Skip to content

[PM-39129] Add UsePam organization capability#7816

Open
Hinton wants to merge 2 commits into
mainfrom
pam/use-pam-capability
Open

[PM-39129] Add UsePam organization capability#7816
Hinton wants to merge 2 commits into
mainfrom
pam/use-pam-capability

Conversation

@Hinton

@Hinton Hinton commented Jun 16, 2026

Copy link
Copy Markdown
Member

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-39129

📔 Objective

Add the UsePam organization ability across the stack, modeled on UseInviteLinks / UseMyItems:

  • Entity + OrganizationAbility + profile/provider detail models
  • Licensing: claim emission and claims-based VerifyData using the conditional HasClaim check (PM-33980) so pre-existing license files still validate
  • API response models and an Admin portal toggle
  • MSSQL schema + migration; EF migrations for Postgres/MySQL/SQLite

Defaults off for all organizations. Plan/pricing wiring is deliberately deferred until a PAM plan tier exists, so the Admin toggle is currently the only way to enable it.

📸 Screenshots

image

@Hinton Hinton requested review from a team as code owners June 16, 2026 12:22
@Hinton Hinton requested review from a team, abergs, connerbw and r-tome June 16, 2026 12:22
@github-actions

github-actions Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

🤖 Bitwarden Claude Code Review

Overall Assessment: REQUEST CHANGES

This PR adds a UsePam organization capability across the stack, modeled on UseInviteLinks/UseMyItems: entity + OrganizationAbility + profile/provider detail models, licensing claim emission and claims-based VerifyData, API response models, an Admin toggle, MSSQL schema/migration, and EF migrations for Postgres/MySQL/SQLite. The change is consistent and the conditional HasClaim check correctly preserves validation of pre-existing license files. One gap was found in the self-hosted license-to-organization mapping.

Code Review Details
  • ⚠️ : UsePam not mapped from license in OrganizationFactory.Create, so self-hosted orgs created from a PAM-enabled license default to UsePam = false
    • src/Core/AdminConsole/Services/OrganizationFactory.cs:69, src/Core/AdminConsole/Services/OrganizationFactory.cs:123

Dependency Changes

No dependency manifest changes.

@codecov

codecov Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 93.54839% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.67%. Comparing base (2706c74) to head (8399deb).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...Admin/AdminConsole/Models/OrganizationEditModel.cs 66.66% 1 Missing ⚠️
.../Core/AdminConsole/Services/OrganizationFactory.cs 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7816      +/-   ##
==========================================
+ Coverage   61.25%   65.67%   +4.41%     
==========================================
  Files        2193     2193              
  Lines       97296    97323      +27     
  Branches     8767     8767              
==========================================
+ Hits        59601    63914    +4313     
+ Misses      35582    31201    -4381     
- Partials     2113     2208      +95

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Hinton added 2 commits June 16, 2026 14:34
@Hinton
PAM: add UsePam organization capability
ad1e603
@Hinton
PAM: map UsePam from license in OrganizationFactory
8399deb 
Self-hosted organizations are created via OrganizationFactory.Create (from a license or its claims) rather than Organization.UpdateFromLicense, so UsePam must be mapped there as well. Without it, an org provisioned from a PAM-enabled license would default to UsePam = false.
connerbw
connerbw previously approved these changes Jun 16, 2026
View reviewed changes

@connerbw connerbw left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Billing changes look good

@Hinton Hinton force-pushed the pam/use-pam-capability branch from 1d8caba to 8399deb Compare June 16, 2026 12:42
@sonarqubecloud

sonarqubecloud Bot commented Jun 16, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
70.9% Duplication on New Code

See analysis details on SonarQube Cloud

@Hinton Hinton requested a review from connerbw June 16, 2026 13:26
@Hinton Hinton mentioned this pull request Jun 16, 2026
Open
mkincaid-bw
mkincaid-bw approved these changes Jun 16, 2026
View reviewed changes

@mkincaid-bw mkincaid-bw left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r-tome r-tome r-tome approved these changes

@connerbw connerbw connerbw approved these changes

@mkincaid-bw mkincaid-bw mkincaid-bw approved these changes

@abergs abergs Awaiting requested review from abergs

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Hinton @r-tome @connerbw @mkincaid-bw