Provisioned Accounts
Problem to solve
Enterprise customers on Gitlab.com want to be able to fully manage the entire lifecycle of users in their groups. This desire is both for efficiency and to protect their intellectual property. Typically, these customers will have centralized user management for their enterprise through an IdP like Okta or Azure and use GitLab SSO/SCIM.
There are three ways that users can join a SAML enabled group today:
- Users are provisioned using SCIM and join the group when they follow a GitLab SAML URL
- Users create an account after following a GitLab SAML URL. The user links this new account to their SAML identity.
- Users already have a GitLab account and link it to their SAML identity when they follow a GitLab SAML URL
Accounts that are newly provisioned for a group (scenarios 1 and 2 above) can be used to participate in any group/project in GitLab.com. Over time, they can collect intellectual property that doesn't belong to the organization they were provisioned for. Accounts that existed and were invited into a group (scenario 3) may have participated in other groups and contain intellectual property from another organization. This dynamic prevents us from allowing administrators for a SAML enabled group from fully managing users that are part of their group.
Intended users
User experience goal
Proposal
We draw a distinction between newly provisioned accounts (scenarios 1 and 2 above) and allow administrators additional rights to manage those users' accounts. In order to prevent accidental disclosure of intellectual property, those accounts cannot participate in other groups. They also should not be able to use personal namespace. When a user leaves their group, they should not be able to use the account anymore.
Users that provision accounts for use with a group will have very clear messaging that this account is only for use with that group. Their welcome email will clearly state this. Since users will not be able to use the account with any other projects/groups the probability that they use this account for personal work is low.
This approach is different from Group Managed Accounts because ONLY accounts that were newly provisioned in the context of a group can be administered by a group. Existing accounts CANNOT become managed.
Questions
- Why are we not pursuing Personas?
- After spending time investigating the concept of profiles within an account, we discovered that the effort to make that solution is too high. We also heard a need from customers that accounts that were exclusive to their group was a hard requirement.
- Can we iterate here with Group Managed Acccounts?
- We'll need the SAML provisioning capabilities. This should be a stand-alone feature.
- We don't need the workflow to make an account managed.
- We don't need the special outer forks toggle. We already built this for all groups in this issue.
- We'll need to make all SCIM created accounts also be marked as managed. Maybe this happens when they join the group?
- A nice bonus will be the credential inventory!
- What functionality needs to be there for an MVC?
- Tying a provisioned account to their group.
- Custom email notification explaining intended account usage.
- In-app messaging on the first log in explaining intended account usage.
- Prevent the newly provisioned account from creating projects/groups outside of the top-level namespace.
- What's the transition for a group that starts account provisioning?
- How do we resolve conflicts in account creation? Example: Someone created an account with their work email and now the enterprises SCIM system wants to create an account with that same email.
Further details
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Activity
added groupauthentication and authorization [DEPRECATED] typefeature + 1 deleted label
This approach is different from Group Managed Accounts because ONLY accounts that were newly provisioned in the context of a group can be administered by a group. Existing accounts CANNOT become managed.
@mushakov: There's already an existing flow with Group Managed Accounts where you create a new account, isn't there? If we just remove the ability to map an existing account, do you think that'd be sufficient?
Setting label(s) devopsmanage sectiondev based on ~"group::access".
added devopsmanage sectiondev + 1 deleted label
mentioned in issue gitlab-org/quality/triage-reports#604 (closed)
@dblessing @alexpooley I created this after our call last week where we discussed that introducing separate personas in a single account would be significant lift and we should pursue separate accounts instead. Can you please review it and let me know your thoughts?
@mushakov This makes sense. The biggest question/hurdle for me is definitely the last one in the proposal - how to deal with existing/duplicate email addresses.
This is potentially easier if the email address is a secondary one in another account. The user wouldn't necessarily lose access if we remove that email address automatically.
For primary email addresses it's a bit more tricky. Can we somehow allow duplicates between managed and unmanaged accounts in the short term - just to allow the new managed account to be created? Then on first sign-in to either account the user is forced to acknowledge the duplication, that the enterprise has assumed the email address, and give the user the option to change their personal account email to retain access there.
mentioned in issue gitlab-org/quality/triage-reports#662 (closed)
mentioned in issue gitlab-org/quality/triage-reports#670 (closed)
mentioned in issue gitlab-org/quality/triage-reports#703 (closed)
promoted to epic &4786
