
fix(core): Clean up project mapping rules on provisioning strategy switch #28726

Merged
cstuncsik merged 6 commits into master from iam-561-project-mapping-rules-stay-active-after-switching-to
Apr 23, 2026

@cstuncsik cstuncsik commented Apr 20, 2026

Summary

When an admin switches away from a strategy that manages project roles (e.g. from Instance and project roles back to Instance roles only, or from expression-based mapping back to IdP claims), existing role_mapping_rule rows of type='project' are now cleaned up transactionally together with the config update. A danger callout in the confirmation dialog explicitly warns the user before saving, and the project-roles CSV backup download is already gated.

How to manually verify in the browser

Pre-requisite: SSO licence enabled (SAML or OIDC), N8N_ENV_FEAT_ROLE_MAPPING_STRATEGY=true to see expression-based mapping.

Scenario A — IdP mapping, drop project scope

  1. Go to Settings → SSO, configure SAML or OIDC, enable SSO login
  2. In User role provisioning pick Instance and project roles with IdP claims, save
  3. Switch the dropdown to Instance roles only, click Save
  4. The confirmation dialog shows a red "Existing project mapping rules will be permanently deleted" callout
  5. Download the project-roles CSV, tick the checkbox, confirm
  6. Reload the page — dropdown stays on Instance roles only, and GET /role-mapping-rule returns no type: "project" rows

Scenario B — Expression-based, drop project rules

  1. With expression mapping enabled and Instance and project roles selected, add at least one instance rule and one project rule, save
  2. Switch the dropdown to Instance roles only, click Save
  3. The deletion warning appears in the confirmation dialog — confirm
  4. Reload the page — the project rules section is hidden, GET /role-mapping-rule returns only instance rules

Scenario C — Disable SSO entirely

  1. Starting from Instance and project roles (IdP or expression), toggle SSO to Disabled and save
  2. The deletion warning appears — confirm
  3. Project mapping rules are wiped; reloading shows the manual provisioning state

Negative check — no false positives

  1. Starting from Instance roles only (no project rules stored), change any unrelated setting and save
  2. No deletion warning appears, no rules are touched

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/IAM-561/project-mapping-rules-stay-active-after-switching-to-instance-only

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with `Backport to Beta`, `Backport to Stable`, or `Backport to v1` (if the PR is an urgent fix that needs to be backported)

🤖 PR Summary generated by AI

codecov Bot commented Apr 20, 2026

@n8n-assistant n8n-assistant Bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Apr 20, 2026

github-actions Bot commented Apr 20, 2026

Performance Comparison

Comparing current → latest master → 14-day baseline

Memory consumption baseline with starter plan resources

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| memory-rss-baseline | 279.38 MB | 286.68 MB | 289.82 MB (σ 42.90) | -2.5% | -3.6% | |
| memory-heap-used-baseline | 114.61 MB | 114.56 MB | 114.46 MB (σ 0.25) | +0.0% | +0.1% | |

docker-stats

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| docker-image-size-n8n | 1290.24 MB | 1290.24 MB | 1274.88 MB (σ 11.22) | +0.0% | +1.2% | ⚠️ |
| docker-image-size-runners | 387.00 MB | 387.00 MB | 392.31 MB (σ 11.08) | +0.0% | -1.4% | |

Idle baseline with Instance AI module loaded

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| instance-ai-rss-baseline | 381.66 MB | 343.82 MB | 368.35 MB (σ 22.81) | +11.0% | +3.6% | |
| instance-ai-heap-used-baseline | 187.34 MB | 186.83 MB | 186.46 MB (σ 0.27) | +0.3% | +0.5% | 🔴 |

How to read this table
  • Current: This PR's value (or latest master if PR perf tests haven't run)
  • Latest Master: Most recent nightly master measurement
  • Baseline: Rolling 14-day average from master
  • vs Master: PR impact (current vs latest master)
  • vs Baseline: Drift from baseline (current vs rolling avg)
  • Status: ✅ within 1σ | ⚠️ 1-2σ | 🔴 >2σ regression

codecov Bot commented Apr 20, 2026

Bundle Report

Changes will increase total bundle size by 3.27kB (0.01%) ⬆️. This is within the configured threshold ✅

Detailed changes

| Bundle name | Size | Change |
|---|---|---|
| editor-ui-esm | 45.93MB | 3.27kB (0.01%) ⬆️ |

Affected Assets, Files, and Routes:

view changes for bundle: editor-ui-esm

Assets Changed:

| Asset Name | Size Change | Total Size | Change (%) |
|---|---|---|---|
| assets/worker-*.js | -3.14MB | 17.9kB | -99.43% |
| assets/worker-*.js | 3.14MB | 3.15MB | 17517.58% ⚠️ |
| assets/core-*.js | 352 bytes | 629.07kB | 0.06% |
| assets/SettingsSso-*.js | 2.91kB | 109.93kB | 2.72% |

Files in assets/SettingsSso-*.js:

  • ./src/features/settings/sso/provisioning/composables/useUserRoleProvisioningForm.ts → Total Size: 5.55kB

  • ./src/features/settings/sso/provisioning/components/ConfirmProvisioningDialog.vue → Total Size: 406 bytes

  • ./src/features/settings/sso/provisioning/components/RoleMappingRuleEditor.vue → Total Size: 390 bytes

  • ./src/features/settings/sso/components/OidcSettingsForm.vue → Total Size: 366 bytes

  • ./src/features/settings/sso/components/SamlSettingsForm.vue → Total Size: 366 bytes

  • ./src/features/settings/sso/provisioning/composables/useRoleMappingRules.ts → Total Size: 4.47kB

@cstuncsik cstuncsik marked this pull request as ready for review April 21, 2026 07:28

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 17 files

Architecture diagram
sequenceDiagram
    participant Admin as Browser (SSO Settings)
    participant UI as Frontend (Vue/Pinia)
    participant API as Backend API
    participant PS as ProvisioningService
    participant RMRS as RoleMappingRuleService
    participant DB as Database (Transaction)
    participant EB as Event Bus / PubSub

    Note over Admin,EB: Strategy Switch: Project Roles -> Instance Roles Only

    Admin->>UI: Click Save Settings
    
    UI->>UI: CHANGED: Check if dropping project scope
    opt isDroppingProjectRules
        UI->>Admin: NEW: Show confirmation dialog with deletion warning
        Admin->>UI: Confirm & Click Save
    end

    UI->>API: PATCH /sso/provisioning/config
    Note right of UI: NEW: payload includes { deleteProjectRules: true }

    API->>PS: patchConfig(dto)
    
    PS->>DB: CHANGED: Start Transaction (EntityManager)
    
    PS->>DB: Update 'provisioning_preferences' record
    
    opt shouldDeleteProjectRules
        PS->>RMRS: NEW: deleteAllOfType('project', tx)
        RMRS->>DB: DELETE FROM role_mapping_rule WHERE type = 'project'
        DB-->>RMRS: count affected rows
    end
    
    PS->>DB: Commit Transaction
    
    alt Transaction Success
        opt shouldDeleteProjectRules
            PS->>EB: NEW: Emit 'role-mapping-rules-bulk-deleted' (Audit)
        end
        
        opt Multi-Main Setup
            PS->>EB: Publish 'reload-sso-provisioning-configuration'
        end
        
        PS-->>API: Return updated config
        API-->>UI: 200 OK
        UI-->>Admin: Show Success Notification
    else Transaction Failure
        DB-->>PS: Rollback
        PS-->>API: Error
        API-->>UI: 500 Error
    end
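
An added sketch of the flow in the diagram above (not code from this PR or from n8n), in Python with sqlite3 standing in for the TypeORM transaction: the strategy update and the deletion of type='project' rules commit or roll back together, and the audit entry is recorded only after commit. The strategy names, table columns, sample rows and the server-side derivation of whether to delete are assumptions of the sketch.

```python
import sqlite3

# Constructed strategy names for this sketch; n8n's real values are not on this page.
PROJECT_SCOPED = {"instance_and_project_roles"}

def make_db():
    """In-memory stand-in for the two tables named in the PR, with constructed rows."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT below
    db.executescript("""
        CREATE TABLE provisioning_preferences (id INTEGER PRIMARY KEY, strategy TEXT NOT NULL);
        CREATE TABLE role_mapping_rule (id INTEGER PRIMARY KEY, type TEXT NOT NULL, expr TEXT);
        INSERT INTO provisioning_preferences VALUES (1, 'instance_and_project_roles');
        INSERT INTO role_mapping_rule (type, expr) VALUES
            ('instance', 'group == "admins"'),
            ('project',  'group == "team-a"'),
            ('project',  'group == "team-b"');
    """)
    return db

def rule_counts(db):
    """Return {type: count} for the rules currently stored."""
    return dict(db.execute("SELECT type, COUNT(*) FROM role_mapping_rule GROUP BY type"))

def current_strategy(db):
    return db.execute("SELECT strategy FROM provisioning_preferences WHERE id = 1").fetchone()[0]

def patch_config(db, new_strategy, audit_log, fail_before_commit=False):
    """Update the strategy and drop project rules in one transaction.

    Whether to delete is derived server-side from old vs. new strategy (an
    assumption of this sketch). The audit entry is written only after COMMIT.
    """
    db.execute("BEGIN IMMEDIATE")
    try:
        old = current_strategy(db)
        db.execute("UPDATE provisioning_preferences SET strategy = ? WHERE id = 1", (new_strategy,))
        deleted = 0
        if old in PROJECT_SCOPED and new_strategy not in PROJECT_SCOPED:
            deleted = db.execute("DELETE FROM role_mapping_rule WHERE type = 'project'").rowcount
        if fail_before_commit:
            raise RuntimeError("simulated failure before commit")
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")  # config change and rule deletion are undone together
        raise
    if deleted:
        audit_log.append(("role-mapping-rules-bulk-deleted", "project", deleted))
    return deleted
```

With `fail_before_commit=True` the stored strategy and both project rules are left exactly as they were and nothing is audited, which is the property that keeps the config and the rule table from disagreeing about which roles are in force.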

@cstuncsik cstuncsik requested review from a team, BGZStephen, afitzek, guillaumejacquart and phyllis-noester and removed request for a team April 22, 2026 11:53
…ping-rules-stay-active-after-switching-to

# Conflicts:
#	packages/frontend/editor-ui/src/features/settings/sso/provisioning/composables/useRoleMappingRules.test.ts

@afitzek afitzek left a comment

🚀

@cstuncsik cstuncsik added this pull request to the merge queue Apr 23, 2026
Merged via the queue into master with commit c662862 Apr 23, 2026
55 checks passed
@cstuncsik cstuncsik deleted the iam-561-project-mapping-rules-stay-active-after-switching-to branch April 23, 2026 10:47
@n8n-assistant n8n-assistant Bot mentioned this pull request Apr 28, 2026

n8n-assistant Bot commented Apr 28, 2026

Got released with n8n@2.19.0
