We’ve had some difficulty getting Automatic Provisioning to work using GitLab as the authentication source. In particular we’ve been noticing that not all users who have access to projects are being synced over. In some cases we’re even seeing them be deleted.
This occurs even if one or more groups they are a part of are added to the Allowed Groups list.
After a good deal of troubleshooting, I’ve found that groups that contain no projects themselves or in child groups (henceforth security groups) are ignored in Automatic Provisioning mode. This can result in unexpected behavior such as:
- Users who have access to projects through a security group that was granted direct permissions to a project/group are not provisioned. They are deprovisioned.
- Removing all groups containing projects from the allowed list will remove associated users, even if they have access through a security group on the allowed list.
- Sign-in is blocked for users who only have access via a security group.
Notably, sign-ins for users granted access via a security group are not blocked when using Just-in-Time provisioning.
The logs do not indicate any errors, aside from blocking affected users from logging in.
Environment
| Key | Value |
|---|---|
| Version | 2026.1 (119033) |
| Edition | Developer |
| Deployment | Container |
| Database Type | Oracle 23ai |
This is a huge pain, and I’d greatly appreciate help in resolving, mitigating, or working around it.