GitLab.org / GitLab / Issues / #7297

Allow restricting group members by a domain whitelist

Problem to solve

Currently, members can be added to our group, its subgroups or its projects using any valid gitlab.com account.

We want users to only be able to invite new members whose email is on a whitelist of domains managed by the group owner. This ensures that no one outside our company (or our clients') is added to our group. It also ensures that any employee added is registered with their corporate email account rather than a personal one, so that when their corporate email account becomes inactive they lose access to GitLab.

Further details

The use case: we regularly add users to GitLab, and it's easy to mistakenly add the wrong account to the group (e.g. a personal account, or simply selecting the wrong account from the autocomplete box).

Ideally we'd also be able to restrict members to federated login (e.g. Google Sign-in), so that when their corporate Google Apps account becomes inactive they will no longer be able to access GitLab.

Solution

Settings

[Screenshot: group settings]

We will add this new setting under the Permissions, LFS and 2FA section of the group's General Settings. We will add a new text input with the following attributes:

  • Title: Restrict membership by email
  • Placeholder: Enter domain
  • Help text: Only users with an email address in this domain can be added to the group. Example: *@gitlab.com. Some common domains are not allowed. Read more
  • Link to documentation TBD

Common domains

[Screenshot: group settings, domain not allowed]

We will not allow users to restrict membership to common domains like gmail.com, outlook.com, yahoo.com, etc. These domains will be listed in the docs. When the user enters one of these domains, the page will show an inline error on refresh after the user presses the Save button (see the screenshot above).

Inviting new members by email

When inviting new members to the group via email, we will validate addresses directly on the frontend:

[Screenshots: invite by email, right domain / wrong domain]

If the address the user entered doesn't belong to the right domain, the dropdown row will be greyed out and a warning line will be added:

This email address cannot be invited because it's not in the *@gitlab.com domain

Adding existing users

[Screenshots: add members, right domain / wrong domain]

For adding existing users we will use the same interface we use now. We will simply change the help text under the main text field to inform users of the domain restriction:

Search for existing users or invite new ones using their email address. New members must have an email address in the *@gitlab.com domain.

When the user clicks the Add to group button, the backend will check whether the users can be added to the group. If any of the specified users could not be added to the group, they will show up in the text field upon refresh, and an inline error message will be attached:

These users were not added because their email addresses are not in the right domain

Original proposal

  • Allow entering a whitelist of member domains in the group settings, configurable by Owners.
  • Only members with primary emails that match the defined mask can be added to the group. Other members should return an error.
  • Only matching members should be displayed as results in the member autocomplete.

For the first iteration, we'll leave existing members that do not meet the whitelist in the group. The whitelist should apply only to new members.
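As an added illustration of the behaviour described in the Solution section and the original proposal (this is not GitLab's own code; the DomainRestriction module and its method names are hypothetical), the following validator parses the *@domain setting, refuses common domains, and checks each user's primary email against the exact domain. The check lives on the backend: the frontend validation on the invite form is a usability aid, and only the server-side check on "Add to group" actually enforces the restriction.

```ruby
# Added example (not GitLab's own code); DomainRestriction and its methods are
# hypothetical names for the behaviour this issue describes.
require 'set'

module DomainRestriction
  # Consumer domains the setting must refuse. The issue says the real list will
  # live in the docs; this is a constructed sample.
  COMMON_DOMAINS = Set.new(%w[gmail.com outlook.com yahoo.com hotmail.com]).freeze

  # A registrable domain: labels of letters, digits and hyphens, at least one dot.
  DOMAIN_PATTERN = /\A[a-z0-9-]+(\.[a-z0-9-]+)+\z/

  # Validates the "Restrict membership by email" setting on Save. Accepts either
  # "gitlab.com" or the "*@gitlab.com" form from the help text and returns
  # [domain, nil] on success or [nil, error_message] for the inline error.
  def self.validate_setting(value)
    domain = value.to_s.downcase.gsub(/\s+/, '').sub(/\A\*@/, '')
    return [nil, 'Enter domain'] if domain.empty?
    return [nil, "#{domain} is not a valid domain"] unless domain.match?(DOMAIN_PATTERN)
    return [nil, "#{domain} is a common domain and cannot be used"] if COMMON_DOMAINS.include?(domain)
    [domain, nil]
  end

  # True only when the address's domain equals the restriction exactly, so
  # "alice@gitlab.com.evil.example" and "alice@sub.gitlab.com" are rejected.
  def self.allowed_email?(email, domain)
    local, at, email_domain = email.to_s.strip.rpartition('@')
    return false if at.empty? || local.empty? || email_domain.empty?
    email_domain.downcase == domain
  end

  # Backend check for "Add to group": each user is a hash with :primary_email
  # (the proposal matches on primary emails only). Returns [added, rejected]
  # so the rejected users can be listed in the inline error.
  def self.partition_users(users, domain)
    users.partition { |u| allowed_email?(u[:primary_email], domain) }
  end
end
```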

What does success look like, and how can we measure that?

  • Success would mean increased security for corporate GitLab projects.

Links / references

Edited May 27, 2019 by Chris Peressini