Group Managed Accounts - Journey Mapping
This issue tracks the design artifacts for everything related to "Extend group managed accounts to all groups".
Intended Users
Sidney (Systems Administrator)
Job Statements
The below statements, in conjunction with the Acceptance Criteria, best capture the user needs of the Group Owner.
- As a Group Owner who wants to secure project information, I want to make sure employee accounts are managed by my company so that I can guarantee that employees won't leak project data.
- As a Group Owner who wants to enforce an additional layer of protection, I want to make sure employees log in with credentials I determine so that employees are not using unauthorized email addresses.
- As a Group Owner who wants to off-board users, I want to have the ability to block and delete group members, so that I can control who has access to the group projects.
- As a Group Member who wants to keep my personal projects, I want to be able to easily differentiate my "company" work from my other GitLab activity.
User Flow
Current Behavior
Group Overview Page (Self-Managed) | SAML SSO (Self-Managed) | Whitelisted Domains (Self-Managed) | Navigation (Self-Managed) |
---|---|---|---|
Mural Board
Additional Information
- Current workflow for Authorize (recording)
- Current workflow for Membership Transfer (recording)
- Current workflow for Group Member (recording)
- Current workflow for Group Owner (recording)
- Behavior of a group member who had authorized via SSO before GMA conversion (recording)
- Behavior of a group member who had not authorized via SSO before GMA conversion (recording)
- Video recording of the Spaces team learning how the group owner flow and group member flows currently work: https://drive.google.com/open?id=1_Huaa0Tu_liHbi36Gu9GC2a36nV4W3aD
- SAML SSO / GMA docs: https://docs.gitlab.com/ee/user/group/saml_sso/
Concept - Wizard Flow
Mockups of a potential wizard flow, which demonstrates the first few steps of enabling Group Managed Accounts once decoupled from SAML SSO:
We considered whether solving the isolation problem using Group Managed Accounts was a better solution than starting fresh and introducing a new type of "Organization/Space" group. Included is a parallel wizard of "promoting" the group to an organisation (space/workspace) as another route we could use to engineer group managed accounts (as separate from SAML SSO):
Step 1 | Step 2 | Step 3 | Step 4 |
---|---|---|---|
Upon discussion with the backend team, we decided to go with option 1. The sticky notes on Step 1 have some comments as to why we made this choice.