Azure Group import?

Hello,

Currently our workflow with Azure groups is the following:

  1. Someone requests permissions from an Azure group
  2. We have to add the Azure group as a group by typing in the Object-ID as the name, and in the description we type the actual group name
  3. We set the permission
  4. Bulk apply the permission template to the projects
  5. Redo step 4 in case new users are logging into SonarQube

It is quite time-consuming and I wanted to know if an import of groups from Azure would make more sense at this point? It would spare us admins the time to set up the groups manually and also speed up the process for users as well.

What are your thoughts on this?

Hi,

The groups need to exist in SonarQube before group import will work. What group import gets you is correctly populating the groups with members.

But you’ll still need to do the admin work in SonarQube to give the groups rights to anything.

 
HTH,
Ann

Hi,

Thanks for the reply! That is true, but most of it can then be fully automated with the API. The following steps can then be done automatically:

  1. create permission template
  2. add group to permission template (which already consists of all members due to the import)
  3. set the permission for the group

The users will then be able to start working with SonarQube immediately. Otherwise I would have to wait until they are logged in and then bulk apply the template to the corresponding projects.

Best regards
Melanie

Hi Melanie,

You need to be aware that groups are only added to a user, i.e. group sync only happens for a user when that user logs in.

However, since you’ll be granting permissions to groups, there’s no timing problem here since people will join their already-permissioned groups on first login.

This gives me the sense that you intend to automate the application of multiple permission templates? Templates are not additive. This is a last-saved-wins proposition. When you apply a template, it replaces the previous project permissions.

What I advise instead:

  • Create all your groups in SonarQube. (Remember, capitalization counts. They must match exactly the ones that will be imported.) Whether that happens manually or via automation is up to you.
  • Create the minimum number of templates necessary to give your sets of groups the permissions they require.
  • Apply the templates as appropriate.

 
HTH,
Ann

Hi G Ann,

Thank you for the advice! Perhaps I chose the wrong words, but I actually meant that the automation only applies to one permission template at once :sweat_smile: I am aware that they are not additive. Sorry for the bad description of it.
Currently when creating Azure groups we have to place the object ID as a group name, so I am not aware of the importance of capitalization. I once contacted the support about it and they have confirmed that the group name should be the object ID in Azure. Perhaps that has changed?

The timing problem that I see here is that sometimes when there is a team shift or a new team comes together and they have new Azure Groups then I would have to manually add the group and wait for the user to log in as you said. Only then can I add the group to perhaps existing permission templates and then bulk apply that template to existing projects.

I was thinking of an automation via API, where the customer only has to give us the Azure Group and then the automation will check if the group already exists in SonarQube or not. If it doesn't, then that group will be created and added to the template. So perhaps instead of some kind of import maybe an API that could immediately load the group members via the Azure connection would be great too, if the technical implementation is possible.

What are your thoughts on this?

Best regards
Melanie

Hi Melanie,

Ehm… Go with what Support said. :sweat_smile:

Why? Create the groups and add them to the templates immediately.

And unless there are concerns about granting/revoking group permissions prematurely, I’d go ahead & apply the templates too. That way everything is set up and ready for the next login.

At this point it sounds like you’re looking for SCIM provisioning, which is available starting in Enterprise Edition ($$).

HTH,
Ann
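
The automation discussed in this thread (check whether the group exists, create it under its Azure object ID, add it to a permission template, then apply the template), sketched as an added example that is not part of any post and not SonarQube's own code. It assumes the classic Web API endpoints `api/user_groups/*` and `api/permissions/*` are available on your SonarQube version and that the token belongs to an administrator; the function names and the injected `call` transport are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request


def make_api(base_url, token):
    """Return call(method, path, params) bound to one SonarQube server."""
    auth = base64.b64encode(f"{token}:".encode()).decode()  # token as Basic user

    def call(method, path, params):
        query = urllib.parse.urlencode(params)
        url = f"{base_url}/{path}" + (f"?{query}" if method == "GET" else "")
        data = None if method == "GET" else query.encode()
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}

    return call


def ensure_group(call, object_id, display_name, template, permissions):
    """Create the group if missing, then grant it rights on the template.

    Returns True when the group had to be created.
    """
    found = call("GET", "api/user_groups/search", {"q": object_id})
    # Search is a substring match and names are case-sensitive: compare exactly.
    exists = any(g["name"] == object_id for g in found.get("groups", []))
    if not exists:
        call("POST", "api/user_groups/create",
             {"name": object_id, "description": display_name})
    for perm in permissions:
        call("POST", "api/permissions/add_group_to_template",
             {"groupName": object_id, "templateName": template, "permission": perm})
    return not exists


def apply_template(call, template, project_query):
    """Apply the template; this replaces existing project permissions."""
    call("POST", "api/permissions/bulk_apply_template",
         {"templateName": template, "q": project_query})
```

Because applying a template overwrites whatever permissions the matched projects had, keep `apply_template` as a separate, deliberate step rather than running it on every group request.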