Allow subgroup owner to query SAML users (!141040) · Merge requests · GitLab.org / GitLab

Drew Blessing requested to merge dblessing_allow_subgroup_members_to_view_group_members into master Jan 04, 2024

What does this MR do and why?

Resolves issue identified as part of feature flag rollout of group_user_saml - #434464 (comment 1712933262). Original feature issue: https://gitlab.com/gitlab-org/gitlab/-/issues/424505

Based on discussion here and in the issue, there is a desire to decouple this feature from existing permissions. Users should not have permission to query SAML users solely based on membership at a subgroup level. This change adds a new :read_saml_user permission that is contingent upon a subgroup member's ability to manage members of the subgroup (owner only, currently). If a user can manage members at a subgroup level then they can query SAML users when SSO is enforced.

This has a frontend component in !142920 (merged). Right now this MR is dependent on !142920 (merged) because I incorporated those changes into my branch for testing. But ultimately order doesn't matter because the feature is currently behind a disabled feature flag . We will test thoroughly before and after flag rollout.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited Feb 02, 2024 by Drew Blessing

Allow subgroup owner to query SAML users

What does this MR do and why?

MR acceptance checklist

Screenshots or screen recordings

How to set up and validate locally

Merge request reports