Block all permission level changes except through LDAP
Description
Some security-conscious companies use LDAP exclusively for all user-level permissions. A user's permission level should not be changeable within GitLab and should be controlled completely in LDAP. They would like a feature to block the ability to change the permission level of any user from within GitLab, if they are already using LDAP.
Overview
This is a toggle option that is made available when LDAP is enabled. People who are very security-conscious (federal customers) will probably want/require this. The underlying problem is random/accidental (or even worse, targeted/intentional) changes of permission levels in GitLab without administrator knowledge. I think a toggle to enable this feature if LDAP is enabled should be sufficient. Perhaps having one GitLab admin user who can bypass this in case of LDAP failure is required.
Use cases
Federal customers in need of greater security.
Feature checklist
Make sure these are completed before closing the issue, with a link to the relevant commit.
- Feature assurance
- Documentation
- Added to features.yml