Inconsistency in group/project member access to parent group
## Problem Currently, project members have [access](https://gitlab.com/gitlab-org/gitlab/-/issues/24104#note_446810070) to the parent group. They can view it and have limited permissions. The behaviour for group members is different: we don't grant access to the parent group. There are other edge-cases of this inconsistency caused by how it is implemented. Eg. user `Bob` has access to `Group_Board` in the following scenario: ```mermaid graph Group --> Subgroup Subgroup --> Project Group --> Group_Board User:Bob -->|Developer| Subgroup ``` However, `Bob` does not have access to `Group_Board` when `Subgroup` has no projects: ```mermaid graph Group --> Subgroup Group --> Group_Board User:Bob -->|Developer| Subgroup ``` ## Proposal Because of group / project consolidation, we need to resolve this difference one way or the other. The preferred, more secure way to go is to stop granting access for project members. This is likely going to be a breaking change. This is discussed already in a few issues: * https://gitlab.com/gitlab-org/gitlab/-/issues/214755+ * https://gitlab.com/gitlab-org/gitlab/-/issues/36658+ ## Implementation plan - [ ] Assess impact of removing upwards inherited access on other features: https://gitlab.com/gitlab-org/gitlab/-/issues/385072+ - [ ] Decouple permissions on the `group` itself (accessing the route and group name) from permissions on `group's resources`(members, child groups/projects, labels, issues, etc.)
epic