Allow an organization to disable user account-level 2FA functionality at the namespace level
Problem to solve
Many organizations that use GitLab elect to leverage SAML providers that offer 2FA/MFA functionality as part of the user authentication flow (examples: Okta, Azure Active Directory). In such situations, enabling GitLab's own 2FA functionality is superfluous and can create an additional support burden as users lose access to their one-time-password generators (e.g. a lost phone).
Intended users
User experience goal
As an Organization administrator, I want the ability to completely remove a user's ability to enable User-level 2FA on Gitlab.
As a User joining a Persona with an Organization, I need to be informed that I am granting the Organization permission to toggle on/off parts of my account-profile functionality.
As a User-member of an Organization that has opted to disable 2FA functionality, I should not see any "Two-Factor Authentication" option under /profile/account.
Being able to control this at the namespace level (for SaaS tenants) or at the instance level (for self-managed) would be ideal.
Further details
Permissions and Security
An owner of an organization should be the one able to manage this permission.