Add "GET /groups/:id/enterprise_users" API endpoint

What does this MR do and why?

This MR adds "GET /groups/:id/enterprise_users" API endpoint that allows top-level group Owners to get list of their enterprise users and see their private attributes, like email, two_factor_enabled, etc.

See the following issue for more details #438366 (closed).

References

Please include cross links to any resources that are relevant to this MR This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

• #438366 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

1. Make sure the GitLab instance simulates or a SaaS instance since Enterprise Users is a SaaS feature
2. Configure "Automatic claims of enterprise users". For testing purposes on the local environment you can claim the user manually from the Rails console:

User.find_by_username('USERNAME').user_detail.update(enterprise_group_id: GROUP_ID)

3. Request the API endpoint as a group Owner. The enterprise user should be listed in the response with attributes as per the docs.

• curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/groups/GROUP_ID/enterprise_users

assigned to @bdenkovych

added groupauthentication sectionsec typefeature labels

added pipelinetier-1 label

changed the description

removed pipelinetier-1 label

added backend database databasereview pending documentation labels

	3 Warnings
	This merge request is quite big (671 lines changed), please consider splitting it into multiple merge requests.
	571f2418: Commits that change 30 or more lines across at least 3 files should describe these changes in the commit body. For more information, take a look at our Commit message guidelines.
	e50c8409: The commit subject may not be longer than 72 characters. For more information, take a look at our Commit message guidelines.

	1 Message
	This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

Documentation review

The following files require a review from a technical writer:

• doc/api/group_enterprise_users.md (Link to current live version)
• doc/user/enterprise_user/index.md (Link to current live version)

The review does not need to block merging this merge request. See the:

• Metadata for the *.md files that you've changed. The first few lines of each *.md file identify the stage and group most closely associated with your docs change.
• The Technical Writer assigned for that stage and group.
• Documentation workflows for information on when to assign a merge request for review.

Reviewer roulette

Category	Reviewer	Maintainer
backend	@Quintasan (UTC+1, 1 hour behind author)	@fabiopitino (UTC+0, 2 hours behind author)
database	@bmarjanovic (UTC+1, 1 hour behind author)	@OmarQunsulGitlab (UTC+1, 1 hour behind author)

Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.

If needed, you can retry the danger-review job that generated this comment.

Generated by Danger

changed milestone to %17.6

added Deliverable Enterprise Users GitLab Premium customer devopsgovern featureenhancement release post itemin review workflowin dev labels

removed release post itemin review label

added gitlab.com label

removed Deliverable label

added 1 commit

• a5e05613 - Add "GET /groups/:id/enterprise_users" API endpoint

Compare with previous version

marked this merge request as draft

@jglassman1 While I am still complementing the MR, adding tests, the documentation should be ready for review. Could you please review it?

requested review from @jglassman1

added 1 commit

• a64f6226 - Add "GET /groups/:id/enterprise_users" API endpoint

Compare with previous version

changed milestone to %17.7

added 1 commit

• 1c65e7a2 - Apply 2 suggestion(s) to 1 file(s)

Compare with previous version

added Technical Writing label

approved this merge request

added pipeline:mr-approved label

added pipelinetier-2 label

removed review request for @jglassman1

added 1 commit

• 2badcdd0 - Test Authn::EnterpriseUsersFinder class

Compare with previous version

added 1 commit

• e50c8409 - Cosmetic changes for ee/spec/finders/authn/enterprise_users_finder_spec.rb

Compare with previous version

E2E Test Result Summary

allure-report-publisher generated test report!

e2e-test-on-gdk: test report for 08e14bf6

expand test summary

+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Create      | 4      | 0      | 0       | 0     | 4     | ✅     |
| Fulfillment | 1      | 0      | 0       | 0     | 1     | ✅     |
| Govern      | 3      | 0      | 0       | 0     | 3     | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 8      | 0      | 0       | 0     | 8     | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+

e2e-test-on-cng: test report for 08e14bf6

expand test summary

+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Govern      | 84     | 0      | 9       | 1     | 93    | ✅     |
| Create      | 140    | 0      | 20      | 0     | 160   | ✅     |
| Plan        | 86     | 0      | 8       | 0     | 94    | ✅     |
| Monitor     | 8      | 0      | 12      | 0     | 20    | ✅     |
| Ai-powered  | 0      | 0      | 2       | 0     | 2     | ➖     |
| Verify      | 49     | 0      | 16      | 0     | 65    | ✅     |
| Data Stores | 33     | 0      | 10      | 0     | 43    | ✅     |
| Configure   | 0      | 0      | 3       | 0     | 3     | ➖     |
| Package     | 24     | 0      | 14      | 0     | 38    | ✅     |
| Secure      | 2      | 0      | 5       | 0     | 7     | ✅     |
| Fulfillment | 2      | 0      | 7       | 1     | 9     | ✅     |
| Release     | 5      | 0      | 1       | 0     | 6     | ✅     |
| Manage      | 1      | 0      | 9       | 0     | 10    | ✅     |
| Analytics   | 2      | 0      | 0       | 1     | 2     | ✅     |
| ModelOps    | 0      | 0      | 1       | 0     | 1     | ➖     |
| Growth      | 0      | 0      | 2       | 0     | 2     | ➖     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 436    | 0      | 119     | 3     | 555   | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+

Generated by gitlab_quality-test_tooling.

---

Slow tests detected in this merge request. These slow tests might be related to this merge request's changes.

Click to expand

Job	File	Name	Duration	Expected duration
#8381626000	spec/features/admin/users/users_spec.rb#L177	Admin::Users GET /admin/users when blocking/unblocking a user shows confirmation and allows blocking and unblocking	66.11 s	< 50.13 s
#8383658120	spec/features/admin/users/users_spec.rb#L177	Admin::Users GET /admin/users when blocking/unblocking a user shows confirmation and allows blocking and unblocking	66.22 s	< 50.13 s
#8413813732	spec/features/admin/users/users_spec.rb#L177	Admin::Users GET /admin/users when blocking/unblocking a user shows confirmation and allows blocking and unblocking	69.29 s	< 50.13 s
#8415356152	spec/features/admin/users/users_spec.rb#L177	Admin::Users GET /admin/users when blocking/unblocking a user shows confirmation and allows blocking and unblocking	66.57 s	< 50.13 s
#8423826342	spec/features/admin/users/users_spec.rb#L177	Admin::Users GET /admin/users when blocking/unblocking a user shows confirmation and allows blocking and unblocking	65.43 s	< 50.13 s
#8464843605	spec/features/admin/users/users_spec.rb#L177	Admin::Users GET /admin/users when blocking/unblocking a user shows confirmation and allows blocking and unblocking	66.26 s	< 50.13 s

added rspec:slow test detected label

added 1 commit

• 58f09441 - Polish ee/lib/api/group_enterprise_users.rb file

Compare with previous version

added 1 commit

• 571f2418 - Add tests for 'GET /groups/:id/enterprise_users' API endpoint

Compare with previous version

reset approvals from @jglassman1 by pushing to the branch

added 1 commit

• a06170fe - Test pagination parameters 'GET /groups/:id/enterprise_users'

Compare with previous version

added 1 commit

• be08a349 - Clean up ee/spec/requests/api/group_enterprise_users_spec.rb

Compare with previous version

marked this merge request as ready

approved this merge request

added 1 commit

• baff9fba - Apply documentation suggestions from Isaac

Compare with previous version

reset approvals from @jglassman1 by pushing to the branch

added 1 commit

• 08e14bf6 - Apply documentation suggestions from Isaac

Compare with previous version

changed the description

requested review from @paulobarros

@Quintasan Could you please review backend?

requested review from @Quintasan

added workflowin review label and removed workflowin dev label

changed the description

approved this merge request

changed the description

changed the description

approved this merge request

requested review from @fabiopitino

added pipelinetier-3 pipeline:run-e2e-omnibus-once labels and removed pipelinetier-2 label

Before you set this MR to auto-merge

This merge request will progress on pipeline tiers until it reaches the last tier: pipelinetier-3. We will trigger a new pipeline for each transition to a higher tier.

Before you set this MR to auto-merge, please check the following:

• You are the last maintainer of this merge request
• The latest pipeline for this merge request is pipelinetier-3 (You can find which tier it is in the pipeline name)
• This pipeline is recent enough (created in the last 8 hours)

If all the criteria above apply, please set auto-merge for this merge request.

See pipeline tiers and merging a merge request for more details.

approved this merge request

requested review from @a_akgun

approved this merge request

added databaseapproved label and removed databasereview pending label

@dbalexandre do you have capacity to take this maintainer review? I'm at fully capacity at the moment.

requested review from @dbalexandre and removed review request for @fabiopitino

resolved all threads

added Category:System Access label

approved this merge request

resolved all threads

enabled automatic add to merge train when checks pass

mentioned in merge request !171755 (closed)

started a merge train

merged

mentioned in commit 1e7b9904

Hello @bdenkovych

The database team is looking for ways to improve the database review process and we would love your help!

If you'd be open to someone on the database team reaching out to you for a chat, or if you'd like to leave some feedback asynchronously, just post a reply to this comment mentioning:

@gitlab-org/database-team

And someone will be by shortly!

Thanks for your help!

This message was generated automatically. Improve it or delete it.

added workflowstaging-canary label and removed workflowin review label

added workflowcanary label and removed workflowstaging-canary label

added workflowstaging label and removed workflowcanary label

added workflowproduction label and removed workflowstaging label

added workflowpost-deploy-db-staging label and removed workflowproduction label

mentioned in issue bdenkovych/todo#34

added workflowpost-deploy-db-production label and removed workflowpost-deploy-db-staging label

mentioned in issue #438366 (closed)

Hi @bdenkovych does this endpoint retrieve only the top-level group Enterprise users or also from the subgroups and projects?

@pprokic Users can only be enterprise users of top-level group. (not confuse "enterprise users" with "membership")

This endpoint returns enterprise users of a given top-level group regardless they are members of the group or its subresources(subgroups, projects).

Documentation: https://docs.gitlab.com/ee/api/group_enterprise_users.html

Thanks @bdenkovych. Wanted to make sure a customer could use this endpoint to pull all (Enterprise) users under the top-level group and retrieve their emails (among others) as well.

Until now it was using billable members API, which AFAIK does not include the email field, only public_email if exposed.

Not sure how these 2 endpoints exactly compare.

mentioned in merge request gitlab-docs!5225 (merged)

added releasedcandidate label

added releasedpublished label and removed releasedcandidate label

mentioned in merge request !176328 (merged)

mentioned in issue #487911 (closed)