Prevent group owners from bypassing instance-level setting on who can create projects in a group

Proposal

Currently, it is possible for an instance admin to define which roles can create projects within a group on an instance level. This can be based on role, or limited to only administrators or no one on the instance. From the documentation and the UI, users would believe that this setting would be instance-wide and not able to be bypassed.

Group owners have the ability to specify who can add projects to a group. With this option, owners can set the minimum role required to create projects within that group to a role that is lower than the instance-wide setting.

There should be a mechanism in place to prevent group owners from changing the minimum role required to create projects to a role that is lower than the instance setting configured by the instance admins. Alternatively, there could be a setting on the instance configuration that would allow for group owners to bypass this setting, but by default it should not be able to be bypassed.

Current Behaviour

Admin settings

image

Group owner settings (group-level settings)

image

In this case, the group owner was able to bypass this setting by allowing Developers to create projects. A Developer was able to create a project in this group regardless of the instance setting being configured for admins only.
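
A sketch of the mechanism the proposal asks for, added here as an illustration and not taken from GitLab's code base: the instance setting acts as a floor, a group-level change below it is rejected unless an opt-in override is enabled, and existing groups can be audited for drift. The level names, their ordering, the method names and the sample groups are all assumptions made for this example.

```ruby
# Added illustration; names and the ordering below are assumptions, not GitLab's code.
# Restrictiveness rank of each "who can create projects" option: higher = stricter.
RANK = {
  developer: 0,      # Developers and above
  maintainer: 1,
  owner: 2,
  administrator: 3,  # instance administrators only
  noone: 4
}.freeze

# Validate a group owner's requested level against the instance floor.
# allow_group_override models the proposal's opt-in instance setting (off by default).
def validate_group_level(instance_level, requested, allow_group_override: false)
  raise ArgumentError, "unknown level" unless RANK.key?(instance_level) && RANK.key?(requested)
  return :ok if allow_group_override
  RANK[requested] >= RANK[instance_level] ? :ok : :rejected_below_instance_floor
end

# Level actually enforced at project creation: the stricter of the two settings.
def effective_level(instance_level, group_level, allow_group_override: false)
  return group_level if allow_group_override
  [instance_level, group_level].max_by { |level| RANK.fetch(level) }
end

# Enforcement check at creation time, so a weak value already stored on a
# group cannot be used even if it was saved before validation existed.
def can_create_project?(user_role, instance_level, group_level,
                        instance_admin: false, allow_group_override: false)
  actor_rank = instance_admin ? RANK[:administrator] : RANK.fetch(user_role)
  required = effective_level(instance_level, group_level,
                             allow_group_override: allow_group_override)
  actor_rank >= RANK.fetch(required)
end

# Audit: paths of groups whose stored level is weaker than the instance floor.
def groups_bypassing(instance_level, groups)
  groups.select { |g| RANK.fetch(g[:level]) < RANK.fetch(instance_level) }
        .map { |g| g[:path] }
end

# Constructed sample data for the audit.
GROUPS = [
  { path: "platform", level: :developer },
  { path: "security", level: :noone },
  { path: "data", level: :maintainer }
].freeze
```

Checking at both points matters: validation stops new weak settings from being saved, while the creation-time check covers groups that were configured before the floor was enforced.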