docs(KNO-13457): document the directory sync account-lockout edge #1483
meryldakin wants to merge 1 commit into
Because Knock treats the IdP as the source of truth, directory sync can remove or demote an account's last owner and leave it with no owner. Adds a Preventing account lockout section to the directory sync page explaining how to prevent this (keep at least one user mapped to the owner role via the knock-role-owner group) and how to recover.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit d6328ae. Configure here.
| <code>knock-role-owner</code> group or your custom group-to-role mapping — | ||
| and is not removed from your identity provider. If owner access is lost, | ||
| re-add a user to the owner-granting group from your IdP to restore it, or | ||
| contact the <a href="mailto:support@knock.app">Knock support team</a>. |
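Review bot: the recovery sentence at the end of this callout ("re-add a user to the owner-granting group from your IdP to restore it") does not say when owner access comes back or who can act while the account has no owner. Suggest stating when the re-added user regains the owner role (for example, on the next directory sync, if that is how it behaves), so readers know whether to wait or escalate to support. Since the prevention guidance depends on that user also not being removed from the identity provider, consider recommending more than one user in the owner-granting group so a single deprovisioning does not leave the account ownerless.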
Repeated support mailto link
Low Severity
The new Callout links “Knock support team” to mailto:support@knock.app, but that destination is already linked earlier on the page in Directory sync configuration. Repeated links to the same path should only appear on the first mention; later mentions should use plain text.
Triggered by learned rule: Link Knock concepts on first mention only per page
Risk LOW: adds a "Preventing account lockout" section with a warning callout to the existing directory sync docs page.
Reasons
- Only 1 file changed: an existing .mdx content page (content/manage-your-account/directory-sync.mdx)
- Small diff: 19 additions, 0 deletions — well under the 50-line threshold
- No new pages, sidebar changes, component modifications, or dependency updates
- No .tsx/.ts code, build config, or structural changes
- Author (meryldakin) is a confirmed repository contributor and team member
Notes
- Verify the Callout component renders correctly (Vercel preview already deployed and shows ready)
- Confirm the mailto:support@knock.app link and the internal /manage-your-account/roles-and-permissions link resolve properly
Sent by Cursor Automation: Docs PR classifier




Summary
Adds a Preventing account lockout section to the directory sync page (KNO-13457).
Because Knock treats the IdP as the source of truth, directory sync applies role changes even when they remove or demote an account's last owner — so an account can end up with no owner. This documents how to prevent it (keep at least one user mapped to the owner role via the knock-role-owner group) and how to recover (re-add a user to the owner-granting group from the IdP, or contact support).
Context: the backend deliberately does not block dsync from doing this — blocking would break the IdP source-of-truth contract. This is the customer-facing callout for that edge.