Are you also delegating authentication to an external identity provider like LDAP? As noted in the documentation on Delegated Authentication:
When group mapping is configured, the delegated authentication source becomes the only place to manage group membership, and the user’s groups are re-fetched with each log in.
Meaning that if you are manually managing group membership and have ldap.group.* parameters configured, group membership will be revoked for users upon login if that group doesn’t also exist in LDAP (the same applies for other delegated authentication mechanism as well: SAML, GitHub, etc.)
Your understanding is right – and thanks for being open to a conversation about it.
Our long-term stance has been that if you’re going to delegate group membership to an external identity provider, you should delegate all of it, otherwise you have two sources of truth for group membership.
It avoids having to answer questions like – what happens when a group exists in both SonarQube and LDAP?
Features like group mapping are also typically targeted to Enterprise environments where, at least from my experience, security teams like having a tight grip on authorization controls (making it trivial to revoke access from a user in just one place, not two).