Allow group Owners to manually add members when LDAP lock is enabled
Problem
In https://gitlab.com/gitlab-org/gitlab-ee/issues/4354 we are proposing an admin-level setting to lock membership changes to LDAP sync. Under that setting, only instance administrators are allowed to manually add members to a group outside of LDAP.
We should optionally extend this privilege to allow group Owners to manually add members to their group:
- Some instances may want to add users to groups/projects, but not add them to LDAP. This is common for contractors/customers.
- Manual member management will be burdensome for administrators if they're the only user type who can handle this. Frequently, admins are a very small group of privileged users.
Proposal
Allow group Owners to manually add to group membership when "allow group Owners to manage LDAP-related settings" is enabled.
- What happens when this is unchecked? Members of groups (and their subgroups/projects) are not manually editable by Owners.
- What happens when this is checked? A configuration option is exposed in group LDAP settings that reads "Lock membership of this group to LDAP". This should default to true.
When this lock is enabled, we should remove all existing users added to projects/subgroups outside of LDAP. We should inform the group owner enabling the lock that this will take place.
Availability & Testing
This feature appears to be low risk in terms of availability.
When "Lock membership of this group to LDAP" is checked, ensure that LDAP users are retained and only non-LDAP ones are removed.
Besides unit and feature tests, we should extend the admin_ldap_sync_spec end-to-end test to cover this functionality.
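The permission matrix and the removal rule described above, as an added example that is not GitLab's own code: the setting, group and member names (Settings, Group, Member, ldap_membership_lock, and so on) are hypothetical stand-ins for whatever the real implementation uses, and the lock is assumed to inherit down to subgroups and projects.

```ruby
# Hypothetical model of the proposal's rules; not GitLab's implementation.
# Settings: the instance-wide LDAP lock from issue 4354 plus the
# "allow group Owners to manage LDAP-related settings" option.
Settings = Struct.new(:lock_memberships_to_ldap, :owners_manage_ldap, keyword_init: true)
# Group: "Lock membership of this group to LDAP" (defaults to true per proposal).
Group    = Struct.new(:name, :ldap_membership_lock, :parent, keyword_init: true)
# Member: ldap is true when the membership was provisioned by LDAP sync.
Member   = Struct.new(:username, :ldap, keyword_init: true)

# A subgroup or project is locked if it or any ancestor group is locked.
def ldap_locked?(group)
  return true if group.ldap_membership_lock
  group.parent ? ldap_locked?(group.parent) : false
end

# Who may manually add a member?
#  - no instance-wide lock: existing behaviour, anyone with rights may add
#  - lock on: admins always; Owners only when the instance lets Owners
#    manage LDAP settings AND the group (or an ancestor) is not locked
def can_manually_add_member?(role, group, settings)
  return true unless settings.lock_memberships_to_ldap
  return true if role == :admin
  role == :owner && settings.owners_manage_ldap && !ldap_locked?(group)
end

# When an Owner enables the group lock, LDAP-provisioned members are
# retained; only members added outside LDAP are returned for removal.
def non_ldap_members(members)
  members.reject(&:ldap)
end

# Constructed sample data to exercise the rules.
if __FILE__ == $PROGRAM_NAME
  settings = Settings.new(lock_memberships_to_ldap: true, owners_manage_ldap: true)
  eng = Group.new(name: "eng", ldap_membership_lock: true, parent: nil)
  api = Group.new(name: "eng/api", ldap_membership_lock: false, parent: eng)
  puts "owner may add to eng/api: #{can_manually_add_member?(:owner, api, settings)}"
  members = [Member.new(username: "alice", ldap: true),
             Member.new(username: "bob", ldap: false)]
  puts "to remove on lock: #{non_ldap_members(members).map(&:username).inspect}"
end
```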
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.