Allow restricting group members by a domain whitelist
Problem to solve
Currently members can be added to our group, or subgroups or projects using any valid gitlab.com account.
We want users to only be able to invite new members if their email is on a whitelist of domains managed by the group owner. This is to ensure that no-one outside our company (or our clients') is added to our group, and also that any employee added is registered with their corporate email account rather than a personal one, so that when their corporate email account becomes inactive they lose access to GitLab.
The use case for this is that we regularly add users to GitLab. It's easy to mistakenly add the wrong account to the group (e.g. a personal account, or just selecting the wrong account from the autocomplete box).
Ideally we'd also be able to restrict members to federated login (e.g. Google Sign-in) so that when their corporate Google Apps account becomes inactive they will no longer be able to access GitLab.
- Allow entering a whitelist of member domains in the group settings, configurable by Owners.
- Only members whose primary email matches the defined mask can be added to the group; attempting to add anyone else should return an error.
- Only matching members should be displayed as results in the member autocomplete.
For the first iteration, we'll leave existing members that do not meet the whitelist in the group. The whitelist should apply only to new members.
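As an added illustration of the check the list above asks for (this is example code written for this issue, not GitLab's own implementation), here is a small Ruby module, since GitLab is a Rails application. The module name, the user hash shape (`:username`, `:primary_email`) and the sample allow-list and users are all constructed for the example. It matches only the primary email's domain, exactly, so subdomains and lookalike domains such as `example.com.attacker.test` are rejected unless the owner lists them, and it shows the same predicate reused to filter autocomplete candidates.

```ruby
# Added example (not GitLab's own code): a domain allow-list check for
# new group members, as the feature request describes.
require 'set'

module MemberDomainAllowlist
  # Normalises an email address and returns its domain, or nil when the
  # address is not a single plausible "local@domain" string.
  def self.email_domain(email)
    return nil unless email.is_a?(String)

    addr = email.strip.downcase
    parts = addr.split('@')
    return nil unless parts.length == 2 && !parts[0].empty? && !parts[1].empty?

    # A trailing dot ("user@example.com.") is a legal FQDN form; drop it so
    # it cannot be used to slip past an exact-match allow-list.
    domain = parts[1].chomp('.')
    return nil unless domain.match?(/\A[a-z0-9.-]+\z/)
    return nil if domain.start_with?('.') || domain.include?('..')

    domain
  end

  # Builds a normalised allow-list from the owner-configured domain strings.
  def self.build(domains)
    Set.new(domains.map { |d| d.to_s.strip.downcase.chomp('.') }.reject(&:empty?))
  end

  # True when the *primary* email's domain is exactly one of the allowed
  # domains. Subdomains (mail.example.com) and lookalikes
  # (example.com.attacker.test) do not match unless listed explicitly.
  def self.allowed?(allowlist, primary_email)
    domain = email_domain(primary_email)
    return false if domain.nil?

    allowlist.include?(domain)
  end

  # Filters autocomplete candidates so only matching accounts are offered.
  def self.filter_candidates(allowlist, users)
    users.select { |u| allowed?(allowlist, u[:primary_email]) }
  end
end

# Constructed sample data for a stand-alone run (not real accounts).
ALLOWLIST = MemberDomainAllowlist.build(['Example.com', 'client.example.org '])

SAMPLE_USERS = [
  { username: 'alice', primary_email: 'alice@example.com' },
  { username: 'bob',   primary_email: 'Bob@EXAMPLE.COM.' },
  { username: 'carol', primary_email: 'carol@gmail.com' },
  { username: 'dave',  primary_email: 'dave@example.com.attacker.test' },
  { username: 'erin',  primary_email: 'erin@mail.example.com' },
  { username: 'frank', primary_email: 'frank@client.example.org' }
].freeze

if __FILE__ == $PROGRAM_NAME
  MemberDomainAllowlist.filter_candidates(ALLOWLIST, SAMPLE_USERS).each do |u|
    puts "offer in autocomplete: #{u[:username]}"
  end
end
```

Running the file offers only alice, bob and frank in the autocomplete: bob's mixed-case address with a trailing dot is normalised before matching, while the personal, subdomain and lookalike addresses are all rejected. Checking the primary email rather than any secondary address matters because a user can add arbitrary secondary emails to their own account.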
What does success look like, and how can we measure that?
- Success would mean increased security for corporate GitLab projects.