[meta] Enterprise Authentication & User Management
Large enterprises need more sophisticated authentication and user management capabilities than smaller organisations.
GitLab EEP will suit the needs of businesses at scale by providing greater Management, Control and Traceability for authentication.
Feature Delivery Plan
- Management: LDAP Sync Filters in EEP
- Control: Reject unsigned commits in EEP
- Control: Commit Author Restrictions in EEP
- Reporting: Improved Auditing in EEP
10.2: #1372 (closed) & #1371 (closed)
More details to follow once the 10.3 scope is confirmed.
Management & Control
Granular Group Management
GitLab CE and EES allow for LDAP integration and group synchronisation. Whilst powerful, this capability becomes limited when managing larger directory structures.
GitLab EEP introduces the ability to:
- Apply filters to group synchronisation, so that a GitLab group can be populated from a subset of an LDAP group's members, selected by an LDAP search filter, rather than from every member of that LDAP group. #3188 (closed)
- Implement group-based server connections, allowing a GitLab group to be synchronised against a specific LDAP server. With multiple LDAP servers configured, the scope of group synchronisation can be restricted to particular groups on the target server.
- Target fine-grained groups for synchronisation by allowing multiple group bases to be configured for GitLab group sync. This restricts the LDAP groups visible to owners when they configure a link, preventing people from the wrong LDAP group from being inadvertently added to GitLab's permission structures.
- Mirror LDAP group structures inside GitLab. In GitLab EES a pre-existing GitLab group can be synchronised with an LDAP group, which means every group must first be created in GitLab and then linked to its LDAP counterpart. GitLab EEP introduces the ability to selectively mirror LDAP groups, creating the GitLab groups automatically from the LDAP structure, so that group management can be performed centrally in LDAP and flow down into GitLab EEP, leveraging the existing investment in the directory.
- Inherit permissions from LDAP properties. LDAP group sync in GitLab EES maps an LDAP group to a GitLab group with an explicit access level specified in GitLab. With GitLab EEP group filters, a permission mapping can be defined so that the access level is determined by LDAP attributes rather than configured in GitLab. The directory then becomes the authority for GitLab permissions, so write access to the LDAP attributes and group memberships used in those filters needs the same protection as GitLab owner rights.
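The filtered group sync and the LDAP-derived permission bullets above rest on the same mechanism: an LDAP search filter (RFC 4515) that selects a subset of directory entries. The script below is an added example, not GitLab's code and not a description of how EEP implements these features. It contains a minimal filter evaluator and runs it against a constructed in-memory directory to show the difference between what a plain group link syncs and what a filtered link syncs, and how an ordered table of filters can assign access levels from LDAP attributes. The DNs, attributes and the role table are all constructed for illustration.

```ruby
# Added example (not GitLab's code): a minimal RFC 4515 LDAP search-filter
# evaluator run against a constructed in-memory directory. It models what a
# filter-based group sync selects, compared with syncing a whole LDAP group,
# and how an ordered filter-to-role table lets LDAP attributes decide the
# GitLab access level. Supports &, |, !, equality and presence only; RFC 4515
# escapes (\28, \2a, ...) and substring/approximate matches are not handled.
require 'strscan'

# Constructed directory: DN => attributes. Attribute names are stored lower
# case because LDAP attribute names are case-insensitive.
ALICE = 'uid=alice,ou=people,dc=example,dc=com'
BOB   = 'uid=bob,ou=people,dc=example,dc=com'
CAROL = 'uid=carol,ou=people,dc=example,dc=com'
SVC   = 'cn=svc-build,ou=services,dc=example,dc=com'
DEVS  = 'cn=developers,ou=groups,dc=example,dc=com'
RELS  = 'cn=release-managers,ou=groups,dc=example,dc=com'

DIRECTORY = {
  ALICE => { 'objectclass' => %w[person], 'memberof' => [DEVS, RELS], 'employeetype' => %w[staff] },
  BOB   => { 'objectclass' => %w[person], 'memberof' => [DEVS], 'employeetype' => %w[contractor] },
  CAROL => { 'objectclass' => %w[person], 'memberof' => [DEVS], 'employeetype' => %w[staff] },
  SVC   => { 'objectclass' => %w[applicationProcess], 'memberof' => [DEVS] }, # service account, no employeeType
}.freeze

# Parse a filter string into a nested array such as
# [:and, [:eq, 'objectclass', 'person'], [:not, [:eq, 'employeetype', 'contractor']]]
def parse_filter(str)
  s = StringScanner.new(str)
  node = parse_node(s)
  raise ArgumentError, "trailing input after filter: #{s.rest.inspect}" unless s.eos?
  node
end

def parse_node(s)
  raise ArgumentError, "expected '(' at offset #{s.pos}" unless s.scan(/\(/)
  node =
    if s.scan(/&/)
      [:and, *parse_list(s)]
    elsif s.scan(/\|/)
      [:or, *parse_list(s)]
    elsif s.scan(/!/)
      [:not, parse_node(s)]
    else
      attr = s.scan(/[A-Za-z][A-Za-z0-9.;-]*/) or raise ArgumentError, "expected attribute at offset #{s.pos}"
      s.scan(/=/) or raise ArgumentError, "expected '=' at offset #{s.pos}"
      value = s.scan(/[^()]*/) # DN values legitimately contain '=' and ','
      value == '*' ? [:present, attr.downcase] : [:eq, attr.downcase, value]
    end
  raise ArgumentError, "expected ')' at offset #{s.pos}" unless s.scan(/\)/)
  node
end

def parse_list(s)
  list = []
  list << parse_node(s) while s.peek(1) == '('
  raise ArgumentError, "empty filter list at offset #{s.pos}" if list.empty?
  list
end

# Evaluate a parsed filter against one entry. Values are compared
# case-insensitively, as DN-valued and most string attributes are in LDAP.
def match?(node, entry)
  case node[0]
  when :and     then node[1..-1].all? { |n| match?(n, entry) }
  when :or      then node[1..-1].any? { |n| match?(n, entry) }
  when :not     then !match?(node[1], entry)
  when :present then entry.key?(node[1])
  when :eq      then entry.fetch(node[1], []).any? { |v| v.casecmp?(node[2]) }
  end
end

# Sorted DNs of all entries matching the filter, like a base-wide LDAP search.
def search(directory, filter)
  node = parse_filter(filter)
  directory.select { |_, entry| match?(node, entry) }.keys.sort
end

# Ordered role table, most privileged first; the first matching row wins.
# Moving the decision into LDAP means anyone who can edit these attributes
# or group memberships in the directory can grant themselves GitLab access.
ROLE_FILTERS = [
  ['maintainer', "(&(objectClass=person)(memberOf=#{RELS}))"],
  ['developer',  "(&(objectClass=person)(memberOf=#{DEVS})(!(employeeType=contractor)))"],
].freeze

# DN => role for every entry that matches at least one row; unmatched entries
# (contractors, service accounts) get no access at all.
def resolve_access(directory, role_filters = ROLE_FILTERS)
  access = {}
  role_filters.each do |role, filter|
    node = parse_filter(filter)
    directory.each { |dn, entry| access[dn] ||= role if match?(node, entry) }
  end
  access
end

if __FILE__ == $PROGRAM_NAME
  puts "plain group link: #{search(DIRECTORY, "(memberOf=#{DEVS})").inspect}"
  puts "filtered link:    #{search(DIRECTORY, ROLE_FILTERS[1][1]).inspect}"
  puts "derived access:   #{resolve_access(DIRECTORY).inspect}"
end
```

The plain `(memberOf=...)` link pulls in the contractor and the build service account along with the staff, which is exactly the over-synchronisation the filter bullet is meant to avoid; the filtered link keeps only the two staff developers, and the role table promotes the one who is also a release manager without any per-user configuration in GitLab.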
Reporting & Traceability
GitLab EEP adds additional reporting capability for authentication and user management through:
- Periodic LDAP synchronisation reports, sending administrators email summaries of the changes to GitLab's user and permission structures that resulted from changes in LDAP. This gives administrators proactive visibility of how GitLab's user management is affected by external connections.
- Improved user management audit events, making it possible to trace historical changes to authentication and permissions.