Group assignments removed with delegated authentication

Group Mapping

When using group mapping, the following caveats apply regardless of which delegated authentication method is used:

  • membership in synchronized groups will override any membership locally configured in SonarQube at each login
  • membership in a group is synched only if a group with the same name exists in SonarQube
  • membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider

:warning:When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each log in.

I think this functionality should be reviewed. Copying group assignments from the authentication provider makes good sense. But it should be possible to define more specific permissions within SonarQube itself; these permissions should take precedence rather than be deleted.

In our use-case we want to be able to assign additional rights to certain users within SonarQube, but we don’t have the ability to easily create/update groups within the authentication system.

Also if using a source control system as the authentication service, you might not wish to create lots of groups just for managing permissions within SonarQube, as this would make the source control system untidy (and the SonarQube admin might then also need to be the source control admin).

Totally agree. In our organization, managing AD groups is difficult and time-consuming due to the level of bureaucracy involved. It is good for bulk things like adding entire teams, but for more granular control, it would be better to have the option to manage permissions in SonarQube - not only individuals, but groups.

Our setup is to sync development teams from AD. They may create projects and execute analysis on projects that have the correct prefix in their name, but nothing else. Then we also have local admin group that has the permission to administrate projects (and issues within them) that have the correct prefix. Granting permissions for individual people would be hassle compared with a group.

Furthermore, I believe the SonarQube UI itself should very clearly state, in bold, “You have enabled AD group sync, do not use local groups”. People who jump into an existing instance of SQ don’t necessarily go reading all docs immediately - and to add insult to injury, the way this is formulated in the docs is not the most clear, especially since English is not the native language of many of the users. And indeed, judging from the number of support threads, this point is very easy to miss… Not to mention it is very unintuitive behaviour!