Embedded User Access Reviews in GitLab
Proposal
Because of the way GitLab inherits permissions from "above" in the group/project tree structure, reviewing access for GitLab is challenging when using third-party tools (e.g. ConductorOne, Authomize, Sailpoint, etc.). Rather than addressing this problem with each individual third party user access review (UAR) or Identity Management solution, there could be an opportunity to review GitLab user access from within the GitLab tool itself.
I'm honestly not sure what the right mechanism would be for this but some kind of issue template that's automatically deployed might make the most sense since adding the additional UI for this feature seems daunting.
I think the minimum requirements for this feature to meet our customers' compliance and regulatory requirements would be:
- A way to demonstrate the completeness and accuracy of the listing of users
- A way to differentiate between all users (both inherited and direct) or just directly-added members of the group or project
- A way to export the results of the access review with a detailed accounting of who reviewed the access, when, and what the resulting decision was
- Potentially a way to index the user listings on some external source for who should be reviewing the listing
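As an added illustration of the first three requirements (not code from the proposal or from GitLab), the script below tags each effective member as direct or inherited, refuses to finish a review until every member has a decision, and exports the result with reviewer, timestamp, decision and a SHA-256 of the listing so an auditor can confirm the reviewed set is complete and unmodified. It assumes the two GitLab REST endpoints `GET /groups/:id/members` (direct only) and `GET /groups/:id/members/all` (direct plus inherited); the member payloads, usernames and decisions are constructed sample data.

```python
import csv, hashlib, io, json
from datetime import datetime, timezone

# Constructed sample payloads shaped like GitLab's /members (direct) and
# /members/all (direct + inherited) responses; not real API output.
DIRECT_MEMBERS = [{"id": 11, "username": "alice", "access_level": 50}]
ALL_MEMBERS = [
    {"id": 11, "username": "alice", "access_level": 50},
    {"id": 12, "username": "bob", "access_level": 30},    # inherited from parent group
    {"id": 13, "username": "carol", "access_level": 20},  # inherited from parent group
]
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer",
                 40: "Maintainer", 50: "Owner"}

def build_listing(direct, all_members):
    """Tag every effective member as direct or inherited (requirement 2)."""
    direct_ids = {m["id"] for m in direct}
    return [{
        "user_id": m["id"],
        "username": m["username"],
        "access_level": ACCESS_LEVELS.get(m["access_level"], str(m["access_level"])),
        "membership": "direct" if m["id"] in direct_ids else "inherited",
    } for m in sorted(all_members, key=lambda m: m["id"])]

def listing_digest(listing):
    """SHA-256 over the canonical listing (requirement 1): an auditor can
    recompute it to confirm the export covers exactly the reviewed members."""
    canonical = json.dumps(listing, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def record_review(listing, reviewer, decisions, reviewed_at=None):
    """Attach reviewer, timestamp and decision to each row (requirement 3).
    Fails closed if any member has no decision, i.e. the review is incomplete."""
    missing = [r["username"] for r in listing if r["username"] not in decisions]
    if missing:
        raise ValueError(f"no decision recorded for: {missing}")
    reviewed_at = reviewed_at or datetime.now(timezone.utc).isoformat()
    return [dict(r, reviewer=reviewer, reviewed_at=reviewed_at,
                 decision=decisions[r["username"]]) for r in listing]

def export_csv(rows):
    """Audit-friendly export of the completed review."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0]))
    w.writeheader(); w.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    listing = build_listing(DIRECT_MEMBERS, ALL_MEMBERS)
    print("listing sha256:", listing_digest(listing))
    reviewed = record_review(listing, "security-lead",
                             {"alice": "keep", "bob": "keep", "carol": "remove"})
    print(export_csv(reviewed))
```

In a real run the two member lists would be fetched (paginated) from the endpoints named above for each group or project in scope, and the digest stored alongside the exported CSV.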
What does success look like:
Success here would be a process to kick off a user access review for a selected group of GitLab Groups and/or Projects, the ability to complete the review within the GitLab application itself, and some audit-friendly output that could be used to demonstrate how and when the review was performed.