Add Controls for Ability to Promote Guest Users
Note: although this issue is aligned to ~"group::authentication and authorization", ~"group::utilization" will attempt to lean in here per the discussion in #214706 (comment 1556928539).
Problem Validation
Question | Answer
---|---
What context do we need? | Guests are non-billable for the Ultimate tier.
What is the problem? | Guests can be promoted to a higher role via project sharing, which makes them a billable user. For example: any maintainer or owner in the system can make users not a guest by adding them to their project.
Who does the problem impact? | Ultimate SM & SaaS customers
Why does this problem occur? | When you add a user to a project or group, you assign them a role. The role determines which actions they can take in GitLab. If you add a user to both a project's group and the project itself, the higher role is used.
What are our open questions? | Are there other ways to promote a user's permissions (besides this known #415616 (closed) method)?
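The role resolution described above, as an added Ruby illustration that is not GitLab's own code: a user's effective role in a project is the highest of their group role, any direct project membership, and any role granted through a group the project is shared with. It assumes that Guest is the only non-billable role and that a share grants the lesser of the member's group role and the share's maximum role; the group, project and user names are constructed sample data.

```ruby
# Added example (not GitLab code): effective-role resolution plus an audit
# check that lists designated guests who ended up in a billable role.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Member  = Struct.new(:user, :role)
# shared_groups maps a group name to the maximum role granted by the share
Project = Struct.new(:name, :group, :members, :shared_groups)

# Returns [role, via] for the highest role the user holds in the project,
# or nil when the user has no access at all.
def effective_role(user, project, groups)
  candidates = []
  group_role = groups.dig(project.group, user)
  candidates << [group_role, "group #{project.group}"] if group_role
  direct = project.members.find { |m| m.user == user }
  candidates << [direct.role, "direct project member"] if direct
  project.shared_groups.each do |gname, max_role|
    role = groups.dig(gname, user)
    next unless role
    # assumption: a share caps the member's role at the share's maximum
    capped = ACCESS.fetch(role) < ACCESS.fetch(max_role) ? role : max_role
    candidates << [capped, "share from group #{gname} (max #{max_role})"]
  end
  candidates.max_by { |role, _via| ACCESS.fetch(role) }
end

# Audit check: designated guests that hold a billable role in any project,
# together with the path that promoted them.
def promoted_guests(designated_guests, projects, groups)
  designated_guests.flat_map do |user|
    projects.filter_map do |project|
      role, via = effective_role(user, project, groups)
      next if role.nil? || role == :guest
      [user, project.name, role, via]
    end
  end
end

# Constructed sample data: three guests in group "platform"; carol is also a
# developer in "vendors", which is shared with platform/web capped at reporter.
SAMPLE_GROUPS = {
  "platform" => { "alice" => :guest, "bob" => :guest, "carol" => :guest },
  "vendors"  => { "carol" => :developer },
}.freeze
SAMPLE_PROJECTS = [
  Project.new("platform/api", "platform", [Member.new("alice", :developer)], {}),
  Project.new("platform/web", "platform", [], { "vendors" => :reporter }),
].freeze

puts promoted_guests(%w[alice bob carol], SAMPLE_PROJECTS, SAMPLE_GROUPS).inspect
```

Running it reports alice (promoted by a direct project add) and carol (promoted through the share), while bob stays a non-billable guest.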
Design
Question | Answer
---|---
What objective are we hoping to achieve in our solution? | Give admins/owners control over/approval when a guest role moves into a paid seat
What is our solution? | See solution recommendations here: #419645 (closed)
The table below currently leaves API and SaaS flows out of scope.
Iterations \ flows | When inviting new users to billable positions | When promoting users to billable positions
---|---|---
iteration 1 (SM) | Maintainer invites a user to a `> Guest` role — we silently accept that request. We don't show any messages to the actor yet. In the group admin panel, we add that user to the "Invited" tab. In the instance admin panel we display this promotion request in a "Pending approval" tab, for the admin to approve. If an admin invites a user — that user gets added instantly (current flow). | Maintainer promotes a user from a non-billable to a billable position. We don't show any messages to the actor yet. Question: how do we display that pending promotion state? In the instance admin panel we display this promotion request in a "Pending promotion" tab, for the admin to approve. If an admin promotes a user — that user gets promoted instantly (current flow).
iteration 2 & 2+ (SM) | Add messaging before and after addition. | Add messaging before and after addition.
Resources
Original Issue Description
Problem to solve
**Customer Writes:** There is no way to designate a user as being a guest.
A guest user in your licensing system is defined as a user without any permission other than a guest. Defining this in the billing parameter as an absence creates a lot of issues in license compliance, especially in the government space. Any Maintainer or Owner in the system can make users not a guest by adding them to their project. This creates an issue because it is in effect obligating the company to spend more money next year. There is no reason Maintainers should have this authorization in the company. There should be a way for admins to mark a user as a guest, and no one but an admin should be able to override this. New auto-created users should get this flag by default. Without this feature, guest users in Ultimate are either highly risky in terms of compliance or unusable.
Intended users
Ultimate customers. Specifically, Gov't customers have strict licensing auditing requirements.
Further details
It seems the goal is to get a better handle and control over how/when and who is able to promote Guests. I have several customers now working with a microservices architecture and they work with different vendors, developers, etc. The goal is not to restrict people from doing work but to keep a good track of why a guest was promoted (like what ability did they need that was not covered as a guest). Having this audited provides management the ability to say we need more funding in advance for the next go-around because more people are using the system for X reasons.
Proposal
A few ways to approach this:
- Allow a particular group of users to have this specific permission to promote Guests (either allow by exception or Deny by exception approach).
- Have a notification that appears that provides the owner or maintainer the ability to promote a guest and provide a reason. Let the person know what that means. And provide auditing of who and when this was done.
- Provide an option to say that Guests in this project cannot be promoted, but Guests in that project can be.
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
Success is improving the control over Guest Accounts in relation to licensing. Better awareness and notifications or better controls and restriction options or both.
What is the type of buyer?
Ultimate customer
Is this a cross-stage feature?
Depending on the approach. Yes, this change will affect Licensing, UI changes, Internal changes to auditing, etc.