Group Access Token (bot user) should not be last explicit top-level group owner

Summary

It's possible for a Group Access token bot user to be the last explicit owner of a top-level group.

This causes issues especially in SaaS where no one can sign in as the bot user to change settings or re-add users.

Steps to reproduce

  1. Create a group.
  2. Add a Group Access Token with Owner role to the group.
  3. All other owners remove themselves, or set up something like SAML Group Sync in a way that auto-removes all owners except the "last owner".

Example Project

Prompted by customer ticket (internal): https://gitlab.zendesk.com/agent/tickets/292707

What is the current bug behavior?

A Group Access Token bot user can become the last explicit owner of a top-level group.

What is the expected correct behavior?

Bot users are not counted when determining the last owner, so the last human owner cannot be removed while only a bot owner remains.
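The expected check, as an added Ruby example (not GitLab's own code): a small model of group membership in which the "last owner" determination ignores bot users, shown beside the current behaviour that counts them. The `Member` struct, `Group` class, method names and sample members are assumptions made for illustration; `OWNER = 50` mirrors the Owner access level value GitLab's API uses.

```ruby
# Added illustration, not GitLab's implementation. Member/Group and the
# method names below are constructed for this example.
Member = Struct.new(:name, :access_level, :bot, keyword_init: true)

OWNER = 50 # Owner access level value as used by the GitLab API

class Group
  attr_reader :members

  def initialize(members)
    @members = members
  end

  # Owners who are real (human) users. A Group Access Token bot user holds an
  # Owner membership too, but nobody can sign in as it, so it is excluded.
  def human_owners
    members.select { |m| m.access_level == OWNER && !m.bot }
  end

  # Current (buggy) behaviour: the bot counts as an owner, so a human owner
  # may remove themselves and leave the bot as the only owner.
  def last_owner_counting_bots?(member)
    owners = members.select { |m| m.access_level == OWNER }
    owners.size == 1 && owners.first.equal?(member)
  end

  # Expected behaviour: bots are not considered, so the last human owner is
  # reported as the last explicit owner even when a bot owner remains.
  def last_owner?(member)
    return false if member.bot
    human_owners == [member]
  end

  # Membership removal guarded by the expected check.
  def remove_member!(member)
    raise ArgumentError, "#{member.name} is the last explicit owner" if last_owner?(member)
    members.delete(member)
  end
end

# Constructed scenario from the issue: one human owner plus one bot owner.
def build_scenario
  alice = Member.new(name: "alice", access_level: OWNER, bot: false)
  token_bot = Member.new(name: "group_123_bot", access_level: OWNER, bot: true)
  [Group.new([alice, token_bot]), alice, token_bot]
end

group, alice, token_bot = build_scenario
puts group.last_owner_counting_bots?(alice) # => false (bug: removal allowed)
puts group.last_owner?(alice)               # => true  (fixed: removal blocked)
puts group.last_owner?(token_bot)           # => false (bot never "last owner")
```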

Output of checks

GitLab.com, GitLab Enterprise Edition 15.1.0-pre 75aa6cd2

Edited by Thong Kuah