Assign custom role when sharing a group to a PROJECT
Problem to solve:
There is no support for mapping custom roles to groups that may be invited into a project. It may be easier to apply these roles to user groups than to users one by one.
Proposal
Allow custom roles to be assigned to groups.
How would the max role assignment be applied for groups? Take the scenario:
Custom Role
- Platform Engineer: Developer + Manage CI/CD Variables + Manage Tokens
- Developer Lead: Developer + Manage Merge Requests
User Groups
- SRE Group
  - Kate - Assigned Owner
  - Joe - Assigned Custom Role: Developer Lead
  - Mark - Assigned Custom Role: Platform Engineer
- Developers Group
  - Sarah - Assigned Custom Role: Developer Lead Role
  - Bob - Assigned Developer
  - Dev Users - Assigned Developer Role
- QA Group
  - QA Users - Assigned Reporter
Group/Projects
- Group A
  - Bob - Assigned Owner Role
  - Front-end Project
    - Invite SRE Group with Max Role of Platform Engineer
    - Invite Developers Group with Max Role of Developer
- Front-end Project
  - Bob - Assigned Owner Role
Permission Result for Front-end Project
| User | Permission Result |
|---|---|
| Kate | Platform Engineer |
| Joe | Platform Engineer |
| Mark | Platform Engineer |
| Sarah | Developer |
| Bob | Owner |
Permission Evaluation Criteria
- The inheritance between parent group and project.
- The more restrictive of the two roles during group invite (Comment from @alexbuijs):
  interpret 'the more restrictive of the two roles' as follows:
  - the role with the lowest base access level vs static role is the Max role. This can be either a custom role or a static role
  - when one role is a custom role with the same base access level as the other static role, then the static role is the Max role
  - when both roles are custom roles with the same base access level, choose the inviting role as the Max role
UI Verification
- Source is reflected accurately on the Member's Page of a project. This can be either the inherited group or invited group.
Alternatives
- Set up SAML Group sync with your users mapped to a group
- Not supported but on roadmap: LDAP Group Sync
Edited by Joe Randazzo
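
The Permission Evaluation Criteria applied to the Front-end Project scenario, as an added example that is not part of the original issue and not GitLab's implementation. The `Role` struct, `max_role`, `project_roles` and the constants are hypothetical names; the rule that the highest base level wins across sources is an assumption inferred from the Bob row of the table.

```ruby
# Added example: a hypothetical model of the rules, not GitLab's code.
# Numeric levels are GitLab's static access levels.
BASE = { reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Role = Struct.new(:name, :base, :custom) do
  def level
    BASE.fetch(base)
  end
end

PLATFORM_ENGINEER = Role.new('Platform Engineer', :developer, true)
DEVELOPER_LEAD    = Role.new('Developer Lead', :developer, true)
OWNER             = Role.new('Owner', :owner, false)
DEVELOPER         = Role.new('Developer', :developer, false)

# member_role: role held inside the invited group.
# invite_role: Max Role chosen when the group was invited to the project.
def max_role(member_role, invite_role)
  pair = [member_role, invite_role]
  # Rule 1: the lowest base access level wins, custom or static.
  return pair.min_by(&:level) if member_role.level != invite_role.level
  # Rule 2: same base level, one custom and one static: the static role.
  return pair.find { |r| !r.custom } if member_role.custom != invite_role.custom
  # Rule 3: two custom roles on the same base level: the inviting role.
  invite_role
end

# Constructed data mirroring the scenario on this page.
GROUPS = {
  'SRE Group' => { 'Kate' => OWNER, 'Joe' => DEVELOPER_LEAD, 'Mark' => PLATFORM_ENGINEER },
  'Developers Group' => { 'Sarah' => DEVELOPER_LEAD, 'Bob' => DEVELOPER }
}.freeze
INVITES   = { 'SRE Group' => PLATFORM_ENGINEER, 'Developers Group' => DEVELOPER }.freeze
INHERITED = { 'Bob' => OWNER }.freeze # Owner of parent Group A

def project_roles
  found = Hash.new { |h, k| h[k] = [] }
  INHERITED.each { |user, role| found[user] << role }
  INVITES.each do |group, invite_role|
    GROUPS.fetch(group).each { |user, role| found[user] << max_role(role, invite_role) }
  end
  # Assumption: across sources the highest base level wins (the Bob row).
  found.transform_values { |roles| roles.max_by(&:level).name }
end

project_roles.sort.each { |user, role| puts "#{user} | #{role}" }
```

Kate's row is the least-privilege case to watch: her Owner role in the SRE Group is capped by the invite, so a change to `max_role` that lets the member role win would silently grant Owner on the project.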