Created Feb 24, 2017 by Rémy Coutable (@rymai, Maintainer)

Allow group Owners to manually add members when LDAP lock is enabled

Problem

In https://gitlab.com/gitlab-org/gitlab-ee/issues/4354 we are proposing an admin-level setting to lock membership changes to LDAP sync. Under that setting, only instance administrators are allowed to manually add members to a group outside of LDAP.

We should optionally extend this privilege to allow group Owners to manually add members to their group:

  • Some instances may want to add users to groups/projects, but not add them to LDAP. This is common for contractors/customers.
  • Manual member management will be burdensome for administrators if they're the only user type who can handle this. Frequently, admins are a very small group of privileged users.

Proposal

Allow group Owners to manually add members to their group when "allow group Owners to manage LDAP-related settings" is enabled.

  • What happens when this is unchecked? Members of groups (and their subgroups/projects) are not manually editable by Owners.
  • What happens when this is checked? A configuration option is exposed in group LDAP settings that reads "Lock membership of this group to LDAP". This should default to true.

When this lock is enabled, we should remove all existing users added to projects/subgroups outside of LDAP. We should inform the group owner enabling the lock that this will take place.

Availability & Testing

This feature appears to be low risk in terms of availability.

When "Lock membership of this group to LDAP" is checked, ensure that LDAP users are retained and only non-LDAP ones are removed.

Besides unit and feature tests, we should extend the admin_ldap_sync_spec end-to-end test to cover this functionality.
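To make the proposed rules concrete, here is an added example that models them as a small Ruby script. It is not GitLab code: the setting names (`lock_memberships_to_ldap`, `owners_manage_ldap_settings`, `lock_membership_to_ldap`), the structs and the helper functions are all assumptions chosen to mirror the issue text. It covers both the authorization question (who may manually add a member under which combination of instance and group settings) and the lock-enable step, which must remove only manually added members across the group, its subgroups and projects while retaining LDAP-provisioned ones, and which reports what it will remove so the Owner can be told before the lock takes effect.

```ruby
# Added example, not GitLab code. Names below are assumptions modelled on the issue text.

Actor    = Struct.new(:username, :admin, :owned_groups)       # owned_groups: names of groups the actor owns
Member   = Struct.new(:username, :ldap_provisioned, :access_level)
Resource = Struct.new(:name, :kind, :members, :children)      # kind: :group, :subgroup or :project

# Instance-level (admin area) settings and the per-group lock, as assumed names.
InstanceSettings  = Struct.new(:lock_memberships_to_ldap, :owners_manage_ldap_settings)
GroupLdapSettings = Struct.new(:lock_membership_to_ldap)

# The proposal says the group-level lock should default to true.
def default_group_ldap_settings
  GroupLdapSettings.new(true)
end

# May `actor` add a member to `group` by hand (outside LDAP sync)?
def can_manually_add_member?(actor, instance, group, group_ldap)
  return true if actor.admin                                # instance admins always may
  return false unless actor.owned_groups.include?(group.name)
  return true unless instance.lock_memberships_to_ldap      # no instance-wide lock: normal Owner rights
  return false unless instance.owners_manage_ldap_settings  # Owners are not allowed to manage LDAP settings
  !group_ldap.lock_membership_to_ldap                       # Owner unticked "Lock membership of this group to LDAP"
end

# Walk the group, its subgroups and projects and list members that were added outside LDAP.
# These are exactly the memberships the lock would remove; LDAP-provisioned members are retained.
def manual_members(resource, path = resource.name, out = [])
  resource.members.each do |m|
    out << "#{path}/#{m.username}" unless m.ldap_provisioned
  end
  resource.children.each { |c| manual_members(c, "#{path}/#{c.name}", out) }
  out
end

# Text shown to the Owner before the lock is enabled, so the removal is not a surprise.
def confirmation_message(resource)
  names = manual_members(resource)
  "Locking #{resource.name} to LDAP will remove #{names.size} manually added member(s): #{names.join(', ')}"
end

# Enable the lock: drop only non-LDAP members at every level, keep LDAP ones, return what was removed.
def enable_ldap_lock!(resource, group_ldap)
  removed = manual_members(resource)
  prune = lambda do |r|
    r.members.select!(&:ldap_provisioned)
    r.children.each { |c| prune.call(c) }
  end
  prune.call(resource)
  group_ldap.lock_membership_to_ldap = true
  removed
end

# Constructed sample tree: a group with an LDAP owner and a manually added contractor,
# a subgroup with an LDAP maintainer, and a project with a manually added customer and an LDAP developer.
def sample_group
  Resource.new("acme", :group,
    [Member.new("alice", true, :owner), Member.new("contractor1", false, :developer)],
    [Resource.new("backend", :subgroup,
      [Member.new("bob", true, :maintainer)],
      [Resource.new("api", :project,
        [Member.new("customer1", false, :reporter), Member.new("carol", true, :developer)],
        [])])])
end

if __FILE__ == $PROGRAM_NAME
  group = sample_group
  puts confirmation_message(group)
  settings = GroupLdapSettings.new(false)
  puts "removed: #{enable_ldap_lock!(group, settings).inspect}"
  owner = Actor.new("alice", false, ["acme"])
  instance = InstanceSettings.new(true, true)
  puts "owner may add manually after lock: #{can_manually_add_member?(owner, instance, group, settings)}"
end
```

The removal walks the whole subtree because the proposal states that the lock applies to the group's subgroups and projects, not only to direct members; the partition on `ldap_provisioned` is the single check that the Availability & Testing section asks to verify, so a unit test for the real feature would assert on the same two outcomes as here: LDAP members survive, manual members do not.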

Edited Jul 21, 2020 by 🤖 GitLab Bot 🤖