature flag is enabled, however, we keep the SCIM identity when the user is SCIM deprovisioned.
  • As a result, a user could be added to a subgroup or project.
  • To remediate this, we are adding logic that also checks for any inactive SCIM identities for the root group when looking at whether a user can be added to a subgroup or project.
  • Fixes #413079 (closed)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.
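The membership check this MR describes, as an added illustration that is not GitLab's own code: the identity structs, function names and the simplified "user is linked to the root group through a SCIM identity" model are assumptions, and the walk-through compares the pre-fix check with the fixed one under both settings of the feature flag.

```ruby
# Constructed model of the check described in this MR; not GitLab's code.
ScimIdentity = Struct.new(:group_id, :active, keyword_init: true)
Member = Struct.new(:name, :scim_identities, keyword_init: true)

# Pre-fix enforcer logic (simplified): the user may be added when they still
# hold a SCIM identity for the root group. With the flag disabled,
# deprovisioning deletes that identity, so this check denies as intended.
def can_add_old?(user, root_group_id)
  user.scim_identities.any? { |i| i.group_id == root_group_id }
end

# Fixed logic: additionally deny when a SCIM identity for the root group
# exists but is inactive, the state left behind when the flag is enabled.
def can_add_fixed?(user, root_group_id)
  return false unless can_add_old?(user, root_group_id)
  user.scim_identities.none? { |i| i.group_id == root_group_id && !i.active }
end

# SCIM deprovisioning under either setting of the feature flag.
def scim_deprovision!(user, root_group_id, skip_identity_destroy:)
  if skip_identity_destroy
    user.scim_identities.each { |i| i.active = false if i.group_id == root_group_id }
  else
    user.scim_identities.reject! { |i| i.group_id == root_group_id }
  end
end

# Deprovision a constructed user and run both checks; returns their verdicts.
def deprovision_outcome(skip_identity_destroy:)
  root = 1
  user = Member.new(name: "alice",
                    scim_identities: [ScimIdentity.new(group_id: root, active: true)])
  scim_deprovision!(user, root, skip_identity_destroy: skip_identity_destroy)
  { old: can_add_old?(user, root), fixed: can_add_fixed?(user, root) }
end

if __FILE__ == $PROGRAM_NAME
  p deprovision_outcome(skip_identity_destroy: false) # {:old=>false, :fixed=>false}
  p deprovision_outcome(skip_identity_destroy: true)  # {:old=>true, :fixed=>false}
end
```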
