Area: Product Issues
Sub-Area: User Access Management
Issue
User groups in DataHub environments can suddenly disappear, causing all users to lose their previously assigned privileges and access controls. This typically occurs when external identity provider (IdP) synchronization processes send empty or incorrect group membership data to DataHub, overwriting existing group assignments.
You Might Be Asking
- Why did all my DataHub groups disappear suddenly?
- How can I restore lost user groups and their privileges?
- What causes SCIM provisioning to remove group memberships?
- How do I prevent this from happening again?
Solution
- Immediate Recovery for DataHub Cloud Customers
Contact DataHub Support immediately for emergency backup restoration. DataHub Cloud automatically backs up all metadata including groups and privileges as part of the managed service.
- Identify the Root Cause
Check the following potential causes in order of likelihood:
- SCIM Provisioning Issues: Review your Identity Provider (Okta, Azure AD, etc.) SCIM provisioning logs for DELETE operations or empty group synchronizations
- Ingestion Source Problems: Check if any identity-related ingestion sources with stateful ingestion and soft-delete enabled ran recently
- Manual API Operations: Review DataHub audit logs for any bulk delete operations on group entities
- SSO Group Sync Overwrites: Verify if SSO configuration with group membership synchronization caused overwrites
- Restore Group Memberships via Identity Provider
If the issue was caused by IdP synchronization:
- Access your Identity Provider (Okta, Azure AD, etc.)
- Verify users are assigned to the correct SCIM application groups
- Re-assign affected users to their appropriate DataHub groups in the IdP
- Trigger a manual sync or wait for the next scheduled synchronization
- Verify group memberships appear correctly in DataHub
- Manual Group Recreation (if needed)
If automatic restoration is not possible:
    # Using DataHub CLI to recreate groups
    datahub group create --name "ADMIN" --description "Admin users"
    datahub group create --name "EDITOR" --description "Editor users"
    datahub group create --name "READER" --description "Reader users"
    # Add users to groups
    datahub group add-user --group "ADMIN" --user "user@example.com"
- Verify Recovery
- Check that all expected groups are visible in DataHub UI
- Confirm users can access resources according to their group permissions
- Test group-based access controls are working correctly
Additional Notes
This issue most commonly affects environments with SCIM provisioning configured. The simultaneous loss of groups across multiple environments (sandbox and production) typically indicates an external trigger rather than a platform bug. Prevention involves monitoring IdP configuration changes and implementing proper change management for SCIM applications. For DataHub Cloud customers, metadata backup and restore capabilities are included as part of the managed service.
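The SCIM log review in the root-cause step, and the IdP monitoring recommended above, come down to spotting requests that delete a group or empty its membership. The scan below is an added example, not DataHub or IdP code; the JSON-lines record layout, the group IDs and the function names are assumptions, so a real IdP log export has to be mapped into this shape first.

```python
import json

# Constructed sample: one JSON record per SCIM 2.0 request the IdP sent to DataHub.
# The record layout (ts/method/path/body) is an assumption, not a DataHub or IdP format.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "method": "PATCH", "path": "/scim/v2/Groups/g-admin", "body": {"Operations": [{"op": "add", "path": "members", "value": [{"value": "u1"}]}]}}
{"ts": "2024-05-01T10:05:00Z", "method": "PUT", "path": "/scim/v2/Groups/g-editor", "body": {"displayName": "EDITOR", "members": []}}
{"ts": "2024-05-01T10:05:01Z", "method": "PATCH", "path": "/scim/v2/Groups/g-reader", "body": {"Operations": [{"op": "Remove", "path": "members"}]}}
{"ts": "2024-05-01T10:05:02Z", "method": "DELETE", "path": "/scim/v2/Groups/g-admin", "body": null}
{"ts": "2024-05-01T10:06:00Z", "method": "PATCH", "path": "/scim/v2/Groups/g-editor", "body": {"Operations": [{"op": "remove", "path": "members[value eq \\"u7\\"]"}]}}
{"ts": "2024-05-01T10:07:00Z", "method": "PATCH", "path": "/scim/v2/Users/u1", "body": {"Operations": [{"op": "replace", "value": {"active": false}}]}}
"""


def wipe_reason(method, body):
    """Return why a /Groups request deletes or empties a group, or None."""
    body = body or {}
    if method == "DELETE":
        return "group deleted"
    if method == "PUT" and not body.get("members"):
        return "PUT replaced the group with no members"
    if method != "PATCH":
        return None
    for op in body.get("Operations", []):
        # Compare case-insensitively: some clients send "Remove"/"Replace".
        name = str(op.get("op", "")).lower()
        path = (op.get("path") or "").lower()
        value = op.get("value")
        if name == "remove" and path == "members":
            return "PATCH removed all members"  # a filtered path removes one user only
        if name == "replace" and path == "members" and not value:
            return "PATCH replaced members with an empty list"
        if name == "replace" and not path and isinstance(value, dict):
            if "members" in value and not value["members"]:
                return "PATCH replaced members with an empty list"
    return None


def find_destructive_group_ops(log_text):
    """Scan JSON-lines SCIM records; return (ts, group_id, reason) per finding."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if "/Groups/" not in rec["path"]:
            continue  # only group resources matter here
        reason = wipe_reason(rec["method"].upper(), rec.get("body"))
        if reason:
            findings.append((rec["ts"], rec["path"].rsplit("/", 1)[-1], reason))
    return findings
```

A burst of findings across many groups within a few seconds, as in the sample, matches the empty-sync pattern described in the Issue section; a single filtered removal is ordinary membership churn and is not reported.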
Tags: groups, access-control, scim, provisioning, identity-provider, backup-restore, permissions, sso, user-management, okta