Add Capability to Force-Delete SCIM-Provisioned Users or Groups
pending feedback
Evergreen Iguana
Currently, when a group exists in both Azure AD and Harness, but certain users are found only in Azure AD, forcing provisioning from Azure AD fails. This occurs because Azure identifies the user as already present, even though it is not in Harness. We propose a feature to enable account administrators to force-delete users or groups that were provisioned via SCIM. This functionality would allow for a clean refresh of data from Azure AD, resolving synchronization issues without manual intervention.
Prateek Mittal
pending feedback
Prateek Mittal
Hi,
As per the current model, if a user is deleted from the SCIM provider, then it will be deleted from Harness, not the other way around.
The same is documented here - https://developer.harness.io/docs/platform/role-based-access-control/provision-users-with-okta-scim/#harness-user-management-with-okta-scim
To delete in Harness, if you delete in the SCIM provider, the SCIM should re-provision the user/group in the next cycle. Please let me know the concern here.
Thanks
Prateek
Visiting Puffin
Prateek Mittal - My experience in our account has been that if a user group is manually created before SCIM is enabled, SCIM cannot provision that group. If you provision a group with SCIM through Azure provisioning, I am unable to remove this group from Harness manually. Even if I remove this group from Azure, the group does not get deleted in Harness and retains "This is a SCIM managed group and cannot be deleted".
Visiting Puffin
I second the need for a way to delete SCIM-created groups in Harness. Currently, I am stuck with a group provisioned through Azure, with no way to delete it through the UI. I assume I may have more luck using the Harness API to delete this, but it would be much more preferred to have Azure automatically clean the group up after it is removed from the list of Azure groups in the enterprise application.
There's an underlying resource group for each of our user groups in Harness that determines the scoped projects that team has access to. So after I remove them in Azure, their user group, resource groups, and access are all persisting. I don't necessarily need to clean up the resource group, but if I'm not in the Azure group list, I shouldn't be able to access Harness via SSO.
Prateek Mittal
under review