Allow setting GitLab Pages Access Control on Group level
Release notes
Problem to solve
Pages, when configured to be accessible to everyone, have the potential to leak internal information. On GitLab.com, this is especially concerning, because there are no other controls on who accesses these pages.
Because the pages access level setting can only be changed on a project level, customers currently have to run scripts to efficiently audit or adjust these features to stay compliant and protect internal information.
There needs to be a way to limit pages access level to internal or disable pages altogether on a group level.
Intended users
User experience goal
- The user should be able to control Pages Access Control on a Group level
Proposal
Provide a setting for GitLab Pages on group level under Group>Settings>General>Permissions, so it can be applied to all projects in the group. The setting includes:
- A checkbox that reads “Restrict access to Only Project Members on all group projects”
  - If unchecked (Default Setting)
    - The projects under this group set their GitLab Pages individually (just as they do today)
    - Unchecked is the default setting, so once this issue is implemented, there is no change in behavior for any group/project
  - If checked
    - Individual projects no longer control their GitLab Pages permissions, and cannot override this setting
    - The Pages selector element under Project>Settings>General>Visibility>Pages becomes disabled, and reads {{Permission Setting}} - Permission set by group
    - The Pages checkbox under Project>Settings>General>Visibility>Pages can still be turned on/off, to completely enable or disable GitLab Pages for that specific project.
- Whenever the checkbox is changed (before saving)
  - If user toggles/untoggles the checkbox
    - Display alert component
  - If user reverts setting to current configuration (before saving)
    - Hide alert component
Proposal Copy
Pages
With GitLab Pages you can host your static websites on GitLab. Learn more.
[ ] Restrict access only to project members on all group projects
Learn more link: https://docs.gitlab.com/ee/user/project/pages/introduction.html#gitlab-pages-access-control
Alert copy:
Changing this setting will impact permissions for GitLab Pages websites published by every project in this group.
Further details
Permissions and Security
- Add expected impact to Maintainer (40) members - Project maintainers will be unable to change Pages Settings if Group Pages Setting is configured
- Add expected impact to Owner (50) members - Group Owners will be able to change Pages Settings on Group Level
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
This setting affects controlling Pages usage by multiple teams (beyond a scope that can be manually controlled), thus it should be GitLab Premium
Is this a cross-stage feature?
Links / references
Possible related issue: #244329 (better administration on group level would be preferable so that it can benefit .com customers)
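
The audit that "Problem to solve" says customers currently script, combined with the override described under "Proposal", as an added example that is not part of the original issue or GitLab's own code. The project objects are constructed samples using the `visibility` and `pages_access_level` fields of the Projects API; the reading of `enabled` as following project visibility and the `group_restricts` parameter (modelling the proposed checkbox) are assumptions of this example.

```python
# Added example; SAMPLE_PROJECTS is constructed data, not from a real instance.
RANK = {"nobody": 0, "project members": 1, "signed-in users": 2,
        "everyone": 3, "unknown": 4}
LEVELS = {"disabled", "private", "enabled", "public"}

def pages_audience(project, group_restricts=False):
    """Return who can view the project's Pages site.

    group_restricts models the proposed group checkbox (hypothetical name):
    a project may still disable Pages but cannot widen access past members.
    """
    level = project.get("pages_access_level")
    if level not in LEVELS:
        return "unknown"  # missing or unexpected value: always report it
    if level == "disabled":
        return "nobody"
    if group_restricts or level == "private":
        return "project members"
    if level == "public":
        return "everyone"
    # "enabled": audience follows project visibility (assumption of this example)
    by_visibility = {"public": "everyone", "internal": "signed-in users"}
    return by_visibility.get(project.get("visibility"), "project members")

def audit(projects, group_restricts=False, allowed="project members"):
    """Return sorted (path, audience) pairs whose audience exceeds `allowed`."""
    findings = []
    for project in projects:
        audience = pages_audience(project, group_restricts)
        if RANK[audience] > RANK[allowed]:
            findings.append((project["path_with_namespace"], audience))
    return sorted(findings)

SAMPLE_PROJECTS = [  # constructed project objects
    {"path_with_namespace": "acme/handbook", "visibility": "internal", "pages_access_level": "public"},
    {"path_with_namespace": "acme/api-docs", "visibility": "private", "pages_access_level": "enabled"},
    {"path_with_namespace": "acme/design-system", "visibility": "internal", "pages_access_level": "enabled"},
    {"path_with_namespace": "acme/legacy-site", "visibility": "public", "pages_access_level": "disabled"},
    {"path_with_namespace": "acme/runbooks", "visibility": "private", "pages_access_level": "private"},
    {"path_with_namespace": "acme/old-wiki", "visibility": "private"},  # field missing
]

if __name__ == "__main__":
    for path, audience in audit(SAMPLE_PROJECTS):
        print(f"{path}: Pages viewable by {audience}")
```

Passing `allowed="signed-in users"` audits against the "internal" limit mentioned in the problem statement instead of members-only.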