GitHub integration: Manual group membership reset on login with GitHub

Hey folks, :wave:

We’re using the SonarQube 9.0.1 (Enterprise Edition) and have enabled integration with GitHub for authentication as described at GitHub Integration | SonarQube Docs, so that our users can log in with their normal GitHub accounts and are assigned to their respective groups (based on GitHub teams).

For this we enabled the “Synchronize teams as groups” (sonar.auth.github.groupsSync) and it seems that the manually added group memberships (e. g. when adding a SonarQube user based on a GitHub user to the “sonar-administrators” group) get reset.

While I can add users to the “sonar-administrators” group, this group membership gets removed once they log in via GitHub.

Is this the intended behavior? Is it possible to use both, manual group memberships and automated group memberships (via GitHub integration) for the same users?


Hi Jochen,

This is indeed the intended behavior. From the docs:

  • membership in synchronized groups will override any membership locally configured in SonarQube at each login

What you’ll need to do is create an admin group in GH or decide which existing GH group you want to grant SQ admin permissions to.


Thanks for your reply, Ann!

Are there any plans to make this behavior configurable (I can see cases in which it doesn’t make sense) or what is your recommended practice for adding some users to more groups than in the delegated authentication source?

I see two options:

  • Add a dedicated team to the delegated authentication source (i. e. create a dedicated GitHub team which then gets elevated permissions on SonarQube).
  • Use dedicated/duplicated accounts for these users.

Do you have any input on the pros & cons of these options?


Hi Jochen,

We don’t currently have plans to do this. After all, if you’re delegating group membership, it seems like you want to … delegate it & trust the source. :woman_shrugging:

And I invite you to create a New Feature thread detailing your use case.


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.