Expose `is_auditor` user role via API
Release notes
Problem to solve
Enterprise customers often manage their users, including their roles and permissions, in third-party systems that serve as the single source of truth for role-based access control. This includes special user roles like `admin` and `auditor`.
In order to manage these roles outside of GitLab, customers need a way to configure these roles via the API. Currently, the Users API for admins provides a field `is_admin` to configure admin users, but there is no respective `is_auditor` field.
Intended users
User experience goal
Admin users are able to set the auditor role for a specific user via the API.
Proposal
Provide an `is_auditor` field in the Users API for admins, analogous to the `is_admin` field.
I'm currently not clear how the API should treat invalid configurations, like setting both `is_admin` and `is_auditor` to `true`. The correct way to handle this would be an `instance_access_level` field with values `regular`, `auditor` and `admin`, but this would be a breaking change.
Possibly the API could just reject the call if both fields are set to `true`.
Further details
Permissions and Security
Instance admin permissions
Documentation
Document the field in the API. Add a new section to https://docs.gitlab.com/ee/administration/auditor_users.html on how to configure Auditor users via the API.
Availability & Testing
Available Tier
This is a basic API feature, so it would be Free.
What does success look like, and how can we measure that?
New field `is_auditor` added to the Users API.
What is the type of buyer?
This feature is especially important for large enterprises, whose compliance rules prescribe an auditable user management system that serves as single source of truth for RBAC.
Is this a cross-stage feature?
No
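The validation question raised in the Proposal section, as an added example that is not part of the original issue and not GitLab's code: a check that only inspects the request parameters misses a partial update (only `is_auditor: true`) sent for a user who is already an admin, so the sketch below merges the request with the stored flags before rejecting the conflict. The names `resolve_instance_access_level`, `parse_flag` and `InvalidRoleCombination` are hypothetical.

```ruby
# Hypothetical helper, not GitLab code: resolves a partial Users API update
# against the user's current flags and rejects the admin+auditor conflict.
class InvalidRoleCombination < StandardError; end

ROLE_FLAGS = %i[is_admin is_auditor].freeze

# Accept only real booleans or the strings "true"/"false"; anything else
# is rejected rather than coerced, so "yes" or 1 cannot silently grant a role.
def parse_flag(name, value)
  case value
  when true, "true" then true
  when false, "false" then false
  else raise ArgumentError, "#{name} must be true or false"
  end
end

# current: flags stored for the user, e.g. { is_admin: true, is_auditor: false }
# params:  flags sent in the request; absent keys keep their current value.
# Returns the single access level the proposal names: :regular, :auditor, :admin.
def resolve_instance_access_level(current, params)
  merged = ROLE_FLAGS.to_h do |flag|
    value = params.key?(flag) ? parse_flag(flag, params[flag]) : current.fetch(flag, false)
    [flag, value]
  end

  if merged[:is_admin] && merged[:is_auditor]
    raise InvalidRoleCombination, "is_admin and is_auditor cannot both be true"
  end

  return :admin if merged[:is_admin]
  return :auditor if merged[:is_auditor]
  :regular
end

# Constructed sample requests against a user who is currently an admin.
if __FILE__ == $PROGRAM_NAME
  admin = { is_admin: true, is_auditor: false }
  # Explicit demotion to auditor in one call is accepted.
  p resolve_instance_access_level(admin, { is_admin: "false", is_auditor: "true" })
  begin
    # Partial update that would leave both flags true is rejected.
    resolve_instance_access_level(admin, { is_auditor: true })
  rescue InvalidRoleCombination => e
    puts "rejected: #{e.message}"
  end
end
```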