API endpoint for listing all group and project memberships for a user

Problem to solve

Compliance-minded organizations, or generally those with standard auditing practices, need to be able to view a list of user access within their GitLab instances. Knowing what users are part of specific groups and projects helps an organization audit those memberships as part of their access management policy.

Currently, GitLab does not provide a simple, friendly way to obtain this information, and the only current workaround is to combine multiple GitLab API endpoints to create this report.

Intended users

Cameron (Compliance Manager)

Further details

This is the first iterative change we can make towards delivering this feature to customers due to some technical challenges with the original proposal. Of import:

  • Rendering the data within the GitLab UI has a considerable performance cost (e.g. 6.75s to render data for 20 users)
  • Using current API endpoints also has a considerable performance cost (e.g. 9s for 44 users)
  • UX challenges for larger instances where group and project memberships may be high

Proposal

Create a GraphQL API endpoint specifically tuned for querying data about a user's group and project memberships. The JSON response would look similar to this:

[
  {
    "user_id": 1,
    "memberships": [
      {
        "access_level": 20,
        "created_by_id": 37,
        "source_id": 1,
        "source_type": "Project",
        "created_at" : "2017-03-17T17:18:09.283Z",
        "updated_at" : "2017-03-17T17:18:09.283Z"
      },
      {
        "access_level": 20,
        "created_by_id": 20,
        "source_id": 3,
        "source_type": "Namespace",
        "created_at" : "2017-03-17T17:18:09.283Z",
        "updated_at" : "2017-03-17T17:18:09.283Z"
      },
      {
        "access_level": 40,
        "created_by_id": null,
        "source_id": 28,
        "source_type": "Project",
        "created_at" : "2017-03-17T17:18:09.283Z",
        "updated_at" : "2017-03-17T17:18:09.283Z"
      }
    ]
  },
  {
    "user_id": 20,
    "memberships": [
      {
        "access_level": 50,
        "created_by_id": 1,
        "source_id": 5,
        "source_type": "Project",
        "created_at" : "2017-03-17T17:18:09.283Z",
        "updated_at" : "2017-03-17T17:18:09.283Z"
      }
    ]
  }
]

Permissions and Security

Only administrators should be able to pull this data via API.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

GraphQL Query

{
  users {
    pageInfo {
      startCursor
      endCursor
      hasNextPage
    }
    nodes {
      id
      ...memberships
    }
  }
}


fragment membership on MemberInterface {
  createdAt
  updatedAt
  accessLevel {
    integerValue
    stringValue
  }
  createdBy {
    id
  }
}

fragment memberships on User {
  groupMemberships {
    nodes {
      ...membership
      group {
        id
      }
    }
  }
  
  projectMemberships {
    nodes {
      ...membership
      project {
        id
      }
    }
  }
}
Edited by Max Woolf
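
An added example, not part of the original issue or GitLab's own code: one way an auditor's script could follow the `pageInfo` cursors from the query above and flatten each user into the JSON shape shown in the proposal. `fetch_page` is a hypothetical callable standing in for the HTTP call, the sample pages are constructed, and two things are assumptions: that ids may arrive as global IDs such as `gid://gitlab/User/1`, and that group memberships map to `source_type` "Namespace" as in the sample JSON.

```python
def to_int(gid):
    # Assumption: ids may be global IDs such as "gid://gitlab/User/1".
    return int(str(gid).rsplit("/", 1)[-1])

# Assumption: group memberships map to "Namespace", as in the proposal's sample JSON.
SOURCES = (("groupMemberships", "group", "Namespace"),
           ("projectMemberships", "project", "Project"))

def flatten_user(node):
    """Map one users.nodes entry onto the proposal's JSON shape."""
    rows = []
    for field, key, source_type in SOURCES:
        for m in (node.get(field) or {}).get("nodes", []):
            creator = m.get("createdBy")  # null when no creator is recorded
            rows.append({
                "access_level": m["accessLevel"]["integerValue"],
                "created_by_id": to_int(creator["id"]) if creator else None,
                "source_id": to_int(m[key]["id"]),
                "source_type": source_type,
                "created_at": m["createdAt"],
                "updated_at": m["updatedAt"],
            })
    return {"user_id": to_int(node["id"]), "memberships": rows}

def collect_report(fetch_page):
    """fetch_page(cursor) is a hypothetical callable returning the `users` object."""
    report, cursor = [], None
    while True:
        users = fetch_page(cursor)
        report.extend(flatten_user(n) for n in users["nodes"])
        info = users["pageInfo"]
        if not info["hasNextPage"]:
            return report
        if info["endCursor"] in (None, cursor):
            raise RuntimeError("cursor did not advance; refusing to loop")
        cursor = info["endCursor"]

# Constructed two-page sample response (not real GitLab output).
TS = "2017-03-17T17:18:09.283Z"
def _m(level, creator, key, gid):
    return {"createdAt": TS, "updatedAt": TS, "accessLevel": {"integerValue": level},
            "createdBy": {"id": creator} if creator else None, key: {"id": gid}}

PAGES = {
    None: {"pageInfo": {"hasNextPage": True, "endCursor": "c1"}, "nodes": [
        {"id": "gid://gitlab/User/1",
         "groupMemberships": {"nodes": [_m(20, "gid://gitlab/User/20", "group", "gid://gitlab/Group/3")]},
         "projectMemberships": {"nodes": [_m(40, None, "project", "gid://gitlab/Project/28")]}}]},
    "c1": {"pageInfo": {"hasNextPage": False, "endCursor": None}, "nodes": [
        {"id": 20, "groupMemberships": {"nodes": []},
         "projectMemberships": {"nodes": [_m(50, 1, "project", 5)]}}]},
}
REPORT = collect_report(PAGES.get)
```

The cursor check stops the export instead of looping forever if a page claims `hasNextPage` but returns no new `endCursor`, which would otherwise hide an incomplete audit behind a hung job.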