Allow option to change permission levels of users when LDAP group sync is enabled

description

We want to allow people to change permission levels of individual members from synced LDAP groups in groups.

  • The ability to do this has to be configurable on a Global level (group level doesn't really make sense, because group members that can change permissions would also be able to change the setting)
  • It should use a boolean on users to distinguish an LDAP-synced user from an excepted one.

Mockups

Editing LDAP user

v02-ldap__enable-edit--editing

Drop down options w/ option to revert back to LDAP

v02-ldap__enable-edit--dropdown

After editing the permission, the user still has a label indicating they are still part of the LDAP group

v02-ldap__enable-edit--postedit

LDAP mobile view

v02-ldap--mobile

Editing LDAP mobile view

v02-ldap__edit--mobile

original issue

We have two customers (large ones) with opposing views on LDAP group sync member management.

Initially, we allowed manual management of users when group sync was enabled. In 7.14 or 8.0 we changed this and now you cannot manage members when group sync is enabled. This was changed in https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/465 at the request of a customer in https://gitlab.zendesk.com/agent/tickets/2679

Now, the second customer recently upgraded from 7.x to 8.4 and is now struck by what appears to be a regression from their standpoint. https://gitlab.zendesk.com/agent/tickets/16312

I've also heard from several other customers/users that this feels a bit restrictive. From their perspective, it doesn't make sense to add another LDAP group just to promote one or a few members from developer to master/owner of a group. They would rather allow certain users to be an exception to the group sync.

I think we should add an option for this. I'm not sure whether it should be a global, or group-level option, or both. I believe the customer in Zendesk issue 2679 was after a global 'lock' solution. However, group sync is enabled or disabled at the group level, so a global option may not be warranted.

To accomplish this we'll need the option, plus a new boolean on users (I think) to distinguish an LDAP-synced user from an excepted one.

cc/ @DouweM @JobV What do you think?
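As an added example (not GitLab's code and not part of this issue), the Ruby sketch below models the two pieces that both the description's bullet list and the closing note of the original issue call for: an instance-wide switch, and a per-member boolean that marks an LDAP-synced member whose level was set by hand. It shows why the switch has to be global (a member with admin rights could otherwise flip a group-level switch and edit themselves), how an override survives a re-sync, how "revert to LDAP" undoes it, and what a sync does once the switch is turned off. All class and method names are assumptions for illustration; the behaviour for an overridden member who leaves the LDAP group is also an assumption and is marked in the code.

```ruby
# Added example, not GitLab's own code: a small model of LDAP group sync
# coexisting with manual permission overrides, gated by a global setting.
# Class and method names (GlobalSettings, GroupMembership, sync, ...) are
# assumptions made for this illustration.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, master: 40, owner: 50 }.freeze

# Instance-wide switch, as the description requires (a group-level switch
# could be flipped by the very members it is meant to constrain).
class GlobalSettings
  attr_accessor :allow_ldap_override

  def initialize(allow_ldap_override: false)
    @allow_ldap_override = allow_ldap_override
  end
end

# One group membership. `ldap` marks a member that came from group sync;
# `override` marks an LDAP-synced member whose level was set by hand.
Member = Struct.new(:username, :access_level, :ldap, :override)

class GroupMembership
  attr_reader :members

  def initialize(settings)
    @settings = settings
    @members = {} # username => Member
  end

  # Manual change of a member's level. For LDAP-synced members it is refused
  # unless the global option is on, so group admins cannot bypass sync.
  def set_access_level(username, level)
    member = @members.fetch(username)
    if member.ldap && !@settings.allow_ldap_override
      raise ArgumentError, "#{username} is managed by LDAP group sync"
    end
    member.access_level = ACCESS_LEVELS.fetch(level)
    member.override = true if member.ldap
    member
  end

  # The "revert to LDAP" dropdown option: clear the flag; the next sync
  # restores the level given by the LDAP group mapping.
  def revert_to_ldap(username)
    @members.fetch(username).override = false
  end

  # Apply the LDAP state. `ldap_levels` is {username => level symbol}, already
  # resolved by the caller from the group's LDAP group links.
  # - overridden members keep their level only while the global option is on;
  # - every other LDAP member is set to the LDAP level and the flag is cleared;
  # - LDAP members no longer in any linked LDAP group are removed (assumed
  #   behaviour: the override changes the level, not the membership itself).
  def sync(ldap_levels)
    ldap_levels.each do |username, level|
      target = ACCESS_LEVELS.fetch(level)
      member = @members[username]
      if member.nil?
        @members[username] = Member.new(username, target, true, false)
      elsif member.override && @settings.allow_ldap_override
        next # keep the hand-set level; the member stays LDAP-labelled
      else
        member.access_level = target
        member.ldap = true
        member.override = false
      end
    end
    @members.delete_if { |name, m| m.ldap && !ldap_levels.key?(name) }
    self
  end

  def level_of(username)
    ACCESS_LEVELS.key(@members.fetch(username).access_level)
  end
end

# Scenario from the issue: promote one synced member to master without adding
# another LDAP group, re-sync, then revert. Input is a constructed sample.
def promote_and_revert
  settings = GlobalSettings.new(allow_ldap_override: true)
  group = GroupMembership.new(settings)
  ldap = { "alice" => :developer, "bob" => :developer }
  group.sync(ldap)
  group.set_access_level("alice", :master)
  after_resync = group.sync(ldap).level_of("alice")
  group.revert_to_ldap("alice")
  after_revert = group.sync(ldap).level_of("alice")
  [after_resync, after_revert]
end

puts promote_and_revert.inspect if __FILE__ == $PROGRAM_NAME
```

The global switch is checked at write time (`set_access_level`) and again at sync time, so turning it off does not just block new edits: the next sync resets every existing override, which is the "lock" behaviour the first customer asked for.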