Allow role override for SAML group-synced inherited members


Release notes

GitLab does not currently support role overrides when SAML group-sync is turned on. We propose that it should.

Problem to solve

Enterprise customers use AuthN/AuthZ brokers to categorize users across a set of DevSecOps tools. In some cases a user's permissions need to be overridden in one tool but not in another. Because GitLab admins often do not own the groups in the AuthN/AuthZ broker, they cannot (and should not) reassign a user to a different SAML group. The easiest and most scalable solution is to allow overrides inside the tool that consumes the SAML groups.

Proposal

Create a group_sync_override_role in order to easily override the role of a user that was inherited from a group synced to SAML.
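As an added illustration (not GitLab code, and not part of this proposal's design), the following Ruby sketch shows one way the override could be resolved against the role inherited from SAML group sync. The numeric access levels mirror GitLab's Guest (10) through Owner (50) scheme, but `SamlGroupLink`, `GroupSyncMembership` and every method name are hypothetical. It encodes two edge cases a practitioner would want settled: an override cannot be set for a user who is not synced into the group at all, and when a later SAML assertion no longer places the user in any linked group, the override is dropped together with the synced membership rather than keeping the user in the group.

```ruby
# Added example, not GitLab's implementation. Class and method names are
# hypothetical; access levels follow GitLab's numeric scheme.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
ACCESS_LEVELS = [GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER].freeze

# A SAML group link maps an IdP group name to an access level in a GitLab group.
SamlGroupLink = Struct.new(:saml_group_name, :access_level)

class GroupSyncMembership
  attr_reader :synced_level, :override_level

  # group_links: the GitLab group's SAML group links.
  # saml_groups: group names the IdP asserted for the user at last sign-in.
  def initialize(group_links, saml_groups)
    @synced_level = resolve_synced_level(group_links, saml_groups)
    @override_level = nil
  end

  def synced?
    !@synced_level.nil?
  end

  # Store the hypothetical group_sync_override_role. It only makes sense
  # while the user actually holds a synced membership.
  def set_override(level)
    raise ArgumentError, "unknown access level #{level}" unless ACCESS_LEVELS.include?(level)
    raise "no synced membership to override" unless synced?
    @override_level = level
  end

  # Re-run sync after a fresh SAML assertion. If the IdP no longer places
  # the user in any linked group, the override is cleared as well, so an
  # override can never outlive the membership it modifies.
  def resync(group_links, saml_groups)
    @synced_level = resolve_synced_level(group_links, saml_groups)
    @override_level = nil unless synced?
    self
  end

  # Effective role: the override wins while the user is synced;
  # nil means the user is not a member of the group.
  def effective_level
    return nil unless synced?
    @override_level || @synced_level
  end

  # True when the override grants more than the IdP-derived role; worth
  # surfacing in an audit log, since the IdP owners did not approve it.
  def escalates?
    !@override_level.nil? && @override_level > @synced_level
  end

  private

  # Group sync grants the highest level among all matching links, or nothing.
  def resolve_synced_level(group_links, saml_groups)
    matched = group_links.select { |link| saml_groups.include?(link.saml_group_name) }
    matched.map(&:access_level).max
  end
end

# Constructed sample data for a stand-alone run.
if __FILE__ == $PROGRAM_NAME
  links = [SamlGroupLink.new("gitlab-devs", DEVELOPER),
           SamlGroupLink.new("gitlab-leads", MAINTAINER)]
  member = GroupSyncMembership.new(links, ["gitlab-devs"])
  member.set_override(REPORTER)
  puts "effective: #{member.effective_level}, escalates: #{member.escalates?}"
  member.resync(links, [])
  puts "after leaving all linked groups: #{member.effective_level.inspect}"
end
```

The `escalates?` check is the piece worth keeping whatever the final design looks like: a downgrade (the common "less in this tool" case) and an upgrade above what the IdP granted should not be treated identically in audit events.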

Intended users

Feature Usage Metrics

If a new attribute is created to track this, we could count how many non-empty values exist for that attribute. Note that a very high percentage of overridden memberships would not be healthy behavior either, since it would suggest the SAML group mappings themselves are wrong.
