Allow restricting group members by a domain whitelist
Problem to solve
Currently, members can be added to our group, its subgroups, or its projects using any valid gitlab.com account.
We want users to be able to invite new members only if their email is on a whitelist of domains managed by the group owner. This ensures that no one outside our company (or our clients') is added to our group. It also ensures that any employee added is registered with their corporate email account rather than a personal one, so that when their corporate email account becomes inactive they lose access to GitLab.
Further details
The use case for this is that we regularly add users to GitLab. It's easy to mistakenly add the wrong account to the group (e.g. a personal account, or simply selecting the wrong account from the autocomplete box).
Ideally we'd also be able to restrict members to federated login (e.g. Google Sign-in), so that when their corporate Google Apps account is deactivated they will no longer be able to access GitLab.
Solution
Settings
We will add this new setting under the Permissions, LFS and 2FA section in Group General Settings. We will add a new text input with the following attributes:
- Title: Restrict membership by email
- Placeholder: Enter domain
- Help text: Only users with an email address in this domain can be added to the group. Example: `*@gitlab.com`. Some common domains are not allowed. Read more
- Link to documentation TBD
Common domains
We will not allow users to restrict membership to common domains such as gmail.com, outlook.com, yahoo.com, etc. These domains will be listed in the docs. When the user enters one of these domains, the page will show an inline error on refresh after the user presses the Save button.
Inviting new members by email
When inviting new members to the group via email, we will validate addresses directly on the Frontend:
(Mockups: Right domain / Wrong domain)
If the address the user entered doesn't belong to the right domain, the dropdown row will be greyed out and a warning line will be added:
This email address cannot be invited because it’s not in the *@gitlab.com domain
Adding existing users
(Mockups: Right domain / Wrong domain)
For adding existing users we will use the same interface we use now. We will simply change the help text under the main text field to inform users of the domain restriction:
Search for existing users or invite new ones using their email address. New members must have an email address in the *@gitlab.com domain.
When the user clicks the Add to group button, the backend will check whether the users can be added to the group. If any of the specified users could not be added to the group, they will show up in the text field upon refresh, and an inline error message will be attached:
These users were not added because their email addresses are not in the right domain
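As an added illustration (not GitLab's own code), here is the mask handling from the Settings section and the backend membership check from the Adding existing users section, in Ruby. The list of common mail providers is constructed for the example, and matching an email against `*@domain` is assumed to require the exact domain (subdomains and look-alike domains do not match).

```ruby
# Added example, not GitLab's implementation. Masks use the "*@domain" form from
# the proposal; common mail providers are rejected at save time; an email is
# allowed only when its domain is exactly an allowed domain (case-insensitive),
# so "user@gitlab.com.example.net" or "user@notgitlab.com" never match "*@gitlab.com".
# Constructed list for the example; the real list would live in the docs (assumption).
COMMON_DOMAINS = %w[gmail.com outlook.com yahoo.com hotmail.com].freeze

# Accepts "*@" followed by a dotted hostname, nothing else.
MASK = /\A\*@([a-z0-9-]+(?:\.[a-z0-9-]+)+)\z/

class DomainAllowlist
  class InvalidMask < StandardError; end

  attr_reader :domains

  # Parses masks such as "*@gitlab.com"; raises on malformed or common-provider masks.
  def initialize(masks)
    @domains = masks.map { |m| parse(m) }.freeze
  end

  # True when the address's domain is exactly one of the allowed domains.
  # Callers should pass the user's verified primary email, as the proposal says.
  def allowed?(email)
    domain = email.to_s.strip.downcase.split("@", 2)[1]
    return false if domain.nil? || domain.empty?

    @domains.include?(domain)
  end

  # Backend-style check for the "Add to group" flow: takes {username => primary_email}
  # and returns the usernames that could not be added (empty when all are allowed).
  def rejected(members)
    members.reject { |_user, email| allowed?(email) }.keys
  end

  private

  def parse(mask)
    m = MASK.match(mask.to_s.strip.downcase)
    raise InvalidMask, "expected *@domain, got #{mask.inspect}" unless m
    raise InvalidMask, "#{m[1]} is a common mail provider" if COMMON_DOMAINS.include?(m[1])

    m[1]
  end
end
```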
Original proposal
- Allow entering a whitelist of member domains in the group settings, configurable by Owners.
- Only members with primary emails that match the defined mask can be added to the group. Other members should return an error.
- Only matching members should be displayed as results in the member autocomplete.
For the first iteration, we'll leave existing members that do not meet the whitelist in the group. The whitelist should apply only to new members.
What does success look like, and how can we measure that?
- Success would mean increased security for corporate GitLab projects.