Assign custom role when sharing a group to a "project".

Problem to solve:

There is no support for mapping custom roles to groups who may be invited into a project. It is easier to apply these roles to user groups rather than one-by-one for a user.

Proposal

Assign custom roles when sharing groups into a project.

Permission Evaluation Criteria

See criteria on this issue.

Related issue

Sharing a group into a group: Assign custom role when sharing a group to a "g... (#443369)

cloned from #443369

changed milestone to %17.2

added Category:Permissions OKR2 auto-report backend customer devopsgovern groupauthorization priority1 sectionsec workflowin dev labels

set weight to 5

assigned to @hmehra

added to epic &13472

changed title from Assign custom role when sharing a group to another group to Assign custom role when sharing a group to a project

changed the description

marked this issue as related to #443369

removed workflowin dev label

added workflowready for development label

@jrandazzo, thank you for moving this issue to workflowready for development.

Please add a type:: label to indicate the work type classification.

This message was generated automatically. You're welcome to improve it.

removed the relation with #443369

marked this issue as blocked by #443369

removed milestone %17.2

mentioned in issue #443369

added typefeature label

added workflowscheduling label and removed typefeature workflowready for development labels

unassigned @hmehra

removed auto-report label

removed health status needs attention

Dropping auto-report and Health status as they came over from cloned issue: Assign custom role when sharing a group to a "g... (#443369)

mentioned in issue #448645

mentioned in issue gitlab-org/govern/authorization/team-tasks#45

added priority2 label and removed priority1 label

mentioned in issue gitlab-org/govern/authorization/team-tasks#51

The following customer is interested in this capability

• Subscription: GitLab Ultimate
• Product: gitlab.com
• Link to request: https://gitlab.my.salesforce.com/0016100000K9ODkAAN
• Priority: customer priority10
• Why interested: We utilise Azure AD SAML group linking for adding members to team groups, and then share these team groups back up the hierarchy. (Gong call snippet - internal only)
• Problem they are trying to solve: They are limited to the standard roles when sharing a group to a project.
• Current solution for this problem: None.
• Impact to the customer of not having this: Unable to adopt custom roles as it is not compatible with their workflow for delegating access. A key driver for needing custom roles is the "admin vulnerability" permission that was recently removed from the developer built-in role, which their teams require for certain security and compliance workflows.
• Questions:
  • Would sharing a group to another group be in scope for this issue or is it separate?
• PM to mention: @jrandazzo

Hey @cguitarte - Thanks for ping and sharing their use case! This issue will be a separate implementation/release than the one you linked which can be followed here: Assign custom role when sharing a group to a "g... (#443369).

changed milestone to %Next 1-3 releases

changed title from Assign custom role when sharing a group to a project to Assign custom role when sharing a group to a PROJECT

Adoption blocked by lack of support here: #443369 (comment 2181752658)

The following customer is interested in this capability for group and project level

• Subscription: GitLab Ultimate
• Link: https://gitlab.my.salesforce.com/0016100001Eo2mb?srPos=0&srKp=003
• Product: gitlab.com
• Priority: customer priority6
• This is causing service degradation as customer is not able to structure their organizations effectively.
• PM to mention: @jrandazzo
• CSM to mention: @rasheed
• Reference: #443369 (comment 2170089622)

The following customer is interested in this capability

• Subscription: GitLab Ultimate
• Product: ~Self Managed
• Link to request: https://gitlab.my.salesforce.com/0016100000sPtxlAAC
• Priority: customer priority10

assigned to @eugielimpin

added workflowin dev label and removed workflowscheduling label

changed milestone to %17.7

added permissionscustom roles label

added priority1 label and removed priority2 label

added typefeature label

mentioned in issue gitlab-org/govern/authorization/team-tasks#90

mentioned in issue gitlab-com/Product#13748 (closed)

The following customer is interested in this capability

• Subscription: GitLab Ultimate
• Product: self-managed
• Link to request: https://gitlab.lightning.force.com/lightning/r/00161000002xBdkAAE/view
• Priority: customer priority8
• Questions: @jrandazzo, can you confirm the following? It seems like the current behavior when inviting a group to a group/project is that if the group member has a custom role in the group, they will have the custom role in the group/project invited to as well. Could you confirm if that's the expected behavior for now? (i.e. if we don't turn on the feature flag described in https://docs.gitlab.com/ee/user/custom_roles.html#assign-a-custom-role-to-an-invited-group)

@cbazan1 I believe they are encountering a bug if the feature flag is not turned on. I created an issue to track the experience: #504148. @hmehra Does this bug occur when the feature flag is turned on? cc @eugielimpin in case you stumble in to this.

@jrandazzo the possible bug I saw is when the feature flag is enabled. I started a discussion about it on Slack (internal).

For posterity:

1. Group A has member User A with role Developer+read_code
2. Group B invites Group A and assigns Developer+read_vulnerability role
3. User A has role Developer+read_code (instead of Developer+read_vulnerability) in Group B

The effect of this can actually be seen in the example scenario above (assuming that is the correct expectation) i.e. Joe will have Developer Lead role in Front-end Project instead of Platform Engineer.

@eugielimpin in that above scenario, User A has the right permission in Group B. If the base access level of the two roles matches, then the role they had in Group A will carry.

Originally, we had the opposite but it resulted in billing issues (because Guest + read_code is not a billable role). So, we had to change this.

@cbazan1 I would recommend turning the assign_custom_roles_to_group_links_sm feature-flag on to resolve the bug. That will take into account custom roles when inviting groups.

mentioned in issue #504148

removed the relation with #443369

marked this issue as related to #443369

@jrandazzo could you confirm that this feature follows the rules in Assign a custom role to an invited group (only difference is that the invite is to a project instead of a group)?

@eugielimpin That's correct - this feature covers sharing a group into a project while the issue @hmehra worked on covers sharing a group into a group. I cleared up the issue descriptions to better reflect this. The rules outlined on the table you linked should apply to both features.