Update enterprise users badge, filtering, and disabling 2FA to the new definition
Related to https://gitlab.com/groups/gitlab-org/-/epics/11886
Currently, the feature for disabling two-factor authentication for enterprise users works based on the old enterprise user definition ("Users created by SAML SSO or SCIM provisioning are enterprise users"). As part of the "Automatic claims of enterprise users" rollout, we introduced the new definition, which is based on domain verification; see the documentation: https://docs.gitlab.com/ee/user/enterprise_user/#automatic-claims-of-enterprise-users.
The goal of this issue is to make the feature for disabling two-factor authentication for enterprise users work based on the new definition. The UI for the feature is tightly coupled with the Enterprise badge and with filtering group members by the Enterprise option, as described in https://docs.gitlab.com/ee/user/enterprise_user/#disable-two-factor-authentication. We need to update the definition for those features simultaneously to prevent inconsistencies between the system behavior and the UI.
While working on the implementation MR, I noticed a few bugs and issues that should be resolved:
- Currently, group owners can filter members by the Enterprise option if SAML authentication is enabled for the group. While that could make sense with the old enterprise user definition, it is not correct for the new definition. The new definition is based on the group domain verification. There could be paid groups that do not use SAML at all but have their domain verified for automatic claims purposes. Group owners should be able to filter members by the 'Enterprise' option if the domain verification feature is available for the group.
- Currently, the badge is shown and the Enterprise filtering works if an enterprise user is a member of the top-level group. I see that currently, it is possible to filter by the Enterprise option on the subgroup level, too. It could lead to confusion for group owners since some enterprise users might be direct members of the subgroups they are filtering in but not members of the top-level group. I suggest allowing filtering members by the Enterprise option on top-level groups only. It will make clear that currently filtering members by Enterprise requires them to be members of the top-level group. We plan to build a separate page that will show a group's enterprise users regardless of whether they are members.
- Currently, group owners could disable 2FA for their enterprise users even after the group's subscription is canceled or expired. It is a bug since the docs say:
  > Enterprise users have user accounts that are administered by an organization that has purchased a GitLab subscription.
  >
  > If a group’s purchased subscription expires or is canceled, the group is not able to manage their enterprise users.
Disabling two-factor authentication for enterprise users should only be allowed for a group if the group's current subscription is GitLab Premium+ (supports the domain_verification feature).
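
The three checks described above, with the old gating beside the proposed gating, as an added example that is not GitLab's code or part of the original issue. The `Group` and `User` structs, their fields, the method names, and the plan list are all hypothetical simplifications.

```ruby
# Hypothetical, simplified models for illustration; not GitLab's classes or schema.
Group = Struct.new(:id, :parent_id, :plan, :subscription_active, :saml_enabled,
                   :owner_ids, keyword_init: true) do
  def top_level?
    parent_id.nil?
  end

  # Assumption: the feature is licensed on Premium and Ultimate, and only
  # while the subscription is current (not expired or canceled).
  def domain_verification_available?
    subscription_active && %w[premium ultimate].include?(plan)
  end
end

User = Struct.new(:id, :provisioned_by_group_id, :enterprise_group_id, keyword_init: true)

# Old definition: the filter is gated on SAML, and a user provisioned by the
# group's SAML SSO or SCIM counts as an enterprise user. Subscription state is ignored.
def old_filter_available?(group)
  group.saml_enabled
end

def old_can_disable_2fa?(group, actor_id, user)
  group.owner_ids.include?(actor_id) && user.provisioned_by_group_id == group.id
end

# New definition: the filter is offered on top-level groups that have the
# licensed feature; 2FA can be disabled only for users claimed by this group
# and only while the feature is still available.
def new_filter_available?(group)
  group.top_level? && group.domain_verification_available?
end

def new_can_disable_2fa?(group, actor_id, user)
  group.owner_ids.include?(actor_id) &&
    group.domain_verification_available? &&
    user.enterprise_group_id == group.id
end

# Constructed sample data: a paid group without SAML, a group whose
# subscription lapsed, and a subgroup of the paid group.
ACTIVE   = Group.new(id: 1, plan: "premium", subscription_active: true,  saml_enabled: false, owner_ids: [10])
EXPIRED  = Group.new(id: 2, plan: "premium", subscription_active: false, saml_enabled: true,  owner_ids: [20])
SUBGROUP = Group.new(id: 3, parent_id: 1, plan: "premium", subscription_active: true, saml_enabled: true, owner_ids: [10])
CLAIMED  = User.new(id: 100, enterprise_group_id: 1)
LAPSED   = User.new(id: 200, provisioned_by_group_id: 2, enterprise_group_id: 2)
```

With this data, the old check still lets the owner of `EXPIRED` disable 2FA for `LAPSED`, while the new check denies it and allows the operation only for `CLAIMED` in `ACTIVE`.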