Restrict Group and Project Membership
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Release notes
Problem to solve
GitLab admins can now limit group and project creation for users #263661 (closed). However, a gap is that they cannot prevent users from being invited to other projects and groups. We need a setting that limits user membership to only the group that they originated from.
Proposal
Before a user can be invited to a group, we check which group they were provisioned by. We restrict invitations to only be sent by groups/projects that are in that hierarchy.
In later iterations we can make this option configurable by admins and build an "allow list" of groups. For now we can make this a feature flag and see how many customers opt into this model. One thing to consider is that this will affect admins for an account's ability to interact with GitLab TAMs within GitLab. Perhaps we need to make it a user-level flag