
Add group provisioning support via Temporal Cloud API #77

Open

c1-dev-bot[bot] wants to merge 1 commit into main from epd-1658/group-provisioning

Conversation


@c1-dev-bot c1-dev-bot bot commented Mar 3, 2026

Summary

Adds group provisioning support to the Temporal Cloud connector, enabling sync and management of user groups via the Temporal Cloud Groups API.

Changes

  • New group resource type (pkg/connector/groups.go): Syncs all user groups (Cloud, Google, SCIM types) with full membership management

    • List(): Fetches all user groups via GetUserGroups API with pagination
    • Entitlements(): Exposes a "member" assignment entitlement per group
    • Grants(): Lists group members via GetUserGroupMembers API with pagination
    • Grant(): Adds users to groups via AddUserGroupMember API
    • Revoke(): Removes users from groups via RemoveUserGroupMember API
  • Group namespace access (pkg/connector/namespaces.go): Groups can now be granted/revoked namespace permissions

    • Namespace entitlements are now grantable to both users and groups
    • Namespace grants now include both user-based and group-based access
    • Grant/Revoke dispatches to the appropriate API based on principal type (user vs group)
    • Uses SetUserGroupNamespaceAccess API for group namespace permissions
  • Helper functions (pkg/connector/helpers.go): Added protoUserGroupToResource and grant creation helpers for groups

  • Resource type registration (pkg/connector/resource_types.go, pkg/connector/connector.go): Registered the new group resource type and builder

Group Types Supported

All three Temporal Cloud group types are synced:

  • Cloud groups: Native Temporal Cloud groups with full membership management
  • Google groups: Google Workspace-integrated groups (identified by email)
  • SCIM groups: Identity provider-provisioned groups (identified by IDP ID)

API Methods Used

  • GetUserGroups / GetUserGroup - List and fetch groups
  • GetUserGroupMembers - List group membership
  • AddUserGroupMember / RemoveUserGroupMember - Manage membership
  • SetUserGroupNamespaceAccess - Manage group namespace permissions

Test plan

  • Verify groups are synced correctly from Temporal Cloud
  • Verify group membership grants are listed accurately
  • Test adding a user to a Cloud group
  • Test removing a user from a Cloud group
  • Test granting a group namespace access (admin/write/read)
  • Test revoking a group's namespace access
  • Verify idempotency for already-existing grants and already-revoked grants
  • Confirm Google and SCIM groups are synced with correct profile metadata

Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

  • Human review of the implementation approach
  • Manual testing to verify correctness
  • Approval from the appropriate team before merging

- Add group resource type with TRAIT_GROUP for syncing user groups
- Implement group membership provisioning (add/remove members)
- Support listing groups, group members, and membership entitlements
- Update namespace grants to support group-based namespace access
- Add Grant/Revoke for group namespace permissions via SetUserGroupNamespaceAccess API
- Support all three group types: Cloud, Google, and SCIM groups
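The description above names three mechanics a reviewer will want to see end to end: the paginated reads behind List()/Grants(), the idempotent Grant() path, and the Grant/Revoke dispatch on principal type (user vs group). The Go sketch below is an added illustration and is not code from this PR or from the Temporal Cloud SDK: GroupClient is a hypothetical interface whose method names echo the API methods the PR lists, but the signatures, the string page token, the ErrAlreadyMember sentinel and the in-memory FakeClient are all assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strconv"
)

// Constructed stand-ins for the connector's model; not Temporal Cloud SDK types.
type Group struct{ ID, Name, Type string } // Type: "cloud", "google" or "scim"
type Principal struct{ Type, ID string }   // Type: "user" or "group"

// GroupClient is a hypothetical interface echoing the API methods the PR names; the real SDK uses request/response structs.
type GroupClient interface {
	GetUserGroups(ctx context.Context, pageToken string) ([]Group, string, error)
	AddUserGroupMember(ctx context.Context, groupID, userID string) error
	SetUserNamespaceAccess(ctx context.Context, namespace, userID, perm string) error
	SetUserGroupNamespaceAccess(ctx context.Context, namespace, groupID, perm string) error
}

var ErrAlreadyMember = errors.New("already a member") // assumed sentinel for a duplicate add

// collect drains a paginated call by following the page token until it is empty.
func collect[T any](fetch func(token string) ([]T, string, error)) ([]T, error) {
	var all []T
	for token := ""; ; {
		page, next, err := fetch(token)
		if err != nil {
			return nil, err
		}
		all = append(all, page...)
		if next == "" {
			return all, nil
		}
		token = next
	}
}

// ListAllGroups is the paginated read behind List(): every page, in order.
func ListAllGroups(ctx context.Context, c GroupClient) ([]Group, error) {
	return collect(func(t string) ([]Group, string, error) { return c.GetUserGroups(ctx, t) })
}

// AddMember is idempotent: an existing grant counts as success, any other error propagates.
func AddMember(ctx context.Context, c GroupClient, groupID, userID string) error {
	if err := c.AddUserGroupMember(ctx, groupID, userID); err != nil && !errors.Is(err, ErrAlreadyMember) {
		return err
	}
	return nil
}

// SetNamespaceAccess dispatches on principal type; an unknown type is rejected, not treated as a user.
func SetNamespaceAccess(ctx context.Context, c GroupClient, ns string, p Principal, perm string) error {
	switch p.Type {
	case "user":
		return c.SetUserNamespaceAccess(ctx, ns, p.ID, perm)
	case "group":
		return c.SetUserGroupNamespaceAccess(ctx, ns, p.ID, perm)
	}
	return fmt.Errorf("unsupported principal type %q", p.Type)
}

// FakeClient is an in-memory stand-in serving PageSize groups per call, with the offset as page token.
type FakeClient struct {
	Groups   []Group
	Members  map[string][]string
	Access   map[string]string // "namespace/type/id" -> permission
	PageSize int
}

func (f *FakeClient) GetUserGroups(_ context.Context, token string) ([]Group, string, error) {
	start, _ := strconv.Atoi(token) // "" parses as 0; the parse error is ignored in this fake
	if end := start + f.PageSize; end < len(f.Groups) {
		return f.Groups[start:end], strconv.Itoa(end), nil
	}
	return f.Groups[start:], "", nil
}

func (f *FakeClient) AddUserGroupMember(_ context.Context, gid, uid string) error {
	for _, m := range f.Members[gid] {
		if m == uid {
			return ErrAlreadyMember
		}
	}
	f.Members[gid] = append(f.Members[gid], uid)
	return nil
}

func (f *FakeClient) SetUserNamespaceAccess(_ context.Context, ns, uid, perm string) error {
	f.Access[ns+"/user/"+uid] = perm
	return nil
}

func (f *FakeClient) SetUserGroupNamespaceAccess(_ context.Context, ns, gid, perm string) error {
	f.Access[ns+"/group/"+gid] = perm
	return nil
}
```

Two points in this sketch are worth checking against the real groups.go and namespaces.go: the pagination loop must terminate on an empty token rather than an empty page (a server may legitimately return a short or empty page with a continuation token), and the principal-type switch must fail closed, so a resource of an unexpected type can never be handed to the user-access API.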
@c1-dev-bot c1-dev-bot bot requested a review from a team March 3, 2026 17:09

linear bot commented Mar 3, 2026

