Allow creation of group-level roles on self-managed instances

Hinam Mehra requested to merge 439167-restrict-member-roles-ff into master

What does this MR do and why?

  • Creates a restrict_member_roles feature flag which is disabled by default.
  • To support backwards compatibility, when this FF is disabled, self-managed instances will be able to create both group & instance-level custom roles.
  • When FF is enabled, then self-managed instances will only be able to create instance-level roles.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before After
before-self-managed-roles after-self-managed-roles

How to set up and validate locally

  1. Ensure SaaS mode is turned off:
     export GITLAB_SIMULATE_SAAS=0
  2. Log in as admin and navigate to /admin/application_settings/roles_and_permissions and click on Add new role.
  3. Navigate to any group that you are an owner of, and go to Settings > Roles and Permissions and click on Add new role.
  4. When restrict_member_roles FF is turned on, you should only be able to create custom roles on the instance-level and not on the group-level.

Related to #439167 (closed)

Edited by Hinam Mehra