Group persitence problem

Hi, everyone.

I have a problema with a SonarQube Enterprise (version 8.9.8).

When I add an user in a group (administrators, for example), the privileges only last while the user is logged. If he log out, disappears from the group.

Thanks for the help!

Hey there.

Are you also delegating authentication to an external identity provider like LDAP? As noted in the documentation on Delegated Authentication:

When group mapping is configured, the delegated authentication source becomes the only place to manage group membership, and the user’s groups are re-fetched with each log in.

Meaning that if you are manually managing group membership and have* parameters configured, group membership will be revoked for users upon login if that group doesn’t also exist in LDAP (the same applies for other delegated authentication mechanism as well: SAML, GitHub, etc.)

Hi Colin, thanks so much for ur reply!.

So to manage users in groups is only by LDAP (they need has the same name according to documentation), I can’t any way to manage this from the plaftorm of SonarQube? (without disabling LDAP)

Another question, if I change the privileges (for user or group), from the platform like administer system, this has persistence?

Greetings, and thanks for your time!

You can disable Group Mapping (meaning you only manage group membership in SonarQube) by removing the* configuration in your server settings (in a conf/ file, for example)

Permissions assigned to users are unaffected by group mapping, as well as the permissions themselves. The only thing affected by group mapping is membership in groups.

— removed. I’ll post it separately

Thank you so much.

Grateful with you!

Hey @daniel

Your understanding is right – and thanks for being open to a conversation about it.

  • Our long-term stance has been that if you’re going to delegate group membership to an external identity provider, you should delegate all of it, otherwise you have two sources of truth for group membership.
  • It avoids having to answer questions like – what happens when a group exists in both SonarQube and LDAP?
  • Features like group mapping are also typically targeted to Enterprise environments where, at least from my experience, security teams like having a tight grip on authorization controls (making it trivial to revoke access from a user in just one place, not two).

sorry i somehow did not see you typing, i will reply with the separate thread here…