Addition of SAML group membership to top level group downgrades direct members of that group
Summary
A customer raised a ticket about a loss of access in their top level group on GitLab.com.
They were using SAML group membership to control access to their subgroups, but some accounts were direct members of the parent group with owner access.
As part of revising their SAML groups, they defined a group to provide default guest access to the top level group for all users. When they applied this to the top level group, the existing direct members were downgraded from owner to guest.
Looking at what's documented, it doesn't seem like this is expected behaviour:
After a group sync, for GitLab subgroups, users who are not members of a mapped SAML group are removed from the group. Users in the top-level group are assigned the default membership role.
Following the default membership role link, the role section in the docs states:
That role becomes the starting access level of all users added to the group.
Existing members with appropriate privileges can promote or demote users, as needed.
If a user is already a member of the group, linking the SAML identity does not change their role.
The final sentence is the key point.
Steps to reproduce
- Create a top level group
- Add users to top level group; assign them owner access
- Add subgroups
- Define SAML group membership for the subgroups, e.g. adding guests, developers, maintainers, etc.
- Verify access by the various accounts
- Add SAML group membership to the top level group. The SAML group should already contain all the users who are direct members of the top level group. Specify that the default access level should be guest.
- Observed result (the customer's experience): the existing owners were downgraded to guest.
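The steps above can be dry-run before a sync is applied. The script below is an added example written for this issue, not GitLab's own code: it models the documented rule literally (a linked SAML group's role replaces the existing direct role; top-level members in no linked SAML group get the default membership role; subgroup members in no linked SAML group are removed) and reports every member whose role would drop, which is the check the customer would have wanted before linking a guest group to the parent group. The "highest role wins when a user is in several linked SAML groups" rule and all usernames and SAML group names are assumptions; the sample data is constructed. It goes slightly beyond the steps by also covering the subgroup removal case from the quoted docs.

```python
# Dry run of a SAML group sync against a GitLab group's existing direct members.
# Hypothetical model written for this issue, not GitLab's own implementation:
# it applies the documented rule literally (linked SAML group role replaces the
# direct role; top-level members in no linked group get the default role;
# subgroup members in no linked group are removed) and reports every downgrade.

ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}


def synced_role(user_saml_groups, group_links):
    """Role granted by group sync to one user on one GitLab group.

    group_links maps a SAML group name to the GitLab role that link grants.
    If the user is in several linked SAML groups the highest role wins
    (an assumption of this model). Returns None if no link matches.
    """
    roles = [group_links[g] for g in user_saml_groups if g in group_links]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def dry_run_sync(direct_members, saml_membership, group_links, default_role, top_level):
    """Compute post-sync roles for current direct members and list downgrades.

    direct_members:  {username: current direct role}
    saml_membership: {username: set of SAML group names asserted by the IdP}
    group_links:     {saml_group_name: gitlab_role} configured on this group
    default_role:    default membership role of the top-level group
    top_level:       True for the parent group, False for a subgroup
    Returns (new_roles, downgrades); a new role of None means "removed".
    """
    new_roles = {}
    downgrades = []
    for user, current in direct_members.items():
        new = synced_role(saml_membership.get(user, set()), group_links)
        if new is None:
            # Not in any linked SAML group: top-level members fall back to the
            # default role, subgroup members are removed (documented rule).
            new = default_role if top_level else None
        new_roles[user] = new
        if new is None or ROLE_RANK[new] < ROLE_RANK[current]:
            downgrades.append((user, current, new))
    return new_roles, downgrades


def owner_downgrades(downgrades):
    """Subset of downgrades that strip the owner role, the case in this issue."""
    return [d for d in downgrades if d[1] == "owner"]


if __name__ == "__main__":
    # Constructed sample data mirroring the steps to reproduce (assumed names).
    members = {"alice": "owner", "bob": "owner", "carol": "developer"}
    idp_groups = {
        "alice": {"all-staff"},
        "bob": {"all-staff", "gitlab-admins"},
        "carol": {"all-staff"},
    }
    # Planned link: one SAML group containing everyone, mapped to Guest.
    planned_links = {"all-staff": "guest"}
    roles, downs = dry_run_sync(members, idp_groups, planned_links, "guest", top_level=True)
    for user, before, after in downs:
        print(f"WARNING: {user} would go from {before} to {after}")
    # Keeping owners requires a link that grants Owner to them before syncing.
    safer_links = {"all-staff": "guest", "gitlab-admins": "owner"}
    roles, downs = dry_run_sync(members, idp_groups, safer_links, "guest", top_level=True)
    print("remaining owner downgrades:", owner_downgrades(downs))
```

Run it with the planned link set first: every direct owner shows up as a warning, which is exactly the outcome reported in the ticket. Adding a second link that grants Owner to the administrators' SAML group keeps those accounts at owner, and any owner still listed by `owner_downgrades` is one whose SAML group membership needs fixing before the sync is enabled.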
Example Project
What is the current bug behavior?
If a user is already a member of the group, linking the SAML identity does change their role.
What is the expected correct behavior?
If a user is already a member of the group, linking the SAML identity does not change their role.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com. Occurred 2022-11-11.
Conclusion
Not a bug, but a possible misunderstanding of how the group sync feature works.
Implementing a UI improvement to hopefully prevent further issues. See #386021 (comment 1448152508)