Allow SAML Group Lock without Group Sync


Proposal

Currently the SAML Group Lock functionality is limited to groups where Group Sync has been enabled. In practice this means that the Top Level Group adds all the users with a minimum permission level, and the subgroups are only allowed to increase those permissions without granting access to any new users not already in the SAML Group.

It is however quite likely that group owners and orgs would like to restrict or limit who can be added to a group, via Active Directory, without automatically adding them. This could be because of Active Directory groups that indicate a qualification or internal security clearance, but where security auditors or owners only want people in groups on which they are directly working.

The proposal is therefore to relax the requirement for Group Lock so it can be applied to any group, regardless of whether group sync has actually been enabled or not.

Group Lock may well require some SAML configuration to work this way, which can be done from either Group or Self Hosted Administration. That SAML configuration must not automatically add members to a group, but simply restrict who can be added to the group and its subgroups.
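To make the distinction between the two behaviours concrete, here is an added Python model of the rules described above. It is example code written for this issue, not GitLab's implementation: the `LockPolicy` and `Group` classes, the access-level constants, the `ASSERTED_GROUPS` SAML attribute data and the function names are all assumptions. With `group_sync=True` a SAML login auto-adds a matching user at the minimum level (today's behaviour); with `group_sync=False` (the proposal) nothing is added on login, but Group Lock still rejects any manual add of a user whose SAML assertion does not carry an allowed group, and subgroups may only raise the access level a user already holds in the top-level group.

```python
"""Model of SAML Group Lock with and without Group Sync (added example, not GitLab code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# GitLab access levels (numeric values as used by the GitLab API).
GUEST, REPORTER, DEVELOPER, MAINTAINER = 10, 20, 30, 40

# Constructed sample data: the groups each user's SAML assertion claims.
ASSERTED_GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"eng-all", "clearance-secret"}),
    "bob": frozenset({"eng-all"}),
    "carol": frozenset({"contractors"}),
}


@dataclass
class LockPolicy:
    """Hypothetical SAML configuration held on a top-level group."""
    allowed_saml_groups: FrozenSet[str]   # IdP groups whose members may be added
    group_sync: bool                      # True: auto-add on login (current behaviour)
    minimum_access_level: int = GUEST     # level granted by Group Sync on login


@dataclass
class Group:
    name: str
    policy: Optional[LockPolicy] = None   # configured on the top-level group only
    parent: Optional["Group"] = None
    members: Dict[str, int] = field(default_factory=dict)  # user -> access level

    def top_level(self) -> "Group":
        g = self
        while g.parent is not None:
            g = g.parent
        return g


def permitted_by_lock(group: Group, user: str, asserted=ASSERTED_GROUPS) -> bool:
    """Group Lock check: user must be in at least one allowed SAML group."""
    policy = group.top_level().policy
    if policy is None:
        return True  # no lock configured on this hierarchy
    return bool(asserted.get(user, frozenset()) & policy.allowed_saml_groups)


def on_saml_login(top: Group, user: str, asserted=ASSERTED_GROUPS) -> bool:
    """Called on SAML sign-in. Returns True only if Group Sync auto-added the user."""
    policy = top.policy
    if policy is None or not policy.group_sync:
        return False  # lock-only mode: never grant membership on login
    if not permitted_by_lock(top, user, asserted):
        return False
    if user not in top.members:
        top.members[user] = policy.minimum_access_level
        return True
    return False


def add_member(group: Group, user: str, level: int,
               asserted=ASSERTED_GROUPS) -> Tuple[bool, str]:
    """Manual add by an owner, enforced by Group Lock whether or not sync is on."""
    if not permitted_by_lock(group, user, asserted):
        return False, "denied: user is not in a SAML group allowed by Group Lock"
    top = group.top_level()
    if group is not top:
        if user not in top.members:
            return False, "denied: subgroups cannot grant access to users outside the top-level group"
        if level < top.members[user]:
            return False, "denied: subgroups may only raise the inherited access level"
    group.members[user] = level
    return True, "added"


if __name__ == "__main__":
    top = Group("acme", LockPolicy(frozenset({"clearance-secret"}), group_sync=False))
    sub = Group("acme/crypto", parent=top)
    print(on_saml_login(top, "alice"))            # False: lock-only, nothing auto-added
    print(add_member(top, "bob", DEVELOPER))      # denied: bob lacks clearance-secret
    print(add_member(top, "alice", REPORTER))     # added
    print(add_member(sub, "alice", MAINTAINER))   # added: raises inherited level
```

Running the module with Group Sync switched off shows the behaviour the proposal asks for: the auditor's constraint (only cleared users may ever be added) holds, but nobody appears in the group until an owner adds them deliberately.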

There is already precedent for this kind of restriction in the form of Restrict membership by email; however, for most orgs this is not a viable way of restricting projects internally.

Edited by 🤖 GitLab Bot 🤖