# Managing JIT provisioning

Once you’ve completed the GitLab authentication setup (see [setting-up](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/gitlab/setting-up "mention")) with the Just-in-Time (JIT) provisioning mode (the default mode), you can set or change the [Just-in-Time provisioning](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/gitlab/provisioning-modes/just-in-time "mention") options.

You need the global Administer System permission in SonarQube to perform this setup.

## Setting up the group synchronization <a href="#group-synchronization" id="group-synchronization"></a>

With the JIT provisioning mode, you can enable group synchronization (see [just-in-time](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/gitlab/provisioning-modes/just-in-time "mention")). Group synchronization requires that you manually create the user groups in SonarQube: see below.

{% hint style="warning" %}
If you enable the group synchronization, you cannot manage group memberships manually and existing manually added group memberships of JIT-provisioned users are reset in SonarQube during synchronization.
{% endhint %}

<details>

<summary>Enabling/disabling the group synchronization (Community Edition)</summary>

1. Go to **Administration > Configuration > General Settings > Authentication > GitLab**.
2. Select or unselect the **Synchronize user groups** option.
3. Save.

</details>

<details>

<summary>Enabling/disabling the group synchronization (from the Developer Edition)</summary>

1. Go to **Administration > Configuration > General Settings > Authentication > GitLab**.
2. On the far right of **App ID**, select **Edit**.
3. In the dialog, select or unselect the **Synchronize user groups** option.
4. Save.

</details>

<details>

<summary>Creating the user groups in SonarQube</summary>

To allow group synchronization, you must create in SonarQube a group for each GitLab group and subgroup you want to synchronize: see [user-groups](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/user-management/user-groups "mention").

You must name the SonarQube group according to the URL of the GitLab group or subgroup. Be aware that the name check is case-sensitive.

Examples:

* If the URL of the GitLab group is `https://gitlab.com/my-gitlab-group`, the name of the SonarQube group must be `my-gitlab-group`.
* If the URL of the GitLab group is `https://gitlab.com/my-gitlab-group/sub-group`, the name of the SonarQube group must be `my-gitlab-group/sub-group`.

{% hint style="info" %}
To set the group permissions at the system level, see [user-permissions](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/user-management/user-permissions "mention").
{% endhint %}

</details>
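
The naming rule above, written as a check you can run before enabling group synchronization. This is an added example, not SonarSource code: the function names and the sample lists are constructed for illustration, and it assumes GitLab is served from the host root (no relative URL prefix).

```python
from urllib.parse import urlsplit

# Constructed sample data: GitLab groups to synchronize and the groups
# that currently exist in SonarQube.
GITLAB_URLS = [
    "https://gitlab.com/my-gitlab-group",
    "https://gitlab.com/my-gitlab-group/sub-group",
    "https://gitlab.com/my-gitlab-group/Security-Team/",
]
SONARQUBE_GROUPS = ["my-gitlab-group", "My-GitLab-Group/sub-group", "release-managers"]


def group_name_from_url(url):
    """Expected SonarQube group name: the URL path, case preserved.

    Assumes GitLab is served from the host root (no relative URL prefix).
    """
    path = urlsplit(url).path.strip("/")
    if not path:
        raise ValueError(f"no group path in {url!r}")
    return path


def audit_groups(gitlab_urls, sonarqube_groups):
    """Classify each GitLab group as ok, case_mismatch or missing."""
    existing = set(sonarqube_groups)
    by_lower = {name.lower(): name for name in sonarqube_groups}
    report = {"ok": [], "case_mismatch": [], "missing": []}
    for url in gitlab_urls:
        wanted = group_name_from_url(url)
        if wanted in existing:
            report["ok"].append(wanted)
        elif wanted.lower() in by_lower:
            # Same letters, different case: the case-sensitive check fails.
            report["case_mismatch"].append((wanted, by_lower[wanted.lower()]))
        else:
            report["missing"].append(wanted)
    return report


if __name__ == "__main__":
    for status, names in audit_groups(GITLAB_URLS, SONARQUBE_GROUPS).items():
        print(status, names)
```

A `case_mismatch` entry pairs the name SonarQube expects with the differently cased group that exists today, which is the kind of error that is easy to miss when reviewing the group list by eye.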

## Setting the Allowed groups <a href="#allowed-groups" id="allowed-groups"></a>

Starting from the [Developer Edition](https://www.sonarsource.com/plans-and-pricing/developer/), you can restrict access to SonarQube Server by defining Allowed groups. An Allowed group is a GitLab root group (a group with no parent): only members of the Allowed group and all its subgroups can authenticate to SonarQube Server.

To set the Allowed groups:

1. Go to **Administration > Configuration > General Settings > Authentication > GitLab**.
2. In **Provisioning > Just-in-Time provisioning > Allowed groups**, enter the root group slug as it appears in the GitLab URL. For instance, if the first Allowed group URL is `https://gitlab.com/my-root-group`, then enter `my-root-group`. A new text box is added underneath.
3. Enter the second Allowed group slug, etc.

## Blocking/Authorizing the sign-up of new users <a href="#sign-up-new-users" id="sign-up-new-users"></a>

You can block the sign-up of new users with SonarQube Server. This may be useful if you want to manage the user provisioning through an API.

To block or authorize the sign-up of new users with SonarQube:

<details>

<summary>Community Edition</summary>

1. Go to **Administration > Configuration > General Settings > Authentication > GitLab**.
2. Unselect or select the **Allow new users to sign up** option.
3. Save.

</details>

<details>

<summary>From the Developer Edition</summary>

1. Go to **Administration > Configuration > General Settings > Authentication > GitLab**.
2. In the **Provisioning > Just-in-Time provisioning** section, unselect or select **Allow users to sign up**.

</details>

## Related pages <a href="#related-pages" id="related-pages"></a>

* [just-in-time](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/gitlab/provisioning-modes/just-in-time "mention")
* [automatic](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/gitlab/provisioning-modes/automatic "mention")
* [setting-up](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/gitlab/setting-up "mention")
* [user-permissions](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/user-management/user-permissions "mention")
