Group Membership: On the expiration date, the member gets removed within all containing projects, which is (1) very unexpected, (2) not useful in all environments, (3) not mentioned in the UI, (4) not documented

Summary

When you hit the expiration date of a group-member, the member gets removed from all projects in that group. This is a different behaviour than the the default when removing a member directly. This might be intended initally, but is (1) very unexpected, (2) not useful in all environments, (3) not mentioned in the UI (and it just looks like it just removes the member from the group and not projects), and (4) not documented.

Steps to reproduce

1. Have a group, say group1.
2. Add a user to it, say user1, and add an expiration date to somewhere in the future (can be also tomorrow).
3. Add a project to the group, say group1/project1.
4. Add user1 as direct member to group1/project1 without an expiration date, and probably with higher permission (the permission level is not relevant for this issue but is often the reason why you add an additional direct membership).
5. Wait until the expiration date, when it hits, user1 gets removed from group1 like intended, but also from all containing projets, here group1/project1.

What is the current bug behavior?

On the expiration date, the member gets removed from the group, but also from all projects contained in that group.

When you do a direct removal of the member by the kebab-menu entry “Remove Member”, you get an “Also remove direct user membership from subgroups and projects” option (deactivated by default), which I guess is always activated for the expiration date action:

So the default behaviour of “Remove Member” and expiration is different, which is confusing.

Furtheremore, there is no hint in the UI about this, and there is no documentation about it. We looked at the following pages:

• https://docs.gitlab.com/ee/user/group/#add-users-to-a-group
• https://docs.gitlab.com/ee/user/project/members/index.html#add-users-to-a-project
• https://docs.gitlab.com/ee/user/group/access_and_permissions.html

What is the expected correct behavior? / Possible fixes

Documentation

As I mentioned already, this behaviour (a behaviour which is not obvious) in not mentioned in the documentation, so adding it there would be nice.

As it is undocumented, this leads me to the next section, as it might be unintended...

Intentional?

So just to clearify, is this intended, that “Also remove direct user membership from subgroups and projects” is activated?

As said, it is different default behaviour from the direct removal by “Remove Member”. For sure there are valid reasons for removing the member also from all projects within the group (i.e. to clean up the user when he is not part of the umbrella-project any more), but is probably not always desired.

UI hint

As someone might easily think to know what the Expiration Date executes (i.e. doing the same as “Remove Member” and just removes the member from the group but not the projects), I think there must be also a Warning/Info in the UI about what is done when the Expiration Date hits.

For the “Invite members”, you could put it here:

For the table view it is a little more complicated, but you might adding a ⓘ beside the expiration date.

Activate feature in UI

As an alternative to the “UI hint”, you could also give the same options as in the “Remove Member” dilog, i.e. the option to the user, so that the user has to explicitly activate the functionaliy (and hence cannot miss that this will happen) and to decide what will happen on the expiration date.