API endpoint for listing all group and project memberships for a user
Problem to solve
Compliance-minded organizations, or generally those with standard auditing practices, need to be able to view a list of user access within their GitLab instances. Knowing which users are members of specific groups and projects helps an organization audit those memberships as part of its access management policy.
Currently, GitLab does not provide a simple, friendly way to obtain this information and the only current workaround is leveraging multiple GitLab API endpoints to create this report.
Intended users
Further details
This is the first iterative change we can make towards delivering this feature to customers due to some technical challenges with the original proposal. Of import:
- Rendering the data within the GitLab UI has a considerable performance cost (e.g. 6.75s to render data for 20 users)
- Using current API endpoints also has a considerable performance cost (e.g. 9s for 44 users)
- UX challenges for larger instances where group and project memberships may be high
Proposal
Create a GraphQL API endpoint specifically tuned for querying data about a user's group and project memberships. The JSON response would look similar to this:
[
  {
    "user_id": 1,
    "memberships": [
      {
        "access_level": 20,
        "created_by_id": 37,
        "source_id": 1,
        "source_type": "Project",
        "created_at": "2017-03-17T17:18:09.283Z",
        "updated_at": "2017-03-17T17:18:09.283Z"
      },
      {
        "access_level": 20,
        "created_by_id": 20,
        "source_id": 3,
        "source_type": "Namespace",
        "created_at": "2017-03-17T17:18:09.283Z",
        "updated_at": "2017-03-17T17:18:09.283Z"
      },
      {
        "access_level": 40,
        "created_by_id": null,
        "source_id": 28,
        "source_type": "Project",
        "created_at": "2017-03-17T17:18:09.283Z",
        "updated_at": "2017-03-17T17:18:09.283Z"
      }
    ]
  },
  {
    "user_id": 20,
    "memberships": [
      {
        "access_level": 50,
        "created_by_id": 1,
        "source_id": 5,
        "source_type": "Project",
        "created_at": "2017-03-17T17:18:09.283Z",
        "updated_at": "2017-03-17T17:18:09.283Z"
      }
    ]
  }
]
Permissions and Security
Only administrators should be able to pull this data via API.
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
GraphQL Query
{
  users {
    pageInfo {
      startCursor
      endCursor
      hasNextPage
    }
    nodes {
      id
      ...memberships
    }
  }
}

fragment membership on MemberInterface {
  createdAt
  updatedAt
  accessLevel {
    integerValue
    stringValue
  }
  createdBy {
    id
  }
}

fragment memberships on User {
  groupMemberships {
    nodes {
      ...membership
      group {
        id
      }
    }
  }
  projectMemberships {
    nodes {
      ...membership
      project {
        id
      }
    }
  }
}
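An added example, not part of the original issue or of GitLab's code: a Python sketch that walks the `users` connection page by page and flattens each node into the per-user report shape shown in the proposal. `fetch_page` is a hypothetical callable supplied by the caller that sends the query above for a given cursor using an administrator's credentials; the sample pages are constructed, and only the membership nodes returned in each response are read.

```python
from typing import Callable, Iterator, Optional

# (connection field, node field holding the source, source_type used in the proposal)
SOURCES = (("groupMemberships", "group", "Namespace"),
           ("projectMemberships", "project", "Project"))

def iter_user_nodes(fetch_page: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Yield every user node, following pageInfo.endCursor until hasNextPage is false."""
    cursor = None
    while True:
        users = fetch_page(cursor)["data"]["users"]
        yield from users["nodes"]
        if not users["pageInfo"]["hasNextPage"]:
            return
        cursor = users["pageInfo"]["endCursor"]

def flatten(user: dict) -> dict:
    """Convert one user node into the {"user_id", "memberships"} shape of the proposal."""
    rows = []
    for connection, source_field, source_type in SOURCES:
        for m in user[connection]["nodes"]:
            creator = m["createdBy"]  # null when no creator is recorded
            rows.append({
                "access_level": m["accessLevel"]["integerValue"],
                "created_by_id": creator["id"] if creator else None,
                "source_id": m[source_field]["id"],
                "source_type": source_type,
                "created_at": m["createdAt"],
                "updated_at": m["updatedAt"],
            })
    return {"user_id": user["id"], "memberships": rows}

def build_report(fetch_page: Callable[[Optional[str]], dict]) -> list:
    return [flatten(user) for user in iter_user_nodes(fetch_page)]

def _m(level, creator, field, source):  # constructed membership node
    ts = "2017-03-17T17:18:09.283Z"
    return {"createdAt": ts, "updatedAt": ts, "accessLevel": {"integerValue": level},
            "createdBy": {"id": creator} if creator else None, field: {"id": source}}

def _page(uid, groups, projects, end, more):  # constructed response page with one user
    node = {"id": uid, "groupMemberships": {"nodes": groups}, "projectMemberships": {"nodes": projects}}
    return {"data": {"users": {"pageInfo": {"endCursor": end, "hasNextPage": more}, "nodes": [node]}}}

SAMPLE_PAGES = {  # constructed data, keyed by the cursor that requests each page
    None: _page(1, [_m(20, 20, "group", 3)], [_m(20, 37, "project", 1), _m(40, None, "project", 28)], "c1", True),
    "c1": _page(20, [], [_m(50, 1, "project", 5)], None, False)}

def sample_fetch(cursor): return SAMPLE_PAGES[cursor]  # stands in for the real API call
```

Calling `build_report(sample_fetch)` returns the two-user list from the proposal, with the group membership listed first for user 1.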