Teams within Sentry are provisioned with the SCIM integration, connected to Entra ID groups.
On creation/first sync of the Entra ID group, a new team is provisioned within Sentry.
By default, when members get added to the Entra ID group, they will get the Contributor role within Sentry.
When a Contributor tries to add a new project to the team (which is not allowed), it will automatically create a new team based off the Contributor's user.
Context
We are running into some unwanted "bugs" when we onboard teams via the SCIM integration. This initially works fine and as intended, we request new Entra ID groups and those are automatically synced with our Sentry Organization for the creation of teams.
By default each user is given the role Contributor, which in theory is what we would like. If needed, we give certain users the Team Admin role, so they can start creating projects within their team. However, when someone who has the role Contributor tries to create a new project (which is not allowed), it automatically creates a new team based on that specific user. This is somewhat unexpected, as the creation of teams should be explicitly controlled by Entra ID and the SCIM integration. This results in manual cleanup of the (by accident created) team, and the users are sometimes not even aware this happens.
We would like to see a fix that when SCIM integration is enabled, it is not possible to create new teams manually or as a result when Contributors try to create/setup a new project within Sentry. We do not support personal projects within our Organization. This has a high priority for us, as it can lead to a lot of manual work.
Expected Result
When SCIM integration is responsible for the provisioning of teams within Sentry, a Contributor should only get an error when trying to add a new project for the team.
Actual Result
When a Contributor tries to add a project within a team, which is not allowed, a new team is automatically created based on the Contributor's user.
When a Contributor tries to add a new project to the team (which is not allowed)
How is this not allowed? If you go to organization settings, is project creation by member setting off? For context, when members create a project, we create a new personal team for them to put that project in. That way, the member only has access to modify that project, not any other project out of that team.
Environment
SaaS (https://sentry.io/)
Steps to Reproduce
Product Area
Settings - Teams
Link
No response
DSN
No response
Version
No response