I somehow have 2 accounts that appear to have been assigned the same permissions but do not behave the same way.
We created an organization via the Azure DevOps link here, then set up an Enterprise plan later.
After the initial org creation via the ADOS login link, I had a single admin account. When the Enterprise plan was set up and SSO configured, my email address was divorced from that account and seemingly migrated onto a new SSO account. The new account accessed via the SSO login was provisioned with no admin privileges or even knowledge of the organization that had already been set up. Logging in via ADOS to get to the original account shows a warning banner saying my email canât be linked.
To this day, I have 2 accounts - one not tied to my email address when using the ADOS login link & one with my email when using the SSO link. SSO has been configured and both accounts have mirrorâd permissions according to what I can see in the UI, but the original account (ADOS login, no email) is the only one in my company thatâs able to access the organization when attempting to add new projects.
When trying to âAnalyze new projectâ, the original account populates the organization and kicks off a call to get our ADOS repos. The new account doesnât default the organization, but instead has me use a dropdown which is populated with a single entry which is the correct org name, but the control is disabled.
The ideal scenario is to be able to add/remove permissions to an SSO login account attached to an email address. If Admin permissions to the Org & Enterprise are granted to that account, it should be able to import new projects.
Anyone seen this sort of thing before? What additional details might help? Sorry for the text wall; thanks in advance for your time.
Your SSO-enabled user has been added to the organization where you want to create projects. You can verify this by checking the Members tab of your organization.
If yes, does your SSO-enabled user have the same Create permission as your Azure DevOps user (at the org level via Administration > Permissions)? See the screenshot below.
Itâs possible to have admin access to an organization without having the permission to create projects.
In SQC you need to use the Group sync feature to add users to your Organizations. This means that you need to have the Group attribute added and then have groups or groups added in your SSO to the application and also have the same groups (same name) created in the organization in SonarQube Cloud.
Please check the following documentation for more information.
Thank you for the insights, Colin & Arturo. The provided info let me to more testing.
The problem is that group membership changes for the SSO user donât persist. If I add the user to groups permitted to administer the organization, I can add projects. But when that user logs out & logs back in again, the groups are reset.
The behavior is consistent whether adding or removing group membership. We have 6 groups set up and the SSO account is a member of 3 of those. If I use the checkboxes in the UI to add groups during the session, the the UI reflects the change and shows that itâs a member of 6 groups and Iâm able to import projects (as long as Iâve added a group permitted to administer the org). If that user logs out & back in, itâs only a member of 3 groups.
The behavior is consistent for group removal as well. If I remove the user from all groups (except Members), the UI confirms the change and shows the group membership count as 1.
If I then log out & back in, the user is a member of the same 3 groups itâs always a member of at login.
Membership changes to the ADOS user made via the UI persist.
Thatâd all be fine if the account with the changes that persist were for the user attached to my email address. Any ideas on how to do that or why the SSO/emailAddress userâs changes get wiped out?
Hey @Brad_Lav, this is because of the group sync feature between SonarQube Cloud and your SSO. When a SSO user signs in, SonarQube will check if there are any groups it needs to be added to in your Organization. It will basically sync the groups for that user. This is expected behavior. If you want them to be part of more groups, you will need to create them in your SSO and create them in SQC Organization with the same name.
Thank you, Arturo. That does help explain things, but brings up questions.
We use Okta as our IdP, but I donât have rights to it - are there permission sets configured there as well as in SQC or is it just names of groups?
Also tested this with another user⌠the findings:
Group membership changes for a particular user in SQC are reverted by whateverâs in Okta whenever the user logs in. Groups will continue to exist in SQC, but the userâs membership will have been:
removed if that group/member combination isnât present in Okta. (Nice to know and useful for single-use permissions.)
added if a membership was deleted in SQC, but remains in Okta.
User & group permissions in SQC are additive - If a user is a member of a group with only âExecute Analysisâ and the userâs individual permissions only has âAdminister Organizationâ checked, they can do both.
Does that sound accurate? Anything relevant I missed?
edit: added âfor a particular userâ based on next reply
The group membership in SQC for Okta users is determined by the groups they are a part of in Okta. These groups get synced every time a user signs in and it is per user. So if user A signs in, only that user will be added to their respective groups. If then user B signs in, they will the added to theirs. It is not that the list of users are added to the groups at a certain point. Everything is determined by the information being received by SonarQube.
And yes, the permissions should aggregate between group permissions and the user permissions.
