User cannot be added as member when SCIM identity inactive
What does this MR do and why?
- With the feature flag skip_saml_identity_destroy_during_scim_deprovision disabled, a user's SCIM identity is deleted when they are SCIM deprovisioned.
- As a result, the GroupSaml::Membership enforcer works as expected and does not let a user be added to a subgroup or project after they have been SCIM deprovisioned.
- When the feature flag is enabled, however, we keep the SCIM identity when the user is SCIM deprovisioned.
- As a result, a user could be added to a subgroup or project.
- To remediate this, we are adding logic that also checks for any inactive SCIM identities for the root group when looking at whether a user can be added to a subgroup or project.
- Fixes #413079 (closed)
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
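
The membership decision described in this MR, as an added example that is not part of the MR or GitLab's own code. ScimIdentity, MembershipEnforcerModel, the method names and the sample records are hypothetical, and the pre-fix check is modelled on the assumption that a surviving identity record was enough to allow the add.

```ruby
# Simplified model (added example): hypothetical names, not GitLab classes.
ScimIdentity = Struct.new(:user_id, :root_group_id, :active, keyword_init: true)

class MembershipEnforcerModel
  def initialize(scim_identities)
    @scim_identities = scim_identities
  end

  # Assumed pre-fix behaviour: the add is allowed whenever an identity record
  # for the root group still exists, whatever its state.
  def can_add_user_before_fix?(user_id, root_group_id)
    identities_for(user_id, root_group_id).any?
  end

  # Behaviour with the fix: any inactive SCIM identity for the root group
  # blocks the add to a subgroup or project, even though the record was kept.
  def can_add_user?(user_id, root_group_id)
    records = identities_for(user_id, root_group_id)
    return false if records.empty?

    records.all?(&:active)
  end

  private

  def identities_for(user_id, root_group_id)
    @scim_identities.select do |identity|
      identity.user_id == user_id && identity.root_group_id == root_group_id
    end
  end
end

# Constructed sample data for root group 10:
#   user 1: provisioned, identity active
#   user 2: deprovisioned with the flag enabled (identity kept, inactive)
#   user 3: deprovisioned with the flag disabled (identity deleted, no record)
def sample_enforcer
  MembershipEnforcerModel.new([
    ScimIdentity.new(user_id: 1, root_group_id: 10, active: true),
    ScimIdentity.new(user_id: 2, root_group_id: 10, active: false)
  ])
end

# Returns, per user, the decision before and after the added check.
def decisions
  enforcer = sample_enforcer
  [1, 2, 3].to_h do |user_id|
    [user_id, { before: enforcer.can_add_user_before_fix?(user_id, 10),
                after: enforcer.can_add_user?(user_id, 10) }]
  end
end
```

Only user 2, whose identity was kept but is inactive, changes outcome between the two checks.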