Draft: SAML Group Lock settings for Self Managed
What does this MR do and why?
Solves #386390 (closed)
With this change I have introduced Policy changes to disallow any group members other than Admin or Top level group owners to add new members to a group in case it's a subgroup of a Group that has SAML Group Links Configured.
For project policy also changes have been made when Users are not allowed to share a project with other groups or invite members to a project created in a group.
Screenshots
A new option for Lock Memberships for SAML Synchronization is added in Group>Settings>General>Permissions and group features
Steps to Verify
- Login to the application as root user.
- Enable SSO and enter some SAML Group Links for a group. I did this for Twitter group in my gdk setup.
- Create a new group and assign the group one more owner. Transfer this group as child group for the group you set up in step 2, in my case child group for Twitter group.
- Go to menu Group > Settings > Permissions and group features and enable setting Lock Memberships to SAML Synchronization.
- Observe as you login to application as the owner of the child group. You cannot Invite Members to the group.
- Observe as you login as root user or owner of the parent group to the application you can invite members to the group.
Screenshot for Invite Members button being visible in case setting is not enabled

Screenshot for Invite Members button being removed in case setting is enabled
Edited by Smriti Garg

