### Problem to solve: There is no support for mapping custom roles to [groups who may be invited into a group](https://docs.gitlab.com/ee/user/group/manage.html#share-a-group-with-another-group). It would be easier to apply these roles to user groups rather than one-by-one for a user. ### Proposal Allow custom roles to be assigned to groups when [sharing with a group](https://docs.gitlab.com/ee/user/project/members/sharing_projects_groups.html#invite-a-group-to-a-group). ### Permission Evaluation Criteria How would the [max role](https://docs.gitlab.com/ee/user/project/members/share_project_with_groups.html#maximum-role) assignment be applied for groups? Take the scenario: **Custom Role** * Platform Engineer: Developer + Manage CI/CD Variables + Manage Tokens * Developer Lead: Developer + Manage Merge Requests **User Groups** * SRE Group * Kate - Assigned Owner * Joe - Assigned Custom Role: Developer Lead * Mark - Assigned Custom Role: Platform Engineer * Jake - Assigned Developer * Mary - Assigned Guest * Developers Group * Sarah - Assigned Custom Role: Developer Lead Role * Bob - Assigned Developer * Dev Users - Assigned Developer Role * QA Group * QA Users - Assigned Reporter Group/Projects * Group A * Bob - Assigned Owner Role * Front-end Project * Invite **SRE Group** with Max Role of Platform Engineer * Invite **Developers Group** with Max Role of Developer Permission Result for Front-end Project | User | Permission Result | |------|-------------------| | Kate | Platform Engineer | | Joe | Developer Lead | | Mark | Platform Engineer | | Jake | Developer | | Sarah | Developer | | Bob | Owner | | Mary | Guest | 1. The inheritance between parent group and project. 2. Restrictive of the two roles during group invite ([Comment](https://gitlab.com/gitlab-org/gitlab/-/issues/443369#note_1897416529) from @alexbuijs): >>> interpret 'the more restrictive of the two roles' as follows: 1. the role with the lowest base access level vs static role is the Max role. This can be either a custom role or a static role 2. when one role is a custom role with the same base access level as the other static role, then the static role is the Max role 3. when both roles are custom roles with the same base access level, choose the source role as the Max role >>> ### UI Verification * Source is reflected accurately on the Member's Page of group and project. This can be either the inherited group or invited group. ### Alternatives * Set up [SAML Group sync](https://docs.gitlab.com/ee/user/group/saml_sso/group_sync.html#configure-saml-group-links) with your users mapped to a group * [LDAP Group Sync](https://gitlab.com/gitlab-org/gitlab/-/issues/435229)