Prevent Enterprise users from changing or adding email addresses on GitLab.com
Problem to solve
I'd like the option to prevent users from changing or adding new email addresses. If we allow them to change it, they may have data from an internal GitLab instance sent to non-approved email addresses.
Proposal
The scope of this proposal is limited to GitLab.com (SaaS) only, and to users who are Enterprise Users and their group owners.
MVC
Enterprise Users should always be prevented from changing or adding email addresses that do not match their group's verified domain(s).
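A server-side check for the MVC rule above, as an added example that is not GitLab's code: the module and method names are hypothetical and the domains are constructed. Treating a match as exact, so that a subdomain of a verified domain does not pass, is an assumption.

```ruby
require 'set'

# Hypothetical helper, not GitLab's implementation.
module EnterpriseEmailPolicy
  module_function

  # Normalized domain of a simple local@domain address, or nil when the
  # address has no "@", more than one "@", or an empty local part or domain.
  def email_domain(address)
    parts = address.to_s.strip.split('@', -1)
    return nil unless parts.length == 2

    local, domain = parts
    domain = domain.downcase.chomp('.') # DNS names are case-insensitive
    return nil if local.empty? || domain.empty?

    domain
  end

  # Assumption: exact match only. Suffix or substring matching would accept
  # "example.com.other.test" or "notexample.com" for "example.com".
  def allowed?(address, verified_domains)
    domain = email_domain(address)
    return false if domain.nil?

    verified_domains.map { |d| d.downcase.chomp('.') }.to_set.include?(domain)
  end

  # Addresses (primary or secondary) that the rule would refuse.
  def rejected(addresses, verified_domains)
    addresses.reject { |a| allowed?(a, verified_domains) }
  end
end

# Constructed sample data.
VERIFIED = ['example.com', 'corp.example.org'].freeze
SAMPLE = [
  'dev@example.com',            # exact match
  'Dev@EXAMPLE.COM',            # case differs only
  'ops@corp.example.org',       # second verified domain
  'dev@example.com.other.test', # verified domain used as a prefix
  'dev@notexample.com',         # verified domain used as a suffix
  'dev@mail.example.com',       # subdomain, not verified itself
  'dev@example.com@other.test', # more than one "@"
  'dev@personal.test'           # unrelated domain
].freeze

puts EnterpriseEmailPolicy.rejected(SAMPLE, VERIFIED)
```

The same check has to run on every write path (primary email change, secondary email add), since disabling the form fields alone does not stop a direct API request.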
Further iteration
Create a setting similar to https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#disabling-user-profile-name-changes, except that it lives at the top group level.
Location: GROUP Settings > General > Permissions and group features
This would be at the URL https://gitlab.com/groups/$GROUP_NAME/-/edit
The new setting could be called "Prevent users from changing their email." (need UX or TW to confirm)
When enabled:
- It applies to all users in an Enterprise
- In https://gitlab.com/-/profile the email field is disabled with a message explaining that it has been disabled by an administrator.
- In https://gitlab.com/-/profile/emails the add button is disabled with a message explaining that it has been disabled by an administrator.
- Existing email addresses cannot be changed (primary/secondary/etc)