Allow groups to disable 2FA requirement for subgroups
Problem to solve
As an Owner of a group, I want to be able to globally disable the 2FA requirement on all subgroups in my group on GitLab.com. Today, all users in SSO-enabled groups are added as Guest at the top level and, through inheritance, are members of every subgroup. If a user in a subgroup turns on MFA, 2FA becomes required for all users of the SSO-enabled group. This leads to a bad experience for customers that have opted to handle MFA outside of GitLab.
Intended users
Further details
This is similar to the feature to bypass 2FA for certain identity providers on self-managed:
https://docs.gitlab.com/ee/integration/omniauth.html#bypassing-two-factor-authentication
Proposal
Create a toggle that lets top-level group owners prevent 2FA from being enabled in any subgroup descendant. Subgroups below the top level must not be able to turn on MFA.
Permissions and Security
Owner in the top-level group (where SAML SSO is configured)
Documentation
Availability & Testing
What risks does this change pose to our availability?
This feature appears to be low risk for GitLab instance availability.
How might it affect the quality of the product?
This feature will improve the user experience (and therefore the quality of the product) by letting customers who use SSO together with external MFA disable 2FA at the top level, so that subgroup admins cannot enable it accidentally and cause confusion and a sub-optimal user experience.
What additional test coverage or changes to tests will be needed?
Ensure the following scenarios are covered:
- By default, "Allow MFA to be configured in subgroups" should be checked, so that existing behaviour continues.
- When the "Allow MFA to be configured in subgroups" checkbox is changed from checked to unchecked, any subgroups that already have 2FA enabled should have it disabled.
- While the "Allow MFA to be configured in subgroups" checkbox is unchecked, subgroups should not see the "Two-factor authentication" section.
- While the "Allow MFA to be configured in subgroups" checkbox is unchecked, the top-level group should still see the "Two-factor authentication" section, and the user should be able to enable/disable it.
These scenarios can be covered at levels lower than end-to-end tests; no new end-to-end tests should be required. However, we should make sure the package-and-qa job is run to confirm that the existing end-to-end tests still pass.
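As an added illustration of the behaviour the scenarios above describe (this is not GitLab's code and not part of this issue), the Ruby model below assumes hypothetical names: a `Group` class with a per-group `require_two_factor_authentication` flag and a top-level-only `allow_mfa_in_subgroups` setting. It shows the default (checked) preserving today's inheritance, the unchecked state clearing 2FA on descendants and hiding the option from subgroups, and the top-level group remaining free to enable 2FA itself.

```ruby
# Added example, not GitLab code. Group, allow_mfa_in_subgroups and
# require_two_factor_authentication are hypothetical names used to model
# the proposed "Allow MFA to be configured in subgroups" setting.
class Group
  attr_reader :name, :parent, :children
  attr_accessor :require_two_factor_authentication, :allow_mfa_in_subgroups

  def initialize(name, parent: nil)
    @name = name
    @parent = parent
    @children = []
    @require_two_factor_authentication = false
    # Default: checked, so existing behaviour continues unchanged.
    @allow_mfa_in_subgroups = true
    parent.children << self if parent
  end

  def top_level?
    parent.nil?
  end

  def root
    top_level? ? self : parent.root
  end

  # A subgroup may configure 2FA only while the top-level group allows it;
  # the top-level group itself is never restricted by the setting.
  def can_configure_two_factor?
    top_level? || root.allow_mfa_in_subgroups
  end

  # Setter for the top-level checkbox. Flipping it to unchecked also clears
  # 2FA on every descendant that already had it enabled.
  def set_allow_mfa_in_subgroups!(value)
    raise ArgumentError, "setting is only available on top-level groups" unless top_level?
    @allow_mfa_in_subgroups = value
    descendants.each { |g| g.require_two_factor_authentication = false } unless value
    self
  end

  # What a subgroup owner would do from the "Two-factor authentication"
  # section; refused when the top-level group has disabled it.
  def enable_two_factor!
    raise "2FA cannot be configured in subgroups of #{root.name}" unless can_configure_two_factor?
    @require_two_factor_authentication = true
    self
  end

  # Effective requirement: own setting or any ancestor's, ignoring subgroup
  # settings that the top-level group has switched off.
  def two_factor_required?
    ancestors_and_self.any? do |g|
      g.require_two_factor_authentication && g.can_configure_two_factor?
    end
  end

  def descendants
    children.flat_map { |c| [c] + c.descendants }
  end

  def ancestors_and_self
    top_level? ? [self] : parent.ancestors_and_self + [self]
  end
end

# Walks through the four test scenarios with a constructed two-level group.
# Returns [required before unchecking, required after unchecking,
#          subgroup may still configure 2FA, required once top level enables it]
def scenario
  top = Group.new("acme")
  sub = Group.new("acme/eng", parent: top)
  sub.enable_two_factor!
  before = sub.two_factor_required?        # true: existing inheritance
  top.set_allow_mfa_in_subgroups!(false)
  after = sub.two_factor_required?         # false: cleared on descendants
  can_sub = sub.can_configure_two_factor?  # false: section hidden in subgroup
  top.enable_two_factor!                   # top level is unaffected
  [before, after, can_sub, sub.two_factor_required?]
end

puts scenario.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints `[true, false, false, true]`: the subgroup's own 2FA requirement is honoured until the top-level owner unchecks the setting, after which the subgroup can no longer configure it, while a requirement set at the top level still flows down by inheritance.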
Will it require cross-browser testing?
This feature is not UI heavy, so extensive cross-browser testing shouldn't be required.