Group membership activity tracking
Problem
Groups in GitLab have a significant gap in activity display for membership events, creating inconsistency and limiting audit capabilities:
-
Groups don't track their own membership changes - When users join, leave, or are removed from a group, these events are not recorded in the group's activity feed (see #18643 (closed))
-
Missing audit trail for compliance - No visibility into who invited/removed users, when memberships expired, or when users deleted their accounts (see #395637 (closed))
-
Feature parity gap - Projects successfully track member joined/left/expired events, but groups lack this entirely, creating an inconsistent user experience (see #520495)
Impact
- Compliance managers cannot maintain proper audit trails for group access
- Group owners lack visibility into membership changes over time
- Security teams cannot track unauthorized access patterns or suspicious membership activities
- Users experience confusion due to inconsistent behavior between project and group activity pages
Proposed Solution
Implement Complete Membership Event Tracking for Groups
Add the following events to group and project activity feeds:
Note: Some of the project level events exist, but are incomplete and do not list the name of the project that was joined, for example.
| Event Type | Details to Include | Priority |
|---|---|---|
| Member Joined Project | User name, project name, inviter (if applicable), access level, timestamp | High |
| Member Left Project | User name, project name, whether voluntary or removed, remover (if removed), timestamp | High |
| Member Expired in Project | User name, project name, original access level, expiration date | High |
| Member Access Changed in Project | User name, project name, old level → new level, who made change | Medium |
| Member Invited to Project | User email/name, project name, inviter, access level, invitation date | High |
| Member Joined Group | User name, group name, inviter (if applicable), access level, timestamp | High |
| Member Left Group | User name, group name, whether voluntary or removed, remover (if removed), timestamp | High |
| Member Expired in Group | User name, group name, original access level, expiration date | High |
| Member Access Changed in Group | User name, group name, old level → new level, who made change | Medium |
| Member Invited to Group | User email/name, group name, inviter, access level, invitation date | High |
| Account Deleted | Former user identifier, deletion date | Medium |
| Group Joined Group | Group name, inviting group, access level, timestamp | High |
| Group Joined Project | Group name, inviting project, access level, timestamp | High |
| Group Left Group | Group name, inviting group name, whether voluntary or removed, remover (if removed), timestamp | High |
| Group Left Project | Group name, inviting project name, whether voluntary or removed, remover (if removed), timestamp | High |
| Group Access Expired | Group name, original access level, expiration date | High |
| Group Access Changed | Group name, old level → new level, who made change | Medium |
Display Consistency
- Mirror the existing "Team" tab functionality from projects
- Show events in the same format:
"@username joined the group (invited by @inviter)" - Include these events in:
- Group activity page
- Project activity page
- Your work activity feed (when user is group member)
Privacy & Permissions
- Public groups: Show join/leave events but not the actor who invited/removed
-
Private groups:
- Members see full details including who invited/removed
- Non-members see nothing
Benefits
- Complete audit trail for compliance and security requirements
- Feature parity between projects and groups
- Better visibility for group owners to manage their teams
- Consistent UX across all GitLab activity pages
Note: All of the events listed above are available as audit events.