Allow control over project visibility for enterprise users

Problem to solve

A group Owner on GitLab.com might want to have more control over their users' namespaces. Currently, an Enterprise User can create or import projects in their own Personal namespace outside of their organization's primary group/namespace. This currently allows for potential accidental exposure of source code that should be private.

We currently have a SAML attribute called projects_limit which can allow a group Owner to set the value to 0, effectively preventing a user from creating any personal projects. An organization might decide that they actually do want users to have the freedom of creating their own personal projects, but want to ensure that they are unable to create public projects to reduce the risk of code exposure.

Proposal

We should bring some administrative-level features like restrict visibility levels to the group, but also have the ability for it to apply to a user namespace that was provisioned via SAML/SCIM.

  • Introduce a SAML attribute that prevents users from creating public projects.
  • Introduce a group-level GUI setting that restricts all members that were provisioned via SAML/SCIM from creating public projects in their own namespace.

Intended users

Group Owners who provision and manage users and are security-minded.