When a user is a member of a project under a group, we give the user access to the group. So even if the group was private and the user is not a member, they will be able to view the group and view issues / boards but scoped only to the projects he has access to. We should document this behavior since it has caused confusion even internally. Related issues: https://gitlab.com/gitlab-org/gitlab-ce/issues/58149 https://gitlab.com/gitlab-org/gitlab-ce/issues/38843#note_147621561