Allow group owners to disable personal projects for group managed accounts
Top-level groups using SAML SSO can enforce the use of group managed accounts to require users to create unique users that are tied to that specific group. These user accounts are used when SSOing into the group, and are tied to the email address received from the configured identity provider.
Group managed accounts were intended as a solution for enterprises on GitLab.com looking for more control over user activity. One gap for these enterprises is the use of personal projects; a personal project could be forked or cloned in a personal namespace, outside of the control of a group's owner, and accidentally expose valuable code.
Some organizations prefer to have the group be the only place that a user's able to interact with projects associated with the enterprise. By keeping them in the group, they're able to assert control over them and audit activity.
For organizations using group managed accounts, introduce a group setting that disables personal projects for all group managed accounts.
- When enabled, set the
projects_limitfor each existing and new group managed account to
- When disabled, set the
projects_limitfor each existing group managed account to the instance default. Do not adjust the projects limit for new group managed accounts.
Note that this won't affect any existing personal projects, which we should make clear in the documentation.