Performant group-level membership checking

Problem to solve

Currently there is no performant way to query the list of groups a user is a member of. A use case is to get a list of group-level resources in a set of groups the user can read. Specifically, for the confidential epics task we need to filter only epics which are either not confidential or are in a group the user is a member of. This could be done by using a group members sub-query to get the user's membership, but since the member can be a whole group, it's probably not possible to do this with a single query.

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Proposal

An option would be to denormalize group membership and introduce a group_authorizations table (similar to the existing project_authorizations table) which would keep the group membership access level for each group member?

Permissions and Security

Similar to project_authorizations, we should make sure we update this table whenever a user's membership is updated (either directly or indirectly - when sharing with a group).

Edited by Jan Provaznik