Assign a user a maximum role that cannot be elevated without Admin approval


Release notes

This feature will allow Administrators to set a maximum role for a user. For example, Parker (Product Manager) cannot exceed the role of Reporter and Henry (Help Desk Analyst) cannot exceed the role of Guest in any project or group.

Problem to solve

  1. Maintainers and Owners of Projects/Groups can elevate any user to any role. This might bypass corporate compliance workflows that manage who can access what data and when.
  2. When taking advantage of Free Guest Users in Ultimate, a user's role can be elevated beyond Guest and start consuming a license without proper approvals.

Proposal

Add a user attribute that sets a max role, and check this attribute when users are added to a group or project. Do not allow the addition if the requested role is higher than the max role.

Additional Iterations

  • Add this to the group level, so a user can have a maximum role by group/sub-group. This would enable SaaS consumption of this feature.

Intended users

Feature Usage Metrics

/cc @hsutor


Edited by 🤖 GitLab Bot 🤖
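
The check described under Proposal and Additional Iterations, sketched as an added example; it is not GitLab code or part of the original issue. `MaxRoleCheck`, `user_cap`, `group_caps` and `admin_approved` are hypothetical names, and the rule that the most restrictive applicable cap wins is an assumption.

```ruby
# Added illustration; class and parameter names are hypothetical.
# Integer values follow GitLab's documented access levels.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class MaxRoleCheck
  Result = Struct.new(:allowed, :reason)

  # user_cap:   instance-wide maximum role for the user (Symbol), nil for no cap.
  # group_caps: { "group/full/path" => role }, the per-group caps from the
  #             "Additional Iterations" item.
  def initialize(user_cap: nil, group_caps: {})
    @user_cap = user_cap
    @group_caps = group_caps
  end

  # Most restrictive cap that applies to a namespace: the user-level cap plus any
  # cap set on the namespace itself or on one of its ancestor groups (assumption).
  # Returns nil when the user is uncapped there.
  def effective_cap(namespace_path)
    parts = namespace_path.split("/")
    ancestors = (1..parts.size).map { |n| parts.first(n).join("/") }
    caps = ancestors.map { |path| @group_caps[path] }.compact
    caps << @user_cap if @user_cap
    caps.min_by { |role| ACCESS_LEVELS.fetch(role) }
  end

  # Run on every membership add and on every role change, so a later elevation
  # is checked the same way as the initial add.
  def authorize(namespace_path, requested_role, admin_approved: false)
    requested = ACCESS_LEVELS.fetch(requested_role) # unknown role raises KeyError
    cap = effective_cap(namespace_path)
    return Result.new(true, "no cap") if cap.nil?
    return Result.new(true, "within cap") if requested <= ACCESS_LEVELS.fetch(cap)
    return Result.new(true, "admin approved") if admin_approved

    Result.new(false, "#{requested_role} exceeds max role #{cap}")
  end
end

# Constructed sample data mirroring the release-notes example.
parker = MaxRoleCheck.new(user_cap: :reporter)
henry  = MaxRoleCheck.new(group_caps: { "acme" => :guest })
puts parker.authorize("acme/app", :developer).reason
puts henry.authorize("acme/support/tickets", :reporter).reason
```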