Instance administrators should be the only ones to make changes that impact billing
Problem to solve
Non-admin users have too much freedom over whether or not they take up a paid seat and admins do not have enough control over this. For example, a guest user can move themselves into a paid seat by creating a project on their personal namespace (#36420), or a maintainer or group owner could add them to their group or project while another maintainer or group owner only wants to allow them guest level access.
It's also really hard to see an overview of what groups/projects a user is a member of without specifically going into that user and clicking the groups/projects tab. When an instance has thousands of users, it's almost impossible to understand which users are taking up paid seats and in which project/groups they are allocated those seats.
This makes it hard for customers to manage billing and forecasting, especially in the case where large companies are utilising GitLab in such a way where groups on the instance are allocated to specific teams in their org and have separate budgets.
Admins should be the only people who can move a guest user to a paid seat. We should remove the
Add new team members permission from maintainers as a first step, and understand how we then handle the ramifications of also removing that permission from owners.