Allow subgroup owner to query SAML users
What does this MR do and why?
Resolves issue identified as part of feature flag rollout of group_user_saml - #434464 (comment 1712933262). Original feature issue: https://gitlab.com/gitlab-org/gitlab/-/issues/424505
Based on discussion here and in the issue, there is a desire to decouple this feature from existing permissions. Users should not have permission to query SAML users solely based on membership at a subgroup level. This change adds a new :read_saml_user permission that is contingent upon a subgroup member's ability to manage members of the subgroup (owner only, currently). If a user can manage members at a subgroup level then they can query SAML users when SSO is enforced.
This has a frontend component in !142920 (merged). Right now this MR is dependent on !142920 (merged) because I incorporated those changes into my branch for testing. But ultimately order doesn't matter because the feature is currently behind a disabled feature flag. We will test thoroughly before and after flag rollout.
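The authorization rule described above, as an added illustration that is not GitLab's own code: a stand-in for a DeclarativePolicy class in which `:read_saml_user` is derived from the ability to manage members (owner only in this model) rather than from plain membership, and is only granted while SSO is enforced on the group hierarchy. The `Group`, `Membership`, access-level values and the `saml_provider` hash with an `enforced_sso` key are all assumptions made for the example.

```ruby
# Added illustration (not GitLab's code). Models the permission rule from the MR:
# :read_saml_user is contingent on admin_group_member (owner only) and on SSO enforcement.

# Access levels, loosely following GitLab's ordering (assumption; values are illustrative).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Membership = Struct.new(:user, :group, :access_level)

class Group
  attr_reader :name, :parent, :memberships, :saml_provider

  # saml_provider: assumed hash such as { enforced_sso: true }; only meaningful on the root group.
  def initialize(name, parent: nil, saml_provider: nil)
    @name = name
    @parent = parent
    @saml_provider = saml_provider
    @memberships = []
  end

  def root
    parent ? parent.root : self
  end

  def add_member(user, level)
    memberships << Membership.new(user, self, ACCESS_LEVELS.fetch(level))
  end

  # Highest access a user holds here or on any ancestor (membership is inherited downward).
  def max_access_for(user)
    own = memberships.select { |m| m.user == user }.map(&:access_level).max || 0
    inherited = parent ? parent.max_access_for(user) : 0
    [own, inherited].max
  end

  # SSO enforcement lives on the root group's SAML provider (assumption mirroring the MR text).
  def sso_enforced?
    provider = root.saml_provider
    provider.is_a?(Hash) && provider[:enforced_sso] == true
  end
end

# Minimal stand-in for a policy class.
module GroupPolicy
  module_function

  # Managing members is owner-only in this model ("owner only, currently" per the MR).
  def admin_group_member?(user, group)
    group.max_access_for(user) >= ACCESS_LEVELS[:owner]
  end

  # The new permission: derived from admin_group_member, never from plain membership,
  # and only while SSO is enforced for the hierarchy the group belongs to.
  def read_saml_user?(user, group)
    group.sso_enforced? && admin_group_member?(user, group)
  end

  def can?(user, ability, group)
    case ability
    when :admin_group_member then admin_group_member?(user, group)
    when :read_saml_user then read_saml_user?(user, group)
    else false
    end
  end
end

# Constructed scenario: one SSO-enforced hierarchy and one without enforcement.
def build_scenario
  root = Group.new("acme", saml_provider: { enforced_sso: true })
  sub = Group.new("acme/platform", parent: root)
  no_sso_root = Group.new("other")
  no_sso_sub = Group.new("other/team", parent: no_sso_root)
  root.add_member("root_owner", :owner)
  sub.add_member("sub_owner", :owner)
  sub.add_member("sub_dev", :developer)
  no_sso_sub.add_member("nosso_owner", :owner)
  { root: root, sub: sub, no_sso_sub: no_sso_sub }
end

if __FILE__ == $PROGRAM_NAME
  g = build_scenario
  puts "subgroup owner, SSO enforced:      #{GroupPolicy.can?('sub_owner', :read_saml_user, g[:sub])}"
  puts "subgroup developer, SSO enforced:  #{GroupPolicy.can?('sub_dev', :read_saml_user, g[:sub])}"
  puts "root owner on subgroup:            #{GroupPolicy.can?('root_owner', :read_saml_user, g[:sub])}"
  puts "subgroup owner, no SSO enforced:   #{GroupPolicy.can?('nosso_owner', :read_saml_user, g[:no_sso_sub])}"
  puts "subgroup owner queried on root:    #{GroupPolicy.can?('sub_owner', :read_saml_user, g[:root])}"
end
```

The point of the scenario is the developer case: a subgroup member who cannot manage members is denied `:read_saml_user` even though they are a member and SSO is enforced, which is exactly the decoupling from membership the MR describes. The last check shows the permission is scoped to the group the user can manage, not to the whole hierarchy.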