feat(core): Make user role provisioning available on enterprise #22166
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BundleMonUnchanged files (2)
No change in files bundle size Groups updated (2)
Final result: ✅ View report in BundleMon website ➡️ |
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
This comment has been minimized.
This comment has been minimized.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
cubic analysis
4 issues found across 7 files
Prompt for AI agents (all 4 issues)
Understand the root cause of the following 4 issues and fix them.
<file name="packages/frontend/editor-ui/src/features/settings/sso/provisioning/components/UserRoleProvisioningDropdown.vue">
<violation number="1" location="packages/frontend/editor-ui/src/features/settings/sso/provisioning/components/UserRoleProvisioningDropdown.vue:24">
`canManageUserProvisioning` is computed once before RBAC scopes load, so the dropdown stays disabled even for authorized users. Make it reactive (e.g., via a computed ref bound to the RBAC store) so the select unlocks when scopes arrive. According to linked Linear issue PAY-4168, the dropdown must be usable once exposed.</violation>
</file>
<file name="packages/@n8n/backend-common/src/license-state.ts">
<violation number="1" location="packages/@n8n/backend-common/src/license-state.ts:178">
Removing `feat:ldap` from `isProvisioningLicensed()` blocks provisioning for LDAP-only enterprise tenants, because provisioning.controller still gates every request on this check and now permanently throws for those licenses.</violation>
<violation number="2" location="packages/@n8n/backend-common/src/license-state.ts:178">
Rule violated: **Tests**
Removing LDAP from the provisioning license gate changes core enterprise licensing logic but no backend-common test covers `isProvisioningLicensed`, violating the Community PR guideline that code changes ship with tests. Please add or update unit tests verifying the new gating behavior.</violation>
</file>
<file name="packages/frontend/editor-ui/src/features/settings/sso/views/SettingsSso.vue">
<violation number="1" location="packages/frontend/editor-ui/src/features/settings/sso/views/SettingsSso.vue:97">
Selecting an unlicensed protocol now renders an empty section because the upgrade action box only appears when both SAML and OIDC are disabled. Show the CTA whenever the currently selected protocol lacks a license so users still see an upgrade prompt.</violation>
</file>
Linked issue analysis
Linked issue: PAY-4168: Remove feature flag check
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | The "User role provisioning" dropdown in our SSO settings is shown unconditionally | Removed feature-flag gating; dropdown always rendered in SSO forms |
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
...editor-ui/src/features/settings/sso/provisioning/components/UserRoleProvisioningDropdown.vue
Show resolved
Hide resolved
packages/frontend/editor-ui/src/features/settings/sso/views/SettingsSso.vue
Outdated
Show resolved
Hide resolved
|
E2E Tests: n8n tests timed out after 30m Run Details
Groups
This message was posted automatically by
currents.dev | Integration Settings
|
konstantintieber
requested review from
a team and
afitzek
and removed request for
a team
BGZStephen
previously approved these changes
Nov 24, 2025
This comment has been minimized.
This comment has been minimized.
BGZStephen
approved these changes
Nov 24, 2025
konstantintieber
added
release/backport-to-beta
release/backport
Merged
|
Got released with |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Removes the feature flag check for user role provsioning.
Full demo video of the feature: https://n8nio.slack.com/archives/C09TBR1FL22/p1763988437444049
Also fixes some duplicated code on the "enterprise license" banner in the SSO form.
Disables user role provisioning dropdown if scope
provisioning:manageis missing (this is also enforced on the backend already).Improves project role access csv export by only exporting the string value that should be used in the SSO config (we omit the
project:role prefix on the SSO side for easier configuration).Related Linear tickets, Github issues, and Community forum posts
Closes PAY-4168
Review / Merge checklist
release/backport(if the PR is an urgent fix that needs to be backported)