Security-minded customers cannot use CRM feature due to cascading permissions
Summary
Security-conscious customers are unable to use GitLab's CRM feature because contacts and organizations can only be created for root groups, and a user must hold at least the Reporter role on that root group to work with them. Because group membership cascades, granting Reporter on the root group gives that user Reporter-level access to every subgroup and project beneath it, which is not acceptable for many organizations focused on security.
Proposed Solution
A potential solution recently discussed is to allow a specific group to be selected as the source of CRM contacts, similar to selecting a description for templates. This could be implemented as follows:
- Group Selection for Contacts: Enable the selection of a group for contacts, defaulting to the root group unless configured otherwise.
- Migration Considerations: The transition should be seamless, leveraging the existing table structure for group CRM settings.
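The following Ruby script is an added illustration of the two access models described above; it is not GitLab code. It models group membership cascading down the hierarchy, then compares today's rule (Reporter on the root group) with the proposed rule (Reporter on the configured CRM source group, defaulting to the root). Every name in it (Group, Memberships, ROLE_RANK, crm_source_group, the can_manage_contacts_* helpers) and the acme/sales/security scenario are assumptions constructed for the example.

```ruby
# Added illustration, not GitLab code: how access to CRM contacts resolves
# today (contacts live on the root group) versus with a per-group CRM source
# group as proposed above. All names here (Group, Memberships, ROLE_RANK,
# crm_source_group, can_manage_contacts_*) are assumptions for the example.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class Group
  attr_reader :name, :parent
  attr_accessor :crm_source_group # proposed per-group CRM setting, nil = inherit

  def initialize(name, parent = nil)
    @name = name
    @parent = parent
    @crm_source_group = nil
  end

  def root
    parent ? parent.root : self
  end

  # This group followed by its ancestors, nearest first.
  def ancestors_and_self
    parent ? [self] + parent.ancestors_and_self : [self]
  end
end

class Memberships
  def initialize
    @direct = Hash.new { |h, user| h[user] = {} } # user => { group => role }
  end

  def grant(user, group, role)
    @direct[user][group] = role
  end

  # Effective role on a group: the highest direct role held on that group or
  # any ancestor, since GitLab group membership cascades to subgroups.
  def effective_role(user, group)
    roles = group.ancestors_and_self.filter_map { |g| @direct[user][g] }
    roles.max_by { |r| ROLE_RANK[r] }
  end

  def at_least?(user, group, role)
    effective = effective_role(user, group)
    !effective.nil? && ROLE_RANK[effective] >= ROLE_RANK[role]
  end
end

# Current behaviour: contacts belong to the root group, so Reporter on the
# root group is required regardless of where the user actually works.
def can_manage_contacts_today?(memberships, user, group)
  memberships.at_least?(user, group.root, :reporter)
end

# Proposed behaviour: use the nearest configured CRM source group walking up
# the hierarchy, defaulting to the root group when none is configured.
def crm_source_group_for(group)
  configured = group.ancestors_and_self.find(&:crm_source_group)
  configured ? configured.crm_source_group : group.root
end

def can_manage_contacts_proposed?(memberships, user, group)
  memberships.at_least?(user, crm_source_group_for(group), :reporter)
end

# Constructed scenario: alice handles CRM for acme/sales and must not gain any
# access to acme/security.
def demo
  acme     = Group.new("acme")
  sales    = Group.new("acme/sales", acme)
  security = Group.new("acme/security", acme)

  before = Memberships.new
  before.grant(:alice, sales, :reporter)

  # Today: Reporter on the subgroup is not enough ...
  blocked_today = !can_manage_contacts_today?(before, :alice, sales)

  # ... so admins grant Reporter on the root group, which cascades everywhere.
  workaround = Memberships.new
  workaround.grant(:alice, acme, :reporter)
  leaks_into_security = workaround.at_least?(:alice, security, :reporter)

  # Proposed: scope contacts to acme/sales; the subgroup role now suffices
  # and acme/security stays off limits.
  sales.crm_source_group = sales
  allowed_proposed = can_manage_contacts_proposed?(before, :alice, sales)
  no_access_to_security = before.effective_role(:alice, security).nil?

  # Unconfigured subgroups still fall back to the root group.
  default_is_root = crm_source_group_for(security).equal?(acme)

  { blocked_today: blocked_today, leaks_into_security: leaks_into_security,
    allowed_proposed: allowed_proposed, no_access_to_security: no_access_to_security,
    default_is_root: default_is_root }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The point the script makes concrete: with today's rule the only way to let alice manage contacts is the root-group grant, and `effective_role` then returns `:reporter` on acme/security as a side effect; with a configured source group the grant stays where the contacts actually live, and groups that configure nothing keep the current root-group behaviour.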
This solution seeks to offer more granular control over permissions, aligning better with the security needs of these customers. Further discussions and technical assessments are needed to refine and validate this proposal.