# Just-in-Time provisioning

Just-in-Time (JIT) provisioning is the default provisioning mode. User accounts are created in SonarQube Server when GitLab users log in for the first time. With this mode, you can use the group synchronization and user access restriction features described below.

## Group synchronization <a href="#group-synchronization" id="group-synchronization"></a>

[User groups](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/user-management/user-groups "mention") are used in SonarQube Server to manage user permissions.

With group synchronization:

* The synchronization occurs each time a user logs in to SonarQube Server with their GitLab credentials.
* If a matching group is found in SonarQube Server, the GitLab account's memberships in that group are synchronized in SonarQube Server. The groups match if the SonarQube Server group name matches the GitLab group URL. For example, the SonarQube Server group `my-gitlab-group/sub-group` matches the GitLab group whose URL is `https://gitlab.com/my-gitlab-group/sub-group`. (The name check is case-sensitive. The default built-in `sonar-users` group is excluded from the synchronization.)
* Manually added group memberships of JIT-provisioned users are reset in SonarQube Server at synchronization time.

![](https://3560343708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4FzELVjsPO4ijRo3jtBV%2Fuploads%2Fgit-blob-e1cbe80e00b28cc5c32904e44b904b3b4753f850%2Ff7fc342717f693dd54bdd808477fc978793479d1.png?alt=media)

## User access restriction (Allowed groups) <a href="#user-access-restriction" id="user-access-restriction"></a>

You can block the signup of new users with SonarQube. This may be useful if you want to manage user provisioning through an API.

Starting from the [Developer Edition](https://www.sonarsource.com/plans-and-pricing/developer/), you can restrict access to SonarQube Server by defining Allowed groups. An Allowed group is a GitLab root group (a group with no parent): only members of the Allowed group and all its subgroups can authenticate to SonarQube Server.

{% hint style="info" %}
If group synchronization is enabled, only Allowed groups and subgroups are taken into account during synchronization.
{% endhint %}
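
The matching and Allowed-group rules above, modelled as an added example (not SonarQube Server's own code) that an administrator can run to spot groups that will silently fail to synchronize. The group lists are constructed; the model assumes GitLab is served from the host root, that defining no Allowed groups means no restriction, and that the Allowed-group check is case-sensitive like the name check.

```python
from urllib.parse import urlparse

DEFAULT_GROUP = "sonar-users"  # built-in group, excluded from synchronization


def gitlab_path(group_url):
    """Full group path taken from the GitLab group URL, case preserved."""
    return urlparse(group_url).path.strip("/")


def in_allowed(path, allowed_roots):
    """True if path is an Allowed root group or one of its subgroups."""
    if not allowed_roots:  # assumption: no Allowed groups means no restriction
        return True
    # Compare whole path segments so "my-gitlab-group-2" is not a subgroup match.
    return any(path == r or path.startswith(r + "/") for r in allowed_roots)


def audit(user_group_urls, sonar_groups, allowed_roots=()):
    """Model one login: may the user authenticate, and which groups sync."""
    paths = [gitlab_path(u) for u in user_group_urls]
    usable = [p for p in paths if in_allowed(p, allowed_roots)]
    report = {"can_login": bool(usable) or not allowed_roots,
              "synced": [], "case_mismatch": [],
              "outside_allowed": [p for p in paths if p not in usable]}
    by_lower = {g.lower(): g for g in sonar_groups if g != DEFAULT_GROUP}
    for p in usable:
        if p in sonar_groups and p != DEFAULT_GROUP:
            report["synced"].append(p)  # exact, case-sensitive match
        elif p.lower() in by_lower:
            # Same name apart from letter case: this membership will not sync.
            report["case_mismatch"].append((p, by_lower[p.lower()]))
    return report


# Constructed sample data.
SONAR_GROUPS = {"sonar-users", "my-gitlab-group/sub-group",
                "My-Gitlab-Group/security", "other-root/team"}
USER_GROUPS = ["https://gitlab.com/my-gitlab-group/sub-group",
               "https://gitlab.com/my-gitlab-group/security",
               "https://gitlab.com/other-root/team",
               "https://gitlab.com/sonar-users"]

if __name__ == "__main__":
    print(audit(USER_GROUPS, SONAR_GROUPS, allowed_roots=("my-gitlab-group",)))
```

Entries under `case_mismatch` are the ones to fix first: the user expects permissions from that group but the case-sensitive name check leaves the membership unsynchronized.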

## Related pages <a href="#related-pages" id="related-pages"></a>

* [automatic](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/gitlab/provisioning-modes/automatic "mention")
* [setting-up](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/gitlab/setting-up "mention")
* [managing-jit-mode](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/gitlab/managing-jit-mode "mention")


