Add context regarding Guest seat usage for custom roles

Ben King requested to merge benjaminking-update-custom-roles-doc into master

What does this MR do and why?

Custom roles provide the ability for group members to be given specific access beyond the usual scope of access assigned by their membership. The most common examples are:

  • "Guest+1", which allows a Guest role to view code (controlled by: read_code)
  • From 16.1, a custom role which can view and change vulnerability reports (controlled by: read_vulnerability & admin_vulnerability). This is also often assigned to a Guest user.

As it stands, the code permits the first example without any changes made to how we consider a user as "Billable" (for Self-Managed), or "Using a Seat" (for SaaS).

When providing Vulnerability Report access, any Guest users who receive this custom role now begin to use a seat. This seems to be intended as shown in this MR where we consider anything except read_code as 'elevated' in terms of permissions, so the Guest member should now be using a seat.

This merge request aims to provide explanatory text so that users are aware of the potential costs before enabling custom roles. This customer appears to have been caught out by this, and is being billed an additional seat on GitLab.com.

It is important to note the current status of this behaviour, as it is hidden by a feature flag (elevated_guests):

The above behaviour means customers are already experiencing this on SaaS, but Self-Managed users will not have their 'Billable Users' value change until the feature flag is either enabled, or the code modified to have this change permanently enforced.

Question to TW Reviewer: Should we put in text that indicates this is not currently subject to Self-Managed instances, but is expected to be in an upcoming release?

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
