Allow creation of group-level roles on self-managed instances
What does this MR do and why?
- Creates a
restrict_member_roles
feature flag which is disabled by default. - To support backwards compatibility, when this FF is disabled, self-managed instances will be able to create both group & instance-level custom roles.
- When FF is enabled, then self-managed instances will only be able to create instance-level roles.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Before | After |
---|---|
before-self-managed-roles | after-self-managed-roles |
How to set up and validate locally
- Ensure SaaS mode is turned off:
export GITLAB_SIMULATE_SAAS=0
- Log-in as admin and navigate to
/admin/application_settings/roles_and_permissions
and click onAdd new role
. - Navigate to any group that you are an owner of, and go to
Settings > Roles and Permissions
and click onAdd new role
. - When
restrict_member_roles
FF is turned on, you should only be able to create custom roles on the instance-level and not on the group-level.
Related to #439167 (closed)
Edited by Hinam Mehra