Add user to Organisation is missing after 9.1.0

Hello,

Does anybody have the issue listed in the subject? Or something changed? We’re using AzureAD as authentication service. Had to roll back to 9.0.7 for the button to appear.

Hi @titasvenclovas,

Welcome to the Grafana community forum!!

Is the current behaviour that you can delete the current users but cannot add new ones, or similarly cannot undo after deleting them?

Thanks

Hello, the button just disappears after the update.

Ok, I actually saw something similar on our Github issues after updating to 9.1.0

I kindly suggest that you look into it, and if the above-reported case is a bit different than yours then please open a new one there while providing all the technical data, e.g. logs, screenshots, version info etc.

Hi there,

I filed the bug report and can confirm that rolling back to 9.0.7 fixes my concern.
Question / remark though, since 9.0 / 9.1 seem to contain a lot of permission / RBAC changes:
a) Is adding / removing local Grafana users to / from organizations still supported? (without using OAuth)
b) How can users that are added via OAuth be added to the organization that I want?

Do you mean moving an OAuth user to a different organization? Or maybe you could elaborate a bit more on this?

Thanks for answering a).
More on b):

  • user1 is created using an external auth provider and is visible in Grafana as an “oauth user”
  • user1 is a member of Grafana organization A.
  • I want to add user1 to another Grafana organization (organization ‘B’)

I have asked this in our team. Once I get an answer, I will get back to you.

So we got the same question on our Github page with the answer:

https://github.com/grafana/support-escalations/issues/3033#issuecomment-1175980196

As a workaround, the customer used the LDAP for user org mapping and enabled skip_org_role_sync to stop OAuth from touching it:

https://github.com/grafana/support-escalations/issues/3033#issuecomment-1203738818

I hope this helps.

Hi,
I cannot access the URLs you shared (results in not found / 404 in my browser).
Still curious though how I should do organization management when I have authentication arranged from somewhere else.
Can you share links that I can access / more info?

Hi @tob123

Sorry for the late reply. So I checked and found that the reason it is not visible is that it is a private repository.

So, I will paste the details here, which should help you in knowing the details.

Grafana’s OAuth integration does not support multiple org mapping, so every time the user logs in with OAuth they’ll be set to org_id 1.

In the process of syncing the user with oauth_info, all other org assignments are removed.

A feature request exists for this but is not on the roadmap for now: grafana/grafana-enterprise#723.

SAML currently supports organization mapping, as does LDAP auth: Configure SAML authentication using the configuration file | Grafana documentation.

Slightly off topic: I’m surprised as to why they use OAuth and LDAP on the same instance; unless they’re using Google OAuth, other OAuth integrations should support team sync.

As a workaround, they can switch to LDAP, i.e.

oauth_state_cookie_max_age should not have any effect on it.

OAuth org memberships are calculated and revoked on login/token validation.

As a workaround, one can increase the expiry time of the OAuth tokens and of the sessions (login_maximum_inactive_lifetime_duration, login_maximum_lifetime_duration and token_rotation_interval_minutes), but this carries security risks such as the inability to revoke a user’s access once they are logged in on a machine.

So for this reason use:

[auth]
# Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
oauth_skip_org_role_update_sync = true

This might work to stop OAuth from hijacking org management.
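As an added illustration (not from the thread and not Grafana's own code), a small Python check that reads a grafana.ini fragment and reports whether the setting above is enabled, and whether the session-lifetime workaround was applied instead. The sample INI is constructed, and the baseline values it compares against are assumed to be Grafana's shipped defaults.

```python
import configparser
import re
from typing import List

# Constructed sample grafana.ini fragment (not from the thread): it stretches
# session/token lifetimes and omits oauth_skip_org_role_update_sync.
SAMPLE_INI = """
[auth]
login_maximum_inactive_lifetime_duration = 90d
login_maximum_lifetime_duration = 365d
token_rotation_interval_minutes = 1440
"""

# Baselines for comparison; assumed to match Grafana's shipped defaults.
DEFAULTS = {
    "login_maximum_inactive_lifetime_duration": "7d",
    "login_maximum_lifetime_duration": "30d",
    "token_rotation_interval_minutes": "10",
}

_UNITS = {"m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value: str) -> int:
    """Convert a Grafana-style duration ("7d", "12h", "30m") to seconds.
    A bare number is treated as minutes (token_rotation_interval_minutes)."""
    m = re.fullmatch(r"\s*(\d+)\s*([mhdw])?\s*", value)
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    num, unit = int(m.group(1)), m.group(2)
    return num * _UNITS[unit] if unit else num * 60


def audit_auth(ini_text: str) -> List[str]:
    """Return findings about how OAuth org sync is handled in [auth]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    auth = cp["auth"] if cp.has_section("auth") else {}
    findings: List[str] = []
    # Preferred fix: stop Grafana overwriting org membership on every OAuth login.
    if auth.get("oauth_skip_org_role_update_sync", "false").strip().lower() != "true":
        findings.append("oauth_skip_org_role_update_sync is not enabled; "
                        "UI org changes will be reverted at the next OAuth login")
    # Risky workaround: longer sessions run the sync less often but delay revocation.
    for key, default in DEFAULTS.items():
        if key in auth and to_seconds(auth[key]) > to_seconds(default):
            findings.append(f"{key}={auth[key]} exceeds the default {default}; "
                            "long sessions delay revoking a user's access")
    return findings
```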

I have an update for this, I shared it in the github issue you opened too:

The legacy external auth behavior has been that changes were allowed in the UI, but then the next time the user logged in via an external provider their settings would be overwritten by the external authentication configuration.

The new behavior introduced by #52160 is that the buttons in the UI will disappear if the user is added by external authentication so there isn’t a false impression that the admin can use the UI to manage the user’s role persistently.

It seems that lots of users were relying on the ability to temporarily override a user’s role. This new PR adds a configurable setting that will disable the role_sync behavior and allow an admin to manage the role in the UI - #55182

Hello Melori,
Thanks for the heads up. I can confirm this solves the issue for me.

Hi,
I am facing the same issue with auth.generic_oauth configured (a Grafana Admin can’t change a user’s organization).
Will the PR fix that too?

The PR is for OAuth and SAML, so it should.