Create SAML Group Lock for Self-Managed GitLab
Background
Customers want to be absolutely sure that additional members cannot be added to groups that are controlled by SAML group links. Currently, a group owner can add other members to such groups, as long as the user being added has an SSO-enabled login.
Proposal
Create a "SAML Group Lock" similar to LDAP Group Membership Lock.
- Since this issue is for self-managed GitLab, place this setting in ApplicationSettings.
The setting should be disabled by default.
GitLab administrators can prevent group members from inviting new members to subgroups that have their membership synchronized with SAML group links by turning this setting ON.
Global group membership lock only applies to subgroups of the top-level group where SAML group links are configured.
When global group membership lock is enabled:
- Users are not allowed to share a project with other groups or invite members to a project created in a group.
- Only an admin can manage memberships.
Alternative
The problem we are trying to solve here is that we don't want Owners to be able to add new members to groups. Instead of creating a SAML group lock, we could split out the current permissions around group owner and make a granular permission, "can add new users to groups".
Then, to accomplish this, someone would create a new custom role that uses the Maintainer role as a template, add whatever granular permissions are needed on top, and create it.
Self-Managed / SaaS
Ideally, we would have this for both self-managed and SaaS. But for the customer escalation, Self-Managed is higher priority.
To minimize scope, we are keeping this self-managed only for now. A separate issue will be created and linked for SaaS.
Known Limitation
If a member is already in a group and is not synced through SAML group sync, and SAML group lock is turned on, the group member will not be automatically removed.
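To make the proposed rules and the known limitation concrete, here is an added toy model of the lock's authorization decision. It is illustrative code written for this issue, not GitLab's own code or API; the setting name saml_group_lock, the Group#saml_group_links and Member#synced_via_saml attributes, the action symbols, and the reading that only subgroups (not the top-level group itself) are locked are all assumptions.

```ruby
# Added example (not GitLab's code): a toy model of the proposed SAML group lock.
# All names here (ApplicationSettings#saml_group_lock, Group#saml_group_links,
# Member#synced_via_saml, the action symbols) are assumptions for illustration.

ApplicationSettings = Struct.new(:saml_group_lock)          # the proposed global toggle, off by default
User                = Struct.new(:name, :admin)
Member              = Struct.new(:user, :synced_via_saml)   # true when membership came from SAML group sync

Group = Struct.new(:name, :parent, :saml_group_links, :members) do
  # Walk up to the top-level (root) group of the hierarchy.
  def top_level
    parent ? parent.top_level : self
  end

  def subgroup?
    !parent.nil?
  end
end

# Actions the lock restricts for non-admins, per the proposal's list.
LOCKED_ACTIONS = %i[invite_member share_project_with_group].freeze

# The lock applies only when the global setting is on AND the group is a subgroup
# of a top-level group that has SAML group links configured.
def membership_locked?(settings, group)
  return false unless settings.saml_group_lock
  group.subgroup? && !group.top_level.saml_group_links.empty?
end

# Authorization decision for an actor who already holds a role (e.g. Owner) in the group.
# Admins always pass; everyone else is blocked on locked actions in locked groups.
def allowed?(settings, actor, group, action)
  return true if actor.admin
  return true unless LOCKED_ACTIONS.include?(action)
  !membership_locked?(settings, group)
end

# The known limitation: turning the lock on does not evict members who were added
# outside SAML group sync. This lists them so an admin can review them by hand.
def unsynced_member_names(group)
  group.members.reject(&:synced_via_saml).map { |m| m.user.name }
end

# Constructed sample hierarchy: top-level "corp" has a SAML group link,
# subgroup "corp/platform" has one SAML-synced member and one manually added Owner.
ADMIN = User.new("site-admin", true)
OWNER = User.new("group-owner", false)
TOP   = Group.new("corp", nil, ["saml:engineering"], [])
SUB   = Group.new("corp/platform", TOP, [],
                  [Member.new(OWNER, false), Member.new(User.new("alice", false), true)])
LOCK_ON  = ApplicationSettings.new(true)
LOCK_OFF = ApplicationSettings.new(false)

if __FILE__ == $PROGRAM_NAME
  puts "owner may invite with lock off: #{allowed?(LOCK_OFF, OWNER, SUB, :invite_member)}"
  puts "owner may invite with lock on:  #{allowed?(LOCK_ON, OWNER, SUB, :invite_member)}"
  puts "admin may invite with lock on:  #{allowed?(LOCK_ON, ADMIN, SUB, :invite_member)}"
  puts "members not synced via SAML:    #{unsynced_member_names(SUB).inspect}"
end
```

The unsynced_member_names helper is the defender's complement to the limitation above: because enabling the lock does not remove members who were added outside SAML group sync, an admin would want such a list to review those memberships manually after turning the setting on.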