Extend Group Sharing Restrictions to Merge Request Approval Rules
Problem to solve
GitLab SaaS customers can configure their top-level group to prevent external groups (groups outside their hierarchy) from being invited to projects and subgroups using the setting "Members cannot invite groups outside of [group_name] and its subgroups". However, this restriction does not extend to merge request approval rules. External groups and their members can still be designated as approvers in merge request approval rules, creating a security and governance gap.
Current Behavior
When a group owner enables the setting to prevent inviting groups outside the hierarchy (documentation):
- ✅ Projects cannot invite external groups for general access
- ✅ Subgroups cannot invite external groups for membership
- ❌ Projects can still add external groups and their members as approvers in merge request approval rules
This means that while external members cannot be granted general project access, they can still be given approval authority over code changes, which may violate organizational security and compliance policies.
Desired Behavior
When the group-level restriction "Members cannot invite groups outside of [group_name] and its subgroups" is enabled, the same restriction should automatically apply to merge request approval rules. Specifically:
- When adding groups to approval rules: Only groups within the hierarchy should be available for selection as approvers
- When adding individual users to approval rules: Only users who are members of groups within the hierarchy should be available for selection as approvers
- Enforcement: Any attempt to add external groups or users to approval rules should be blocked with a clear error message explaining the restriction
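Until the restriction is enforced by GitLab itself, a group owner can at least detect the gap. The following is an added audit example, not GitLab's own code: it runs offline over constructed data shaped like the GitLab REST payloads for groups (`full_path`) and project approval rules (`groups`, `users`), so it could later be pointed at real responses from `GET /projects/:id/approval_rules`. The set of "internal" user ids is supplied by the caller (for example collected from the hierarchy's membership listing); the function names `in_hierarchy` and `find_external_approvers` are this example's own.

```python
"""Audit merge request approval rules for approvers outside a group hierarchy.

Added example, not GitLab code. Input shapes mirror the GitLab REST API
(groups carry `full_path`, approval rules carry `groups` and `users`), but
all data below is constructed inline so the check runs offline.
"""
from typing import Dict, Iterable, List, Set


def in_hierarchy(group_full_path: str, top_level: str) -> bool:
    """True if the group is the top-level group or one of its subgroups.

    GitLab subgroup paths are prefixed by the parent's full_path, e.g.
    'acme/platform/security' sits inside 'acme'. A plain prefix test would
    wrongly accept a sibling top-level group such as 'acme-contractors', so
    require either the exact path or a '/' boundary after it.
    """
    return group_full_path == top_level or group_full_path.startswith(top_level + "/")


def find_external_approvers(top_level: str,
                            rules: Iterable[Dict],
                            internal_user_ids: Set[int]) -> List[Dict]:
    """Return one finding per approver that falls outside the hierarchy.

    Each finding is {"rule": <rule name>, "kind": "group"|"user", "name": ...}.
    Groups are judged by path; users are judged against the caller-supplied
    set of ids that are members somewhere inside the hierarchy.
    """
    findings: List[Dict] = []
    for rule in rules:
        for group in rule.get("groups", []):
            if not in_hierarchy(group["full_path"], top_level):
                findings.append({"rule": rule["name"], "kind": "group",
                                 "name": group["full_path"]})
        for user in rule.get("users", []):
            if user["id"] not in internal_user_ids:
                findings.append({"rule": rule["name"], "kind": "user",
                                 "name": user["username"]})
    return findings


# Constructed sample data (not from any real GitLab instance).
TOP_LEVEL = "acme"
# Assumed to have been gathered from the hierarchy's membership listing.
INTERNAL_USER_IDS = {11, 12, 13}
SAMPLE_RULES = [
    {"name": "Security review",
     "groups": [{"id": 1, "full_path": "acme/security"}],
     "users": [{"id": 11, "username": "alice"}]},
    {"name": "Vendor sign-off",
     "groups": [{"id": 7, "full_path": "vendorco/qa"},
                {"id": 8, "full_path": "acme-contractors"}],
     "users": [{"id": 99, "username": "mallory"}]},
]


def audit_sample() -> List[Dict]:
    """Run the check over the constructed sample rules."""
    return find_external_approvers(TOP_LEVEL, SAMPLE_RULES, INTERNAL_USER_IDS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"rule '{finding['rule']}': external {finding['kind']} {finding['name']}")
```

Running it over the sample reports the two external groups and the external user attached to the "Vendor sign-off" rule, and nothing for "Security review". The `'/'` boundary in `in_hierarchy` is the detail worth keeping when adapting this: it is what stops a sibling group whose path merely begins with the same letters from being treated as a subgroup.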
Proposal
- Option 1: Automatic Extension - When "Members cannot invite groups outside of [group_name] and its subgroups" is enabled, automatically apply the same restriction to approval rules. External groups and their members would be blocked from being designated as approvers in merge request approval rules.
- Option 2: Separate Toggle - Add a companion setting under Settings > General > Permissions and group features:
- ☐ Approval rules cannot include members or groups from outside of [group_name] and its subgroups
- This would give administrators explicit control over approval rule restrictions independently from general group sharing, preventing external users and groups from being added as approvers.
- Option 3: Merge Request Approval Policy Enhancement (Ultimate Tier) - For Ultimate customers, this could be enhanced through merge request approval policies to provide granular control over which users and groups can be approvers based on membership source.