Support Direct membership for Group Sync with same role

Proposal

With the current state of SAML Group Sync, we follow the following conventions:

Users granted:

  • A higher role with Group Sync are displayed as having direct membership of the group.
  • A lower or the same role with Group Sync are displayed as having inherited membership of the group.

This poses an issue when using with Merge Request Approval using Groups because of the following constraint. This renders inherited members unable to provide approval even though they are part of the group.

Inherited members are not considered approvers. Only direct members can approve merge requests.

We should consider supporting the following conventions instead which is similar with how we handle direct invites.