Block sonar-users (group) access to SonarQube

Hello, I’m a QA Assurance Engineer at a company that uses SonarQube Enterprise Edition. I’ve been assigned a task related to blocking any user’s login if that user is not within a specific group.
For example, assume we have groups X, Y and sonar-users (default). If a user belongs solely to sonar-users, their access to SonarQube should be denied. Otherwise, if this same user gets included in the “X” group, their access shall be granted.
Nowadays, even though some groups don’t have any type of access to any project/portfolio/application, they’re still able to log in. It shouldn’t be that way (within our context).
We are trying to achieve this on account of access management good practices. We’d like to know if it’s possible to enable this functionality at all, in any version.

How do your users authenticate with SonarQube? LDAP, SAML, GitHub, something else…?

Hey, Colin. Thanks for the fast response. Yes, our users authenticate with LDAP.

In that case, your best bet is to fiddle with your ldap.user.baseDn or ldap.user.request configuration to only allow access to the groups you’ve specified (basically, not letting the ldapsearch query return a user unless a condition is met).

So you could do something like this:

ldap.user.request=(&(sAMAccountName={login})(|(memberOf=CN=Group1,OU=Training,DC=company,DC=local)(memberOf=CN=Group2,OU=Training,DC=company,DC=local)))

So it’s not exactly what you propose (block users if they would only belong to sonar-users), but it would prevent users from logging in / having an account created at all if they don’t belong to your specified groups.

(Credit is due where credit is due)
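
An added example, not part of the original thread and not SonarQube code: a small Python evaluator for the subset of LDAP filter syntax used in the ldap.user.request above, run against constructed directory entries to check which logins the search would return. The sample entries, the OtherGroup name and all helper functions are assumptions made for illustration; substring and presence filters are not handled.

```python
import re

# Filter from the answer above; {login} is replaced with the name being tested.
USER_REQUEST = ("(&(sAMAccountName={login})(|"
                "(memberOf=CN=Group1,OU=Training,DC=company,DC=local)"
                "(memberOf=CN=Group2,OU=Training,DC=company,DC=local)))")

def escape_login(login):
    # RFC 4515 escaping, so characters in a login cannot change the filter.
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), login)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    # Parse one "(...)" filter at f[i]; supports &, |, ! and equality only.
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError("malformed %r group" % op)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr.lower(), unescape(value).lower()), end + 1

def matches(node, entry):
    if node[0] == "=":
        # memberOf equality only sees the direct memberships listed on the entry.
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def can_log_in(login, directory):
    tree, _ = parse(USER_REQUEST.replace("{login}", escape_login(login)))
    return any(matches(tree, entry) for entry in directory)

# Constructed sample entries (attribute names lower-cased), not real data.
DN = "CN=%s,OU=Training,DC=company,DC=local"
DIRECTORY = [
    {"samaccountname": ["alice"], "memberof": [DN % "Group1"]},
    {"samaccountname": ["bob"], "memberof": [DN % "OtherGroup"]},
    {"samaccountname": ["carol"], "memberof": [DN % "OtherGroup", DN % "Group2"]},
    {"samaccountname": ["dave"]},
]
```

Here bob and dave stand in for users who would only ever land in sonar-users: the search returns no entry for them, so no login and no account creation.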