Backfill `organization_id` in `scim_oauth_access_tokens` (!213936) · Merge requests · GitLab.org / GitLab

This is part of Add sharding key for `scim_oauth_access_tokens` (#553107) and a follow-up to Add `organization_id` to `scim_oauth_access_tok... (!212160 - merged).

What does this MR do and why?

This MR backfills organization_id for existing instance-level (i.e. no Gitlab.com involved) SCIM access tokens to make the table compliant with Protocells.

This migration sets organization_id to 1 (default organization) for all existing instance-level tokens that don't already have it.

Group-level tokens are not affected as they are stored in a separate table.

References

How to set up and validate locally

Create some test data in rails console:

ScimOauthAccessToken.create!(group_id: nil, organization_id: nil, token_encrypted: 'test')

Run the migration:

bundle exec rails db:migrate

Verify the backfill in rails console:

ScimOauthAccessToken.where(group_id: nil).pluck(:organization_id)
# Should all be 1

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Nov 26, 2025 by Paulo Barros

Backfill organization_id in scim_oauth_access_tokens

What does this MR do and why?

References

How to set up and validate locally

MR acceptance checklist

Merge request reports

Backfill `organization_id` in `scim_oauth_access_tokens`