Disable sharing of groups within a SaaS customer namespace with other groups
Problem to solve
Customers on GitLab.com manage a top/root group namespace. Access to that namespace is typically managed on a that root group level and can optionally be protected using SSO.
However, subgroups can be shared with any other groups, even from other namespaces. This action can be performed by owners of these subgroups, without knowledge of the root group owner.
The consequence is a compliance issue, where, as a root group owner, I can not prevent lower level groups being shared with people outside my organization. In addition, these members brought in via shared groups will take billable seats in my subscription as well.
Intended users
User experience goal
The user should be able to prevent groups being shared outside their root group namespace. That feature is analogous to Share project with group lock.
Proposal
Add a configuration option on top group level "Prevent sharing a group within $namespace with other groups". Activating that option limits sharing to groups that are descendants of the top level group.
Further details
This feature should expose an API attribute, similar to share_with_group_lock
in the Groups API. Enterprise customers need API attributes to automate their configuration.
Upon implementation of this feature, share_with_group_lock
(currently used for locking project sharing within the group) will be somewhat ambiguously named.
Permissions and Security
Owner
Documentation
Availability & Testing
What is the type of buyer?
Managing groups becomes an issue for mid-sized companies with multiple subgroups, so this should be a Premium feature