Automatic claims of enterprise users: Claim users whose primary email has a domain that has been verified by a paid group

    Closed Epic created by Adil Farrukh

    Problem to solve

    Enterprise customers on GitLab.com want to be able to fully manage the entire lifecycle of users in their groups. This desire is both for efficiency and to protect their intellectual property. Typically, these customers will have centralized user management for their enterprise through an IdP like Okta or Azure and use GitLab SSO/SCIM.

    As part of &4786 we have started tying new users to groups and giving group administration rights to those users.

    According to the enterprise user definition in the GitLab system, a user provisioned by a group is an enterprise user of that group.

    According to the new legal enterprise user definition, domain verification is involved.

    We want to replace the old enterprise user definition in the GitLab system with the new definition.

    We want to make sure that implementing the new definition will resolve all known issues and improve Support Efficiency. Since replacing the old definition with the new definition is a breaking change, we need to communicate with group owners and guide them on how to prepare, so that the definition change won't be a breaking change for their groups.

    The plan

    Iteration 1 | &9675 (closed)

    Automatic claims of enterprise users: Claim use... (&9675 - closed) implements the new enterprise user definition.

    That means that in the GitLab system, there will be two enterprise user definitions.

    All existing enterprise user functionality won't be impacted and will continue to work based on the old enterprise user definition.

    For security reasons, we need to implement Prevent Enterprise users from changing or addin... (gitlab#15159 - closed) as a part of the implementation of the new enterprise user definition in the GitLab system, so that users are not allowed to become an owner of the organization's user account.

    New enterprise user features should be implemented according to the new enterprise user definition. That means new features will only be available for groups adopting the new enterprise user definition.

    Iteration 2 | &11886 (closed)

    Communicate to group owners that we are going to replace the old enterprise user definition with the new definition, meaning that the existing enterprise user features will only be available according to the new definition.

    Group owners should add and verify all needed domains to their groups. That will allow the GitLab system to know which users are enterprise users as per the new definition.

    Groups with verified domains are prepared for the definition change in the GitLab system. The change won't remove their ability to manage their enterprise user accounts according to the new enterprise user definition.

    Groups that haven't verified domains will lose the ability to manage their enterprise user accounts until they verify their domains.

    The last step of Iteration 2 is to completely replace the old enterprise user definition in the GitLab system with the new definition. (Implementation change: changing existing enterprise user administration features and other enterprise-related checks in the code from using provisioned_by_group_id to enterprise_group_id.)

    Edited by Bogdan Denkovych
