Lock memberships to LDAP sync
As a company, we have our own access control (integrated with LDAP) to assign permissions. GitLab allows us to sync these permissions to GitLab roles using LDAP synchronizations.
There currently seems to be no secure way to prevent these synced permissions from being overridden: masters and owners can still add (or override) members. The lock membership feature is not useful here because it can be turned off.
This makes our business' access control less authoritative than we need it to be in order to stay compliant (for example, with SOX).
We'd like it to be possible to make the LDAP synchronizations fully authoritative for group and project membership. The only way to override membership synced by LDAP synchronizations should be by means of administrator intervention.
An option in GitLab that locks down membership of a group and its projects to LDAP synchronizations only.
Add this option to the "Visibility and access controls" section of the "General" area of the admin settings panel:
- Rename "LDAP group settings" to "LDAP settings".
- Add "Lock memberships to LDAP synchronizations" as a toggleable checkbox. This should default to false.
Like the existing "Allow group owners to manage LDAP-related group settings" option, both LDAP options should only be displayed if LDAP is configured.
When this lock is enabled, only an administrator should be able to: 1) add/remove members, 2) change the access level of existing members.
Only an administrator should be able to enable/disable the lock.
When this lock is enabled or disabled, log an audit event.
When this lock is enabled, we should remove all existing users added to projects/groups outside of LDAP. We should inform the admin enabling the lock that this will take place.
For groups without LDAP group sync enabled:
- Group Owners should not be able to add members manually to these groups. Instead, they should see an error.
- Instance administrators should be able to add members manually with the LDAP lock enabled.
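As an added illustration of the rules proposed above (example code, not GitLab's own implementation), the following Ruby model enforces the lock: only an administrator may toggle it, toggling writes an audit event, enabling it drops memberships that did not come from LDAP sync, and owners are refused membership changes while it is on. The `Member` struct, the `ldap` flag marking a synced membership and the actor hashes are assumptions for the example.

```ruby
# Added example, not GitLab code: a small model of the proposed
# "Lock memberships to LDAP synchronizations" instance setting.
Member = Struct.new(:username, :access_level, :ldap) # ldap: true if created by LDAP sync

class MembershipLockModel
  attr_reader :lock_enabled, :audit_log, :members

  def initialize(members, ldap_configured: true)
    @members = members
    @ldap_configured = ldap_configured
    @lock_enabled = false
    @audit_log = []
  end

  # The option is only shown in the admin panel when LDAP is configured.
  def lock_setting_visible?
    @ldap_configured
  end

  # Only an administrator may toggle the lock; every toggle is audited.
  # Enabling the lock also removes memberships not created by LDAP sync.
  def set_lock(enabled, actor:)
    raise "only an administrator may change the LDAP membership lock" unless actor[:admin]
    return if enabled == @lock_enabled

    @lock_enabled = enabled
    @audit_log << { actor: actor[:username],
                    event: enabled ? "ldap_membership_lock_enabled" : "ldap_membership_lock_disabled" }
    return unless enabled

    removed, @members = @members.partition { |m| !m.ldap }
    removed.each do |m|
      @audit_log << { actor: actor[:username], event: "member_removed_non_ldap", member: m.username }
    end
  end

  # Add/remove members or change access levels: administrators always may;
  # owners only while the lock is off (the normal role rules still apply).
  def may_manage_members?(actor)
    return true if actor[:admin]
    return false if @lock_enabled

    actor[:owner] == true
  end

  # Owners hitting the lock get an error instead of a silent no-op.
  def add_member(actor, member)
    raise "membership is locked to LDAP synchronization; ask an administrator" unless may_manage_members?(actor)

    @members << member
  end
end
```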