Consistency between Owner/Maintainer and who they can invite to a Group or Project
A large Self-Managed Premium customer has reported the following:
We discovered recently that at some point there has been a change in who can add members to a top-level group. In order to add members to a top-level group it appears that you now need to be either an Owner or a GitLab Administrator. For sub-groups and individual projects the Maintainer role is all that's required to invite members, so there's a contextual disconnect in how the role permissions operate.
Why we are interested: This is problematic because we want to give team leads/managers the ability to invite their own members to their groups but do not want to grant them all Owner role capabilities, which grant the ability to configure a ton of additional features without approval or following standards.
Current solution for this problem: DevOps has to invite members to the top-level groups or we have to grant users the Owner role at the top-level group.
How important to us: This is very important to us from a scalability and security perspective. We want to be able to empower development team leads/managers to invite members without needing to open tickets every time but also prevent the permission overkill of needing the Owner role of a top-level group just to do that.