Add restricted access check for SCIM on GitLab.com

This is part of https://gitlab.com/gitlab-org/gitlab/-/issues/572852.

What does this MR do and why?

This MR adds restricted access/BSO support for SCIM user provisioning on GitLab.com to prevent seat overages when no seats are available.

When SCIM provisions or re-provisions users to groups and BSO is enabled with no available seats, users are now assigned the Minimal Access role instead of the originally intended access level. This prevents unintended seat overages during automated SCIM provisioning flows.

The implementation uses the unified SeatAwareProvisioning module introduced in !206913 (merged), ensuring consistent behavior and logging across all enterprise user management protocols (SAML, LDAP, and SCIM).

How to set up and validate locally

  1. Enable the feature flag and minimal access role:
     Feature.enable(:bso_minimal_access_fallback)
  2. Configure a group with BSO enabled and no available seats (e.g. purchase a subscription with only 1 seat)
  3. Trigger SCIM provisioning for a new user (e.g. via Okta)
  4. Verify the user is added with the Minimal Access role instead of the original role defined in the group link
  5. Check the logs for the BSO adjustment message
Edited by Paulo Barros
