Global admins should not be forced to set up 2FA if they're members of a group or project with 2FA requirements
Zendesk ticket: https://gitlab.zendesk.com/agent/tickets/94910
Description
I'm a global admin on our GitLab EE installation, and I'm also the 'Owner' of a certain group (just by virtue of me creating the group). Another 'Owner' enabled 2FA on that group. This locked my account until I set up 2FA -- I could not navigate to any section of GitLab -- admin settings, other parts of my profile, anything, even projects where no 2FA is required.
A global administrator should not need to be forced to enable 2FA if a single project of which that admin is a member decides to enable 2FA. If this forcing function is required, it should not be global to the entire GitLab instance, only the relevant project/group.
Further, there really needs to be an option to disable 2FA globally so that arbitrary GitLab users can't impose this kind of check on other users where it's unwarranted (our shop uses federated SAML via PIV cards for authentication, and 2FA is not necessary). Right now, we have no option to prevent users from deciding to lock out global administrators (it's easy enough to fix, just extremely bothersome).
Proposal
Make 2FA requirements for groups/projects only apply to the groups/projects in question or prevent global admins from being forced to set up 2FA when it's required at group level.