Allow group owners to bypass SSO enforce
Release notes
Problem to solve
We've had multiple cases where group owners have locked everyone out by misconfiguring their SAML and having SSO enforce turned on.
Intended users
User experience goal
Proposal
Similarly to IP restriction, we should allow admins (self-managed) and top-level group owners (gitlab.com) to access the group outside of SSO.
Further details
Permissions and Security
Documentation
Availability & Testing
What risks does this change pose to our availability? This is a low-risk feature for GitLab.com availability.
What additional test coverage or changes to tests will be needed? Ensure that only the Owner (and Auditor if it is decided) is able to access the group without needing SSO when it is enforced. No user with any other role should be able to access the group via navigation or a direct link. Ensure that users with roles other than Owner or Auditor are still able to access the group when signed in with SSO.
We should ideally have an end-to-end test to check if the Owner (and Auditor) can bypass SSO.
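The access matrix from the test plan above, written out as an added sketch; it is not GitLab's code and not part of the original issue. The role labels, the `auditor_bypass` switch (standing in for the undecided "and Auditor" option) and all method names are hypothetical.

```ruby
# Hypothetical model of the access rule proposed in this issue; not GitLab's code.
ROLES = %i[guest reporter developer maintainer owner auditor].freeze

# Roles allowed in without an SSO session while enforcement is on.
# auditor_bypass models the undecided "and Auditor" option from the issue.
def bypass_roles(auditor_bypass)
  auditor_bypass ? %i[owner auditor] : %i[owner]
end

# Returns true when the user may reach the group.
#   role:         the user's role label in the top-level group (hypothetical)
#   sso_enforced: the group has SSO enforcement turned on
#   sso_session:  the user currently holds a valid SSO session for the group
def group_access_allowed?(role:, sso_enforced:, sso_session:, auditor_bypass: false)
  raise ArgumentError, "unknown role: #{role}" unless ROLES.include?(role)
  return true unless sso_enforced   # enforcement off: SSO is not required
  return true if sso_session        # signed in with SSO: every role passes

  bypass_roles(auditor_bypass).include?(role)
end

# Full matrix the test plan asks for: every role, with and without an
# SSO session, while enforcement is on. Keys are [role, sso_session].
def access_matrix(auditor_bypass:)
  ROLES.product([true, false]).to_h do |role, session|
    [[role, session],
     group_access_allowed?(role: role, sso_enforced: true,
                           sso_session: session, auditor_bypass: auditor_bypass)]
  end
end

# Roles that get in with no SSO session. A correct implementation yields
# exactly the bypass set and nothing else.
def roles_bypassing_sso(auditor_bypass:)
  access_matrix(auditor_bypass: auditor_bypass)
    .select { |(_role, session), allowed| !session && allowed }
    .keys.map(&:first)
end
```

An end-to-end test would drive the same matrix through the UI and through direct links, since the test plan calls out both paths.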