GitLab.org / GitLab, Issue #1793
Created Feb 24, 2017 by Rémy Coutable (@rymai), Maintainer

Allow group Owners to manually add members when LDAP lock is enabled

Problem

In https://gitlab.com/gitlab-org/gitlab-ee/issues/4354 we are proposing an admin-level setting to lock membership changes to LDAP sync. Under that setting, only instance administrators are allowed to manually add members to a group outside of LDAP.

We should optionally extend this privilege to allow group Owners to manually add members to their group:

  • Some instances may want to add users to groups/projects, but not add them to LDAP. This is common for contractors/customers.
  • Manual member management will be burdensome for administrators if they're the only user type who can handle this. Frequently, admins are a very small group of privileged users.

Proposal

Allow group Owners to manually add to group membership when "allow group Owners to manage LDAP-related settings" is enabled.

  • What happens when this is unchecked? Members of groups (and their subgroups/projects) are not manually editable by Owners.
  • What happens when this is checked? A configuration option is exposed in group LDAP settings that reads "Lock membership of this group to LDAP". This should default to true.

When this lock is enabled, we should remove all existing users added to projects/subgroups outside of LDAP. We should inform the group owner enabling the lock that this will take place.

Availability & Testing

This feature appears to be low risk in terms of availability.

When "Lock membership of this group to LDAP" is checked, ensure that LDAP users are retained and only non-LDAP ones are removed.

Besides unit and feature tests, we should extend the admin_ldap_sync_spec end-to-end test to cover this functionality.
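The rules proposed above, modelled as a small stand-alone Ruby script. This is an added example, not GitLab's code: the structs, the setting names (`lock_memberships_to_ldap` for the issue 4354 setting, `owners_can_manage_ldap_settings` for "allow group Owners to manage LDAP-related settings", `lock_membership_to_ldap` for the per-group lock) and the sample members are all hypothetical. It also assumes that when the instance-wide lock is off, Owners manage membership as they do today, which the issue implies but does not spell out. The point it shows is the authorization decision for a manual add, plus the lock enabling step that removes only non-LDAP members while retaining LDAP-synced ones, as the testing note requires.

```ruby
# Added example (not GitLab code): a self-contained model of the membership rules
# this issue proposes. All names and structures here are hypothetical.

# Instance-level settings from the admin area.
# lock_memberships_to_ldap        -> the admin setting proposed in issue 4354
# owners_can_manage_ldap_settings -> "allow group Owners to manage LDAP-related settings"
InstanceSettings = Struct.new(:lock_memberships_to_ldap, :owners_can_manage_ldap_settings,
                              keyword_init: true)

# Group-level option "Lock membership of this group to LDAP" (defaults to true when exposed).
Group  = Struct.new(:name, :lock_membership_to_ldap, :members, keyword_init: true)
Member = Struct.new(:username, :ldap_synced, keyword_init: true)
Actor  = Struct.new(:username, :admin, :owner_of, keyword_init: true)

# May `actor` add a member to `group` outside of LDAP sync?
def can_manually_add_member?(actor, group, settings)
  return true if actor.admin                             # admins always may
  return false unless actor.owner_of.include?(group.name) # only Owners get further
  # Assumption: without the instance-wide lock, Owners manage membership as before.
  return true unless settings.lock_memberships_to_ldap
  # Under the lock, Owners may add members only when the admin has extended that
  # privilege to them AND the group itself is not locked to LDAP.
  settings.owners_can_manage_ldap_settings && !group.lock_membership_to_ldap
end

# Members that enabling the group lock would remove: everyone not synced from LDAP.
# This is what the Owner should be shown before the lock is applied.
def members_removed_by_lock(group)
  group.members.reject(&:ldap_synced)
end

# Enable the lock: keep LDAP-synced members, remove the rest. Returns the removed list.
def enable_group_ldap_lock!(group)
  removed = members_removed_by_lock(group)
  group.members -= removed
  group.lock_membership_to_ldap = true
  removed
end

# Constructed sample data (not from any real instance).
def sample_group
  Group.new(name: "platform", lock_membership_to_ldap: false, members: [
    Member.new(username: "alice", ldap_synced: true),
    Member.new(username: "bob", ldap_synced: true),
    Member.new(username: "contractor1", ldap_synced: false)
  ])
end

def sample_settings
  InstanceSettings.new(lock_memberships_to_ldap: true, owners_can_manage_ldap_settings: true)
end

OWNER = Actor.new(username: "owner1", admin: false, owner_of: ["platform"])
ADMIN = Actor.new(username: "root", admin: true, owner_of: [])

if __FILE__ == $PROGRAM_NAME
  group = sample_group
  settings = sample_settings
  puts "owner may add before lock: #{can_manually_add_member?(OWNER, group, settings)}"
  puts "enabling lock would remove: #{members_removed_by_lock(group).map(&:username).join(', ')}"
  removed = enable_group_ldap_lock!(group)
  puts "removed: #{removed.map(&:username)}, kept: #{group.members.map(&:username)}"
  puts "owner may add after lock: #{can_manually_add_member?(OWNER, group, settings)}"
  puts "admin may add after lock: #{can_manually_add_member?(ADMIN, group, settings)}"
end
```

Run it with `ruby` and the output walks through one group: the Owner may add before the lock, enabling the lock reports and removes only `contractor1`, and afterwards only the admin may still add manually. Separating `members_removed_by_lock` from `enable_group_ldap_lock!` is what makes the "inform the group owner before it happens" step cheap to implement and to test.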

Edited Jul 21, 2020 by 🤖 GitLab Bot 🤖