Skip to content

Allow subgroup owner to query SAML users

What does this MR do and why?

Resolves issue identified as part of feature flag rollout of group_user_saml - #434464 (comment 1712933262). Original feature issue: https://gitlab.com/gitlab-org/gitlab/-/issues/424505

Based on discussion here and in the issue, there is a desire to decouple this feature from existing permissions. Users should not have permission to query SAML users solely based on membership at a subgroup level. This change adds a new :read_saml_user permission that is contingent upon a subgroup member's ability to manage members of the subgroup (owner only, currently). If a user can manage members at a subgroup level then they can query SAML users when SSO is enforced.

This has a frontend component in !142920 (merged). Right now this MR is dependent on !142920 (merged) because I incorporated those changes into my branch for testing. But ultimately order doesn't matter because the feature is currently behind a disabled feature flag . We will test thoroughly before and after flag rollout.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited by Drew Blessing

Merge request reports

Loading