15.7 Planning for Manage::Authentication and Authorization

15.7 Milestone: 2022-11-18 to 2022-12-17

%15.6 Planning issue: #17571 (closed)

Capacity

Preliminary capacity

Team       Weight
frontend   7
backend    44

Capacity Goals

  • 60% typefeature (including 10% Support Priority / Support Efficiency)
  • 10% typemaintenance
  • 30% typebug

Objectives & Themes

Security Issue Summary

Product prioritized typefeature list

  1. New feature work - FY23:ROADMAP items, direction items
  • Main Themes: Customizable Roles, Domain Verification/Enterprise Users, Self-Managed SCIM, one heavily requested LDAP item

  • See Feature Board. Items are stack ranked.

Quality prioritized typebug list

  1. Bot accounts created using Group Access Token c... (gitlab-org/gitlab#362683 - closed) (W3 priority2 severity2 customer Deliverable Quality dept KR)
  2. Git over HTTP(S) stopped working (HTTP Basic: A... (gitlab-org/gitlab#332974 - closed) (W? priority2 severity2 Deliverable)
  3. GitLab Okta SCIM app fail to provision silently... (gitlab-org/gitlab#277329 - closed) (W? priority3 severity2).
  4. `undefined method `[]' for nil:NilClass` except... (gitlab-org/gitlab#366450 - closed) (W? priority3 severity3 customer )
  5. Group SSO redirects to the sign in page instead... (gitlab-org/gitlab#366076 - closed) (W2 priority3 severity3 customer )
  6. HTTP 5xx for TooManyIps error should be HTTP 403 (gitlab-org/gitlab#377972 - closed) (W2 priority2 severity3 customer Deliverable)
  7. Show SAML status badge for members in subgroups... (gitlab-org/gitlab#11870 - closed) (W3 priority3 severity3 SUSImpacting customer )
  8. Self-managed SAML - bypass 2 factor authenticat... (gitlab-org/gitlab#196131 - closed) (W3 priority4 severity4 SUSImpacting Deliverable )

%15.6 typebug Deliverable currently open (for tracking purposes)

  1. Automatic Logouts Are Too Frequent (gitlab-org/gitlab#121569 - closed) ( W3 priority2 severity2 SUSImpacting customer Deliverable Quality dept KR) (Carried over from %15.5)
  2. Group owner cannot remove their group from a pr... (gitlab-org/gitlab#251137 - closed) ( W3 priority2 severity2 SUSImpacting customer Deliverable Quality dept KR)
  3. Error when removing user's SCIM ID via API (gitlab-org/gitlab#368031 - closed) (W2 priority2 severity2 customer Deliverable Quality dept KR)
  4. Do not allow Group Access Token (bot user) to b... (gitlab-org/gitlab#375676 - closed) (W2 priority2 severity2 customer Deliverable Quality dept KR)
  5. Admins should be blocked from impersonating exp... (gitlab-org/gitlab#332667 - closed) (W2 priority2 severity2 customer SUSImpacting Deliverable Quality dept KR)
  6. Cannot access Admin/credentials Project Access ... (gitlab-org/gitlab#354489 - closed) (W2 priority2 severity2 customer Deliverable Quality dept KR)
  7. https://gitlab.com/gitlab-org/gitlab/-/issues/368416+ (W3 priority3 severity3 security bugvulnerability Deliverable ) (Carried over from %15.5)
  8. GitLab.com Group access tokens continue working... (gitlab-org/gitlab#367740 - closed) (W2 priority3 severity3 security bugvulnerability Deliverable )
  9. https://gitlab.com/gitlab-org/gitlab/-/issues/373299+ (W3 priority3 severity3 security bugvulnerability Deliverable )

Engineering prioritized 15.6 typemaintenance list

  1. Review auth team owned gems and identify Ruby 3... (gitlab-org/gitlab#378574 - closed) Deliverable
  2. OAuth tokens without expiry in the DB (gitlab-org/gitlab#363355 - closed) Deliverable
  3. Drop U2F support (gitlab-org/gitlab#232672 - closed)
  4. Remove project bots with no membership (gitlab-org/gitlab#276489 - closed)
  5. Review moving the `GITLAB_THROTTLE_USER_ALLOWLI... (gitlab-org/gitlab#332697)
  6. [Feature flag] Enable sending paginated data fo... (gitlab-org/gitlab#366534 - closed)
  7. Follow-up from "Update documentation for SCIM i... (gitlab-org/gitlab#371784 - closed)
  8. https://gitlab.com/gitlab-org/gitlab/-/issues/28210+
  9. Epic Convert access token creation form into a Vue c... (gitlab-org&8768) (will break down once ready)

Support prioritized list

  1. Verify Group Link Configuration button (gitlab-org/gitlab#363812) (W3 typefeature Support Priority)
  2. Decouple Domain Verification and Pages Wizard (gitlab-org/gitlab#375492 - closed) (W? typefeature)
  3. Allow password reset email to be sent to any ve... (gitlab-org/gitlab#16311 - closed) (W5 typefeature Support Priority Support Efficiency)
  4. Automatically delete unverified unconfirmed use... (gitlab-org/gitlab#352514 - closed) (W3 typefeature Support Priority Support Efficiency)
  5. Allow gitlab.com Group Owners to obtain users' ... (gitlab-org/gitlab#26068 - closed) (W? typefeature Support Efficiency)

Slipped %15.6

Release Post Items

Status                                                  Issue                                                                              Release Post MR
Primary. Bumped to %15.8                                Extend group SCIM to instance level for self-ma... (gitlab-org&8902)              Link
Primary. Bumped to %15.8. Needs docs and video/image.   Allow Ultimate Guests to view repository conten... (gitlab-org/gitlab#20277 - closed)   Link
Ready                                                   Transparent SSO enforcement for group members o... (gitlab-org/gitlab#215155 - closed)  Link
Primary. Push to %15.8                                  Allow group owners to disable 2FA for individua... (gitlab-org/gitlab#372401 - closed)  Link
Push %15.8                                              Enterprise Users - MVC: Automatic Claim of exis... (gitlab-org/gitlab#322039 - closed)  Link
Merged                                                  Prevent users from choosing weak passwords (gitlab-org/gitlab#23610 - closed)          Link
Merged                                                  Add a 'Remember me' checkbox to the SAML author... (gitlab-org/gitlab#379013 - closed)  Link
Merged                                                  Audit Event proposal: Enable Admin Mode (gitlab-org/gitlab#362101 - closed)            MR
Ready                                                   Allow gitlab.com Group Owners to obtain users' ... (gitlab-org/gitlab#26068 - closed)   MR

Other

Edited by Hannah Sutor