docs(auto-create-groups): polish IFC-2521 user docs + dev knowledge + changelog #9340
Merged
No issues found across 4 files
Confidence score: 5/5
- Automated review surfaced no issues in the provided summaries.
- No files require special attention.
Shadow auto-approve: would auto-approve. This PR is purely documentation: it adds a new section to the SSO guide, updates developer event docs, adds a changelog fragment, and removes a stale task tracker—no source code, config, or business logic changes are made.
0 issues found across 6 files (changes from recent commits).
Shadow auto-approve: would auto-approve. This PR adds documentation, event serialization methods, GraphQL types, and tests for the already-merged auto-create group events, with no changes to core business logic, security, or data paths, making the risk very low.
746b51c to 6bafaa9
b161343 to 01c20ad
ea93e62 to a943b7e
01c20ad to bf10b25
bf10b25 to 6257c96
6257c96 to 351e60e
Base automatically changed from pmi-20260517-event-autocreation-groups to develop, May 26, 2026 07:20
Add a new "Auto-create groups from identity provider claims" section to the advanced-sso guide covering: opt-in via the regex filter, the named-capture vs full-claim name extraction, precedence over the default-group fallback, the per-login cap and its dropped-claim behavior, the `origin` provenance attribute on auto-created groups, and the three audit events emitted on the event bus. Also update the in-page warning at the top of "Group mapping" — it was stating that Infrahub never auto-creates groups, which is no longer true. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add `GroupAutoCreatedEvent`, `GroupAutoCreateRejectedClaimEvent`, and `GroupAutoCreateCapBreachEvent` alongside the existing membership events so the table reflects what's actually defined in `group_action.py`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The per-task tracking file becomes stale once the feature ships and is no longer load-bearing. The durable design artifacts (spec, plan, data-model, research, quickstart, contracts/, checklists/) stay in place. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Drop env var name, event class names, origin attribute detail, and cap-setting key — those belong in docs, not the changelog. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The upstream branch renamed GroupAutoCreateRejectedClaimEvent → GroupAutoCreateRejectedEvent and GroupAutoCreateCapBreachEvent → GroupAutoCreateCappedEvent, with the matching event_name strings flattened from dotted to flat form. Sync the user-facing SSO guide, the events knowledge table, and the spec artifacts to match the code. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…package The auth package owns a non-trivial pipeline (password / SSO / LDAP → claim filter → auto-create → default-group fallback → membership) with no high-level write-up. Add dev/knowledge/backend/authentication.md to cover the entry points, the SSO group resolution pipeline, the AutoCreateEventEmitter Live/Disabled split, and the config keys. Surface the auth/ package in backend/AGENTS.md and the architecture layer table so future readers find it from the standard entry points, and cross-link from events.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
351e60e to 06e6a27
ajtmccarty approved these changes, May 27, 2026
Why

The IFC-2521 auto-create-groups epic shipped without the user-facing and dev-knowledge docs caught up. Operators have no public reference for `auto_create_groups_filter` / `auto_create_groups_max_per_login` behavior, the `origin` provenance attribute, or the three new audit events; the dev event-types table still lists only the membership events; no changelog fragment exists.

Closes https://opsmill.atlassian.net/browse/IFC-2593 (docs polish phase).

What changed

- `docs/docs/deploy-manage/user-management/sso/advanced-sso.mdx` and documentation update.
- `dev/knowledge/backend/events.md`.
- `+ifc-2521-auto-create-account-groups.added.md`.
- `dev/specs/infp-556-auto-create-groups/tasks.md` (per-task tracker becomes stale post-shipping; durable spec artifacts kept).

How to test

Build the docs site locally and visit the SSO "Advanced SSO" page to confirm the new section renders.

Checklist

uv run towncrier create ...)

Summary by cubic

Polishes user and developer docs for SSO auto-create account groups (IFC-2521). Adds the Advanced SSO guide section, documents the auth pipeline, syncs event names across docs/specs, surfaces the `auth/` package in architecture docs, and adds a trimmed changelog entry.

- `security.auto_create_groups_filter`, named-capture extraction, precedence over the default group, per-login cap via `security.auto_create_groups_max_per_login`, `origin` provenance (read-only, `display: extra`), and emitted events; updated the group-mapping note.
- `dev/knowledge/backend/authentication.md`: password/SSO/LDAP flows, SSO group-resolution pipeline, `AutoCreateEventEmitter` (Live/Disabled), and config keys; linked from `backend/AGENTS.md` and the architecture layer table (new Auth layer).
- `GroupAutoCreatedEvent`, `GroupAutoCreateRejectedEvent`, `GroupAutoCreateCappedEvent`; propagated the rename from the old `...RejectedClaimEvent` / `...CapBreachEvent` across contracts, data-model, plan, research, quickstart; removed obsolete `dev/specs/infp-556-auto-create-groups/tasks.md`.

Written for commit 06e6a27. Summary will update on new commits.